New Rules on Indirect Data Collection

Monday 15 April, 2024

An amendment to the Privacy Act 2020 has been introduced to Parliament with the aim of providing greater transparency for individuals whose personal information is being collected by organisations indirectly.

Why the Change?

At present, indirect collection of an individual’s personal information is permitted under the Privacy Act under certain circumstances. This has led to both public and private organisations being able to collect an individual’s personal information through indirect means without notifying the individual. The result being that individuals may not know that an agency holds their personal information. 

What’s being changed?

The Bill before Parliament proposes to alter the information privacy principles in the Privacy Act 2020 by requiring organisations to notify individuals where personal information is being collected indirectly from a third party. For example, debt collection agencies who collect personal information about individuals from their clients in order to chase outstanding debts.

The Bill aims to achieve this by introducing Information Privacy Principal (IPP) 3A which requires the a collecting entity to:

• Take all reasonable steps to ensure that the individual concerned is aware of the:
  • collection,
  • purpose for which the information is collected,
  • intended recipients of the information,
  • details of the agencies involved
  • law authorising collection, and
  • individual’s rights in terms of requesting access and the correction of stored information.

The Bill also introduces exceptions to the above that mirror those currently applied to information collected directly from individuals under IPP 3. For example, where the individual has previously been made aware of the organisation’s collection of the information or where compliance would:

• prejudice national security, defence, or international relations,
• reveal trade secrets; or
• cause a serious threat to health and safety.

The explanatory note to the Bill gives an example of an exception being a gun club receiving personal information from a member about another member that is concerning. The gun club may have reasonable grounds to believe that informing the member that it has indirectly collected information about them could cause the individual to react in a way that poses a serious threat to public safety. The gun club would therefore be justified in not informing the individual about the gathering of information under the exemptions of the Bill.

What are the implications of the change?

This Bill aims to protect the individual in light of the ever-increasing market for data. Arguably, it is a regulatory step in the right direction for the consumer and will likely lead to more detailed terms of service for users when accessing sites or using services. For businesses, contracts with third parties should be reviewed to ensure proper disclosures are made in relation to indirect data collection.

The application of the proposed amendments will depend on context. However, the changes moderate a movement towards increasing protection of the privacy rights of individuals against agencies collecting their data without notification.  

If you require advice about your obligations in relation to data collection and storage, please contact one of our experts.