IPP3A: What you need to know

by: Katrina Hammon, Partner | Danita Ferreira, Partner

15 April 2026

Disclaimer

The information in these articles is general information only, is provided free of charge and does not constitute legal or other professional advice. We try to keep the information up to date. However, to the fullest extent permitted by law, we disclaim all warranties, express or implied, in relation to this article – including (without limitation) warranties as to accuracy, completeness and fitness for any particular purpose. Please seek independent advice before acting on any information in this article.

From 1 May 2026, a new privacy principle will come into force under the New Zealand Privacy Act 2020 (Act): the Information Privacy Principle 3A (IPP3A).

Under the existing Information Privacy Principle 3 (IPP3), agencies (which include individuals and entities) are required to notify individuals of specific information when collecting their personal information directly. IPP3A expands on this by including similar obligations for the indirect collection of personal information.

What is indirect collection of personal information?

Indirectly collecting personal information occurs when an agency obtains the personal information from a source other than the individual themselves. Common examples may include an agency obtaining credit history from a credit reporting agency, an agency verifying a job applicant’s employment with previous employers, or an agency requesting medical records from a doctor or clinic.

IPP3A notification requirements

The IPP3A notification requirements largely mirror those in IPP3, and include advising the individual of the following:

  • that the personal information has been collected, and what this personal information is;
  • the purpose for collection;
  • the persons or entities to whom the personal information will be disclosed;
  • the name and address of the agency that is collecting the personal information and the agency that holds the personal information;
  • whether the collection is authorised or required by law and if so, the applicable law; and
  • how the individual can access and correct their personal information.

Under the IPP3A, agencies must take “reasonable steps” to notify individuals of the above.  What is “reasonable” depends on the circumstances, but agencies should typically consider the following factors:

  • how sensitive the personal information is;
  • the possible harm or negative effects on the individual if they are not informed;
  • any particular requirements the individual may have, such as language or accessibility needs; and
  • practical factors, including time and expense, while noting that difficulty or cost by itself does not relieve an obligation to comply.

Notification can occur before collection, or as “reasonably practicable” following collection. Again, what is “reasonably practicable” depends on the circumstances.

There is no required format for the notification.  Individuals may be notified of IPP3A matters through a variety of methods, provided the communication is clear and easy to comprehend. Most commonly, agencies will use their privacy policy to meet this requirement, similar to IPP3 notifications. However, agencies can also implement a layered approach, giving a comprehensive explanation first via their privacy policy with subsequent shorter reminders.

Exceptions to IPP3A notification

Not every instance of indirect collection requires notification. There are various exceptions to the IPP3A notification requirements, most of which are the same as those in IPP3.  Below are some of the most common exceptions:

  • the individual is already aware of the disclosure;
  • the personal information is publicly available;
  • non-disclosure would not prejudice the interests of the individual;
  • telling the individual would prejudice the purpose of collection;
  • telling the individual is not reasonably practicable; or
  • the personal information will be used in a way that does not identify the individual.

The Privacy Commissioner has published guidance with commentary on how each IPP3A exception may apply in practice.

In practice, these exceptions should be applied cautiously.  Agencies must be able to justify their reliance on an exception, and ensure that the decision and supporting evidence are properly documented.

How to comply with IPP3A (practical steps)

The Act does not prescribe specific internal processes that agencies must follow to meet their notification obligations under the IPP3A.  Agencies have flexibility in determining how they comply, and there are a variety of ways to approach it, including:

  • identifying internal flows of indirect collection of personal information;
  • assessing each instance of indirect collection to determine where notification is required, or whether any statutory exceptions apply;
  • where no exceptions apply, considering the method of notification under the IPP3A;
  • updating privacy policies and/or contractual arrangements, and establishing new systems as needed to support compliance; and
  • training employees on new obligations.

We can help

The IPP3A will apply to the indirect collection of personal information from 1 May 2026, so agencies must be prepared to comply from that date.  If you have any questions about how the new IPP3A applies to your business, or need guidance on compliance, please get in touch.

WWW.WYNNWILLIAMS.CO.NZ