New Privacy Law on the Horizon: What You Need to Know About IPP3A and Indirect Collection of Personal Information

In a digital world where personal data flows more freely than ever, it’s no surprise that privacy laws are evolving to keep pace. The Privacy Amendment Bill, introduced to Parliament in 2023, represents a significant shift in how New Zealand agencies must handle personal information—particularly when it’s collected indirectly.

At the heart of this Bill is a new Information Privacy Principle: IPP3A. With an anticipated commencement date of 1 May 2026, it’s time for businesses and organisations to get ahead of the curve.

Why the Change?

The current Privacy Act 2020 is built on 13 core Information Privacy Principles (IPPs) that regulate how personal information is collected, stored, used, and disclosed. While robust in many respects, the Act hasn’t required agencies to inform individuals when their information is collected indirectly—that is, from a third party rather than the individual themselves.

Enter IPP3A. This new principle strengthens transparency and accountability, aligning New Zealand more closely with international privacy frameworks like the European Union’s General Data Protection Regulation (GDPR).

What is IPP3A?

In essence, IPP3A will require agencies to notify individuals when they collect personal information about them from someone else, unless an exception applies.

Under the current law, there’s no express obligation to disclose this kind of collection. But from May 2026 onwards, if your organisation collects personal data through an intermediary—say, another business, an online platform, or a referral—you will generally need to let the individual know.

What Counts as “Indirect Collection”?

Any situation where an individual’s personal information is gathered from someone other than that individual qualifies as indirect collection. This could include:

  • Collecting health information from a GP on behalf of an insurer
  • Receiving a client’s details via a referral from a partner agency
  • Gathering contact data from a public database or social media

While the information may be lawful to collect under IPP2, the new principle places a separate obligation on agencies to inform the individual after the fact.

When Must You Notify?

If you’ve collected someone’s personal information indirectly, IPP3A requires you to take “reasonable steps” to let them know:

  • That their information has been collected
  • The purpose for collection
  • Who the information will be shared with
  • The name and address of the agency collecting and holding the information
  • Whether collection is authorised by law (and which law)
  • That they have the right to access and correct their information

The notice should be given as soon as reasonably practicable after the collection takes place.

Are There Exceptions?

Yes—but they are limited. Exceptions to IPP3A relate only to the obligation to notify, not to the collection itself. For instance, if giving notice would:

  • Pose a serious threat to someone’s health or safety
  • Prejudice the maintenance of the law
  • Involve confidential references or evaluative material

then an exemption may apply. However, agencies will still need to show that they considered notification and had a valid reason for not doing so.

Real-World Scenarios

Let’s break down how this might look in practice:

The Insurance Claim
InsureCo receives client information from a broker. Under IPP3A, InsureCo must inform the client that it has collected their information—unless an exception applies. The broker also needs to comply with the disclosure rules under IPP11.

The Third-Party Provider
Vaultora, a data-hosting platform, holds client information on behalf of businesses but doesn’t use it for its own purposes. The obligation to notify under IPP3A sits with Vaultora’s clients—not Vaultora itself.

The Referral
Branda, a marketing agency, refers a client to Samantha Jones PR. Either Branda or Samantha must notify the client about the collection and explain why it occurred. A simple email or phone call could satisfy the IPP3A requirement.

What Should You Do Now?

While 1 May 2026 may seem a while away, compliance with IPP3A will require both system and process updates. Here’s what your organisation should consider doing now:

✅ Audit your data flows
Identify where and how you collect personal information indirectly.

✅ Update privacy policies and agreements
Ensure your documentation reflects IPP3A disclosure obligations, especially in third-party service arrangements.

✅ Revise onboarding processes
Consider whether individuals are notified at the right stage—and whether that communication is clear, complete, and timely.

✅ Clarify internal responsibilities
Make sure your staff and any external partners know who is responsible for notifying individuals when data is shared or referred.

Need help getting ready for IPP3A?

Our team is here to support your business in preparing for these upcoming changes. Whether it’s reviewing contracts, revising your privacy statements, or developing practical notification procedures—we can help ensure your systems are fit for purpose by 2026.

iCLAW is now Foley Douglas

We’re excited to share that iCLAW has officially rebranded to Foley Douglas.

While our name has changed, our commitment to providing trusted legal expertise and dedicated client service remains exactly the same.

You’ll still find the same team, the same values, and the same high standards, just with a new name that better reflects who we are today and where we’re headed.

Thank you for being part of this next chapter with us.