As the most frequently visited provisions of our privacy law, there has been considerable interest in how they will change when the Bill comes into force next year. There has been various commentary on the differences but it has been difficult to find a side-by-side comparison. As someone who consults the privacy principles regularly (despite feeling they’re almost etched into the walls of my skull), I’d had enough of that so I’ve created such a comparison. Before I get to that, I’ll summarise the main changes to the IPPs.
The main changes to the IPPs, based on the version of the Bill reported back from the Select Committee, are as follows:
IPP1 (Purpose of collection of personal information)
In the Bill, IPP1 has a new paragraph (2) which reads:
“If the lawful purpose for which personal information about an individual is collected does not require the collection of an individual’s identifying information, the agency may not require the individual’s identifying information.”
One might ague that, strictly speaking, this doesn’t add anything of substance to the existing IPP1 but it is a helpful point of emphasis and it drives home the importance of agencies minimising the amount of identifying information they collect.
IPP2 (Source of personal information)
The Bill’s IPP2 has a new exception to match the same exception in some of the other IPPs. The new exception, in IPP2(2)(c)(v), enables an agency to collect personal information other than from the individual concerned if the agency believes, on reasonable grounds, that non-compliance is necessary “to prevent or lessen a serious threat to the life or health of the individual concerned or any other individual”. This flows from a Law Commission recommendation in its comprehensive review of the Privacy Act. The Law Commission said this:
“It is likely that there will be situations in which health or safety considerations mean that it is not possible to collect information from the individual concerned. An employer dealing with a workplace accident might, for example, need to get information about an injured worker from a family member; or a social worker might need to collect information from a third party in a case where a child appears to be at risk of harm. We acknowledge OPC’s point that existing exceptions can probably cover such situations, but we still think that agencies will find it helpful to have a specific exception (just as there is already a specific exception covering maintenance of the law).”
IPP3 (Collection of information from subject)
In the current Act, IPP3 says an agency collecting personal information from an individual “shall take such steps (if any) as are, in the circumstances, reasonable to ensure that the individual is aware of the matters listed in IPP3(1). In the Bill’s IPP3, the language has been modernised and the words “if any” have been dropped. Whether the dropping of the words “if any” has much of an impact in practice remains to be seen bit there is no longer a suggestion that, in some cases, it may be reasonable to take no steps to inform people of the matters in IPP3(1).
The exception in the current Act’s IPP3, where “non-compliance is authorised by the individual concerned”, has been removed from IPP3 in the Bill. This change flows from a recommendation of the Privacy Commissioner to the Law Commission during the review of the Privacy Act mentioned above. To my mind this is a helpful deletion, as the exception did not make a great deal of sense and, as the Privacy Commissioner put it to the Law Commission, it “could be seen as allowing organisations to seek authorisations on standard forms, in situations where there is an imbalance in the bargaining position between the individual and the agency”.
IPP4 (Manner of collection of personal information)
In the Bill’s IPP4, there is a new IPP4(2):
“When collecting personal information from children and young persons, an agency must take into account their vulnerability.”
This is an important addition. As the Select Committee observed, this “change seeks to protect young people, who may be more willing than adults to disclose their information online, and who may not be aware why an agency wants their information.” An agency collecting personal information from children and young persons will now need to ensure it has taken their vulnerability into account and, I suggest, will need to document that. A failure to document this consideration when required could expose an agency to allegations of infringing IPP4.
IPP8 (Accuracy, etc, of personal information to be checked)
In the current Act, IPP8 says that the accuracy (etc) of personal information is to be checked before use. The Bill’s IPP8 extends this to disclosure as well:
“An agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading.”
New IPP12 (Disclosure of personal information outside New Zealand)
The Bill contains a new IPP12 that regulates the disclosure of personal information outside New Zealand. As the Select Committee put it, “in most cases, an agency that wants to disclose personal information to a foreign person or entity would need to satisfy at least one of the criteria set out in … IPP 12(1):
- the individual concerned authorises the disclosure, after being expressly informed by the agency that the foreign person or entity may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the bill
- the foreign person or entity is carrying on business in New Zealand, and the agency believes, on reasonable grounds, that the foreign person or entity is subject to the bill
- the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws that, overall, provide comparable safeguards to those in the bill
- the agency believes on reasonable grounds that the foreign person or entity is a participant in a prescribed binding scheme
- the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws of a prescribed country
- the agency otherwise believes on reasonable grounds that the foreign person or entity must protect the information in a way that, overall, provides comparable safeguards to those in the bill.”
IPP12/13 (Unique identifiers)
The Bill’s IPP13 (previously IPP12) on unique identifiers adds a new circumstance in which an agency can assign a unique identifier to an individual that has already been assigned to the individual by another agency. That situation is where the agency will use the unique identifier for statistical or research purposes and no other purpose.
IPP13 also provides helpful clarification that an agency (A) does not assign a unique identifier to an individual by simply recording a unique identifier assigned to the individual by another agency (B) for the sole purpose of communicating with B about the individual.
The new IPP13 also requires agencies to take any steps that are, in the circumstances, reasonable to ensure that the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on receipts or in correspondence).
Side-by-side comparison of IPPs in the current Act versus the Bill
The side-by-side comparison of the IPPs in the current Act versus the Bill looks like this: