Revamping Data Collection: Proposed Regulatory Changes in NZ

Parliament is considering updates to privacy laws, requiring organisations to inform individuals when collecting personal information from sources other than the individuals themselves. This aligns with international privacy and data protection trends we have observed globally. In this discussion, we'll explore these changes, their practical implications, and future steps.

What is happening?

A Privacy Amendment Bill (Bill) introduced to Parliament proposes new disclosure requirements on organisations when indirectly collecting personal information. The Bill is available here.

What is the purpose of the Bill?

The Bill aims to address a perceived gap in the Privacy Act (Act), which is that the Act does not currently require organisations to notify an individual when it collects their personal information from a source other than the individual concerned.

As a result, an individual is unaware when organisations hold personal information about them if they do not directly engage with them. In turn, the individual is not in a position to enforce their privacy rights against that organisation.

When do organisations collect personal information indirectly?

Many organisations collect personal information indirectly. For example:

• Data brokers – many organisations purchase data from data brokers who compile and aggregate information from various sources. This data can include demographic information and purchasing behaviour, which companies use for marketing and customer analysis;
   
• Website analytics – organisations commonly collect data indirectly via website analytics tools to track user interactions with their websites, such as pages visited, time spent on pages, and click-through rates;
   
• Employee background checks – organisations conduct background checks on potential employees using third-party services to verify educational and employment history, criminal records, and other personal information;
   
• Partnerships – when organisations collaborate or form partnerships, they may share customer data indirectly for joint marketing efforts, cross-promotions, or to improve products and services; and
   
• M&A – companies engaged in mergers and acquisitions may collect information indirectly to assess the financial position and reputation of potential partners or acquisition targets.

What would change?

If the Bill is passed, organisations collecting personal information indirectly would need to take reasonable steps to ensure that the individual is aware that their information has been collected, why it has been collected, who it will be shared with, and what their rights are.

Are there any exceptions?

Yes. There are a few exceptions, such as where compliance would prejudice the interests of the individual or where the information is publicly available.

Importantly, organisations must take ‘reasonable steps’ to notify individuals of its data collection practices. What constitutes ‘reasonable’ will depend on the circumstances of the data collection, including:

• Sensitivity of the data, i.e. the more intrusive and sensitive the data, the more steps that may be expected to notify an individual;
   
• Possible adverse consequences for an individual, i.e. more steps may be required as the risk of adversity increases;
   
• Circumstances of the individual, i.e. collecting personal information indirectly from children or those with language impairments, may require taking additional steps to ensure the message is communicated in an easy-to-understand method; and
   
• Practicability, including the time and cost involved. That said, we anticipate that mere inconvenience or the fact that notifying might be time-consuming or impose some costs would not be an excuse to not taking any steps to notify.

What are the consequences?

We expect that the Bill will impact organisations for the following reasons:

• Communication channels – organisations often do not have direct contact with the data subjects when collecting data indirectly. This makes it challenging to provide notifications because there may not be an established communication channel;
   
• Supply chains – data may pass through multiple intermediaries or brokers before reaching the organisation. This complex supply chain can make it difficult to trace the source of the data and, consequently, to notify data subjects effectively;
   
• Data aggregation – data collected indirectly is often aggregated and anonymised for analytical purposes. This can make it challenging to identify specific individuals to notify;
   
• Trust – organisations may be concerned about reputational and brand implications when attempting to notify data subjects indirectly. Contacting individuals with whom they do not have a direct relationship could be perceived as intrusive or raise privacy concerns;
   
• Contact information – data subjects may have changed their contact information or may no longer use the email addresses or phone numbers on record with data brokers or other intermediaries. This can make successfully notifying these individuals difficult; and
   
• Privacy breach notifications – if an organisation collects personal information that, if misused, could expose an individual to a serious risk of harm, it will need to consider the ability to issue privacy breach notifications under the Act should an incident occur.

What should organisations do in response?

As a starting point, we recommend that organisations:

• Context – review and assess the circumstances of the data collection and whether the notification requirement is reasonable in the circumstances;
   
• Contract – establish clear agreements with third parties regarding data collection, use and notification responsibilities. These agreements will need to go beyond mere "comply with privacy law(s)" obligations. Instead, it will need to consider the content of collection notifications, ensuring there is a lawful basis to share the data, and setting out the mechanics of a data breach scenario (i.e. to contemplate the scenario where the breached organisation does not have a direct relationship with the impacted individual to notify them of an incident);
   
• Data mapping – establish a comprehensive data map that outlines the sources of indirect data, the types of data collected, and the purposes for which it is used; and
   
• Notices – craft clear and transparent notices or policies to explain how personal information is used and make these notices easily accessible through appropriate communication channels.

What’s next?

The Office of the Privacy Commissioner (OPC) has advised that the public can have their say on the proposed amendments by making submissions to the Justice Select Committee in 2024.

In the meantime, we recommend that organisations implement measures to mitigate the challenges of indirectly notifying data subjects when collecting their personal information.

While this would currently be best practice and not a technical legal requirement, it will demonstrate a commitment to privacy compliance and responsible data handling. It will also bring an organisation in line with global expectations of data handling practices, regardless of whether the Bill takes effect or not.

How can we help?

Clyde & Co’s Technology & Media Team houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand.

We are focused on providing an end-to-end solution that covers all aspects of cyber, data protection and technology-related risk. Our service offering in New Zealand and around the world covers pre-incident, incident response and regulatory and litigation services.

By leveraging our global expertise, we are well-positioned to assist clients in New Zealand in making submissions on these issues and navigate ways to ensure compliance should these new measures be introduced.

For more information, please contact our Kiwi team – Richard Berkahn, Anthony Cooke, or Kate Cross.