Getting ready for upcoming changes to New Zealand's privacy legislation
Businesses need to start preparing now for the changes proposed by the Privacy Amendment Bill 2023 (Bill) designed to increase transparency between collectors of personal information and the individuals from whom that data is collected.
One of the key focuses of the amendment is the indirect collection of personal information. Organisations which collect personal information about a person but not directly from that person will (amongst other requirements) need to notify individuals that they have collected their data.
This legislative shift, much like the proposed Modern Slavery legislation, aims to bring New Zealand in line with and reflects developments in other jurisdictions including Australia, the United Kingdom and the European Union.
Businesses need to understand the implications of the proposed Bill and should take proactive steps to ensure they are compliant when the changes take effect.
Overview of proposed privacy legislation
There are several key features of the Bill that businesses should be aware of:
- Expanded Notification Requirements: A new information privacy principle (IPP) 3A will require indirect collection agencies to notify individuals to whom the personal information relates that they have collected their data. As soon as reasonably practical, collectors must disclose things like the collector’s details, the purpose for which the information is being collected and stored and the individual’s right to access and correct the information. Direct collectors will be familiar with these requirements as they mirror the obligations outlined in IPP 3.
- New Exceptions to Compliance: IPP 3A also provides for several exceptions to the notification requirements. Most of these again mirror IPP 3 although there are several new exceptions businesses should be aware of. Key exceptions include:
- No subsequent disclosure: If a collector or another party (e.g. the direct collector) has already told the individual that it has or will collect personal information, it does not need to do so again.
- Anonymous storage: No disclosure is required if the information will be stored in a form that does not identify the individual or will be used for research purposes.
- Practical considerations: Collectors do not need to make disclosure if the information is already publicly available or if disclosure would prejudice national security, reveal trade secrets or threaten health and safety.
- No subsequent disclosure: If a collector or another party (e.g. the direct collector) has already told the individual that it has or will collect personal information, it does not need to do so again.
Businesses should note that the above changes, if enacted, will only apply to data collected after the date the Bill comes into force (currently scheduled for 1 June 2025).
What are the implications?
Business owners should seek guidance and advice about how the Bill could affect their obligations in relation to data collection and storage. Often it may be a question of amending their privacy policies but for more complex cases, adjustment of their data collection systems and processes may be required to comply with the new IPP 3A. Businesses should also review their contracts with third parties to ensure proper disclosures are made regarding indirect data collection.
Haigh Lyon has expertise in assisting businesses navigate and comply with their privacy obligations. For advice about the changes and how you can ensure your business and contracts comply with the Privacy Amendment Bill 2023 please contact Tom Pilley on 09 306 0609 or [email protected], or Anthony Kuran on 09 306 0611 or [email protected].