Privacy is at the forefront of many minds, particularly in an age where vast amounts of personal information are collected and disseminated by both public and private sector organisations (referred to as agencies in our legislation). The Privacy Amendment Bill, which was introduced into Parliament on 6 September 2023, aims to address a deficiency within the Privacy Act 2020 regarding the collection of personal information from sources other than the individual concerned.
Filling the void
At present, a public or private sector agency must notify an individual when it collects personal information directly from the individual concerned. However, there is no requirement for an agency to notify an individual when it collects personal information about that individual indirectly, meaning that in some situations those individuals may not be aware that their personal information has been collected.
In response to this gap, the Bill proposes a new information privacy principle, IPP 3A, dealing specifically with the indirect collection of personal information. This new principle is aligned with the current IPP 3 concerning direct collection of personal information.
Understanding the New Privacy Principle
So, what does the proposed IPP 3A entail? It will compel public and private sector agencies that gather information indirectly to take reasonable steps, considering the circumstances, to ensure that the relevant individual is informed about several aspects:
- the fact that the information has been collected;
- the purpose behind the collection;
- the intended recipients of the information;
- the name and address of the agency or agencies responsible for collecting and holding the information;
- if the collection is authorised or required by law, the specific law that applies to the collection; and
- the individual’s rights of access to, and correction of, information under the Privacy Act.
As with IPP 3, these steps will need to be taken promptly, as soon as reasonably practicable after the information’s collection.
However, disclosure may not be required if the agency that initially collected the information directly from the individual has previously informed the individual of the subsequent collection by the second agency (ie the agency that is collecting the information indirectly). Many privacy policies already do this, and if all details have been provided by the initial agency, then a further disclosure will not be required. Where an agency collects personal information indirectly via an agency that deals with the individual directly, we recommend that it require that initial agency to provide the required information as part of that initial agency’s notification obligations under IPP 3. This may require some privacy policies to be updated with additional details related to the subsequent agency’s notification requirements to enable compliance.
Where an agency collects personal information both directly from an individual and indirectly, we recommend that the agency’s privacy policies cover both the direct and indirect collection, to the extent that they do not already do so.
As with the current IPP 3, there are exceptions to this proposed disclosure obligation. These include where:
- non-compliance does not prejudice the interests of the relevant individual;
- the personal information is already publicly available;
- compliance would prejudice the purposes of the collection;
- compliance is not reasonably practicable in the circumstances; or
- the information will not be used in a form in which the individual concerned is identified.
IPP 3A would also not apply to an agency that is an individual who collects the personal information for the sole purposes of the individual’s personal or domestic affairs.
The Bill also proposes several other adjustments to correct a few minor gaps in the Privacy Act. Of note is a change in the assessment of foreign privacy laws. The Bill proposes that when determining whether the privacy laws of a country offer comparable safeguards to those in the Privacy Act, the Privacy Commissioner may now consider a country’s privacy laws based on its membership in a bloc of countries, such as those that fall within the scope of the General Data Protection Regulation (GDPR), rather than just its own laws.
In practice, many agencies that collect personal information may already address both direct and indirect collection within their privacy policies, statements, and consent forms. These documents often clarify whether and how information is gathered from other sources or disclosed to third parties. For agencies that need to align with IPP 3A, the Bill aims to provide ample time for adjustment, as it is proposed that IPP 3A will only apply to personal information collected from 1 June 2025.
At this time there are a number of additional stages that the Bill must progress through before it becomes law. With Parliament having been dissolved for the upcoming election, no further progress will be possible until the next Government is formed. We will continue to monitor progress of this Bill as it works its way through Parliament.
Please get in touch with our corporate team if you would like further information on this proposed change to the Privacy Act.