A new Privacy Amendment Bill (the Bill) has been introduced to Parliament and can be read here. The Bill proposes changes to the Privacy Act 2020, including imposing new information disclosure requirements on organisations that indirectly collect personal information.
Who is affected?
Any organisation that collects personal information about an individual from a source other than from the individual concerned will be affected by the proposed amendments.
Why is the change required?
The key purpose of the Bill is to improve transparency for individuals about the collection of their personal information and better enable individuals to exercise their privacy rights. The explanatory note of the Bill states that the proposed changes seek to address a perceived gap in the Privacy Act where there is no requirement for an organisation (public or private) to notify an individual when it collects personal information by indirect means. In such circumstances, the effect is that an individual may not know that the organisation holds and uses their personal information.
The Office of the Privacy Commissioner has also noted that the proposed amendment is “about keeping up with international best practice”, alluding to the fact that many jurisdictions, including some of our major trading partners such as Australia, already have equivalent obligations under their privacy laws.
What is being changed?
To rectify this gap, the Bill introduces a new information privacy principle 3A (referred to as IPP 3A). It is closely based on the existing IPP 3 requirements which apply to the collection of information directly from an individual, and will require any agency collecting personal information from a source other than from the individual concerned to take reasonable steps to ensure that the individual is aware of:
- the fact the information has been collected;
- the purpose for which it is has been collected;
- the recipients of the information;
- the name and address of the agency collecting and holding the information;
- whether the collection is authorised or required by law; and
- the individual’s rights of access to and correction of the information.
The information set out above must be provided as soon as is reasonably practicable after the information has been collected.
As with IPP 3, the Bill does include certain exceptions which excuse an organisation from complying with IPP 3A, including where:
- the individual has previously been made aware of the organisation’s collection of the information;
- non-compliance would not prejudice the interests of the individual concerned;
- non-compliance is necessary to avoid prejudice to the maintenance of the law or enforcement of a law;
- compliance would prejudice the purposes of the collection;
- compliance is not reasonably practicable in the circumstances; or
- the information will be used in a form that does not identify the individual or will be used for statistical or research purposes.
Importantly though, the Bill clarifies that IPP 3A does not apply to personal information collected before 1 June 2025, meaning it will not have retrospective effect.
What does this mean in practice?
The proposed changes will introduce a new compliance step for organisations who collect personal information from other agencies. This may include the need to update existing privacy policies to ensure they are clear about whether information is collected from third party sources, and reviewing existing customer onboarding and engagement processes to ensure the required information is provided to individuals as early as possible in the customer journey.
However, we expect that it may be more challenging for some organisations to work through exactly how this information could practically be made available to individuals, particularly in situations where the organisation does not have a direct contractual relationship with the individual.
What’s next?
The Bill is currently awaiting its first reading after being introduced to Parliament last week. Guidance from the Office of the Privacy Commissioner has indicated that the public will have an opportunity to have their say on the proposed amendments by making submissions to the Justice Select Committee some time in 2024.
If you would like further information about how the proposed amendments may impact your current information disclosure practices, or would like assistance with understanding whether changes to your existing privacy policies or customer engagement processes may be required, please get in touch with one of our experts below.
Key contacts
Speak with one of our experts.
