For those who missed it in the blur of the school holidays, a Statutes Amendment Bill was introduced to Parliament (Statutes Amendment Bill) at the end of September. The Statutes Amendment Bill is an omnibus Bill that includes changes to over 40 different Acts, including the Privacy Act 2020 (Privacy Act). The amendments proposed to the Privacy Act are relatively minor but provide some helpful insights or clarification for those needing to interpret the Privacy Act. These changes are happening in parallel to the amendments proposed to the Privacy Act through the Privacy Amendment Bill (which you can read more about in our update: Amendment to the Privacy Act 2020 proposed). Consultation on the Privacy Amendment Bill closed on 14 June 2024 and, as we understand it, is still being considered by the Justice Committee.
Among the more significant changes to the Privacy Act proposed through the Statutes Amendment Bill:
- Currently, under the Privacy Act agencies can respond to access requests to say that the relevant information is not held in a way that enables it to be readily retrieved. However, there is not a corresponding ground to refuse the access request. To address this, the Privacy Act will be amended to allow agencies to refuse access requests where the information is not readily retrievable (and this will reinstate the position under the Privacy Act 1993).
- Information Privacy Principle (IPP) 12, regarding overseas disclosures, is to be amended to clarify that transfers are only permissible to prescribed countries where there is no prescribed limitation or qualification in relation to that country (ie limitations or qualifications relating to the type of person or entity in the prescribed country to whom information may be disclosed, or the type of information that be disclosed to the prescribed country). Interestingly, there are not currently any prescribed countries (or any prescribed limitations or qualifications) so this change may indicate that regulations in relation to overseas disclosures are on their way.
- The notifiable privacy breach regime is to be amended to clarify that anyone who holds information for or on behalf of the responsible agency will constitute an agent of that agency. We expect that this change is seeking to clarify that the existing rule in the Privacy Act that an agency is responsible for its agents also applies in relation to the notifiable privacy breach regime. This ultimately means that organisations are 'on the hook' for their service providers and so should (to the extent that they aren’t already doing so) ensure their service providers are contractually required to notify them of privacy breaches in a timely manner.
- The Privacy Act currently includes an exemption from IPPs 5 to 12 in relation to an individual who is holding personal information collected by a lawful means solely for the purpose of, or in connection with, the individual’s personal or domestic affairs. The Statutes Amendment Bill will expand this exemption to clarify that individuals will not be subject to IPPs 5 to 12 in relation to information that was received by them unsolicited or that they created.
- The Privacy Commissioner's discretion not to investigate complaints will be expanded to include where the Commissioner considers the investigation is "inappropriate". It is unclear when an investigation would meet this threshold but will give the Commissioner more discretion in terms of the investigations it chooses to focus its resources on.
The Bill has only just been introduced to Parliament, so will be subject to further review and debate through the legislative process.
Please get in touch with one of our team if you have any queries.
