Introduction

The bill is divided into two parts. Part one contains substantive amendments to the Privacy Act, introducing a new information privacy principle (IPP). Part two makes certain technical changes and addresses minor issues of the Privacy Act.

Part one amendments

What are the new information obligations?

Under the existing privacy regime of New Zealand, agencies, whether public or private, are only required to provide a notice to individuals when they collect information directly from them. To ensure that individuals are informed when information about them is obtained through indirect sources, the Bill proposes the new IPP 3A.

More specifically, the IPP 3A requires an agency that collects personal information from a source other than from the individual to whom the information relates to take steps, as reasonably practicable, to ensure that the individual is aware of:

• the fact of collection of information;
• the purpose for which the information is collected;
• the intended recipients of the information;
• the names and addresses of the agency that has collected the information and is holding the information;
• if the information is authorized or required by or under the law, the law by or under which the collection of the information is authorized or required; and
• the rights of access to, and correction of, the information provided by the IPP.

The Bill confirms that the above is the same as in IPPs 3(1)(a) to (g) which apply when an agency collects personal information directly from the individual concerned.

Are there any exemptions to the information obligations?

The obligations under IPP 3A are not absolute and the Bill lays down various exemptions. According to the explanatory note of the Bill, the exemptions are included to ensure the efficient administration of certain public functions and to protect against other unintended consequences.

An agency is exempted if it believes, on reasonable grounds, that:

• the non-compliance would not prejudice the interests of the individual concerned;
• the information is publicly available information;
• non-compliance is necessary:
  • to avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offenses;
  • for the enforcement of a law that imposes a pecuniary penalty;
  • for the protection of public revenue; or
  • for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
• the compliance would prejudice the purposes of the collection;
• the compliance is not reasonably practicable in the circumstances of the particular case;
• compliance would prejudice the security of New Zealand or the international relations of the Government;
• compliance would reveal a trade secret;
• compliance would cause a serious threat to public health or safety or the health or safety of another individual;
• the information would not be used in a form in which the individual concerned is identified; or  
• the information would be used for statistical or research purposes and would not be published in a form that could reasonably be expected to identify the individual concerned.

An agency is further exempted from the obligations under IPP 3A:

• in relation to the collection of personal information if the individual concerned has previously been made aware by any means of, all of the matters specified in IPP 3(A)(1) in relation to the agency's collection of the information;
• if the personal information is collected before June 1, 2025;
• if an agency that is an individual and is collecting personal information solely for the purposes of, or in connection with, the individual's personal or domestic affairs;
• when the personal information is collected by an intelligence and security agency; or
• to any personal information collected before, on, or after June 1, 2025, under an approved information-sharing agreement that is in force immediately before that date.

Prima facie, IPP 3A mirrors the requirements contained in Article 14 of the General Data Protection Regulation (GDPR), however, a closer look at IPP 3A reveals that the information obligations are slightly less extensive than the GDPR. Further, the exemptions provided under IPP 3A are broader than the GDPR, and notably, take into account the trade secrets of agencies. Additionally, the exemptions give the agencies autonomy to decide if compliance with the information obligation would prejudice the purposes of the collection or prejudice the interests of the individuals concerned. While there is no further clarification on what would be considered as prejudice, it would be interesting to see how the authorities interpret these terms and how best practices on this are developed.

Part two amendments

The other notable amendments, as provided under part two of the bill, include clarification regarding the Minister's responsibilities under Article 18(2) of the Privacy Act. Article 18(2) of the Privacy Act requires the Office of the Privacy Commissioner of New Zealand (OPC) to provide advice on whether the privacy laws of a country, overall, provide comparable safeguards to those in the Privacy Act. The Bill proposes that Article 18(3) would require that the OPC may assess the privacy laws of a particular country on an individual basis or on the basis of the country being a member of a bloc of countries however described. Notably, the bill provides an example of the bloc country as a specified country being a member of the EEA and therefore, subject to the GDPR.

Further, the Bill seeks to broaden the protection of individuals as a reason for refusing access to personal information as contained in Article 49 of the Privacy Act. In relation to minors, the bill proposes to protect the disclosure of the information that would be contrary to the interests of the minor (individual under the age of 16 years) but also the disclosure of information that would be contrary to another minor to whom the information relates.

Similarly, the protection is extended to the disclosure of the information that would be likely to prejudice the safe custody or the rehabilitation of another individual to whom the information relates who has been convicted of an offense or is or has been detained in custody.

What are the next steps?

The bill is currently undergoing its First Reading in the Parliament of New Zealand. The Billl would become effective once it is approved by the Parliament and receives the Royal Assent. If enacted, part one of the bill will enter into effect on June 1, 2025, and part two on the date of the Royal Assent.

Madhura Sakharam Bhandarkar Privacy Analyst
[email protected]