What you need to know about the new Information Privacy Principle 3A

Information Privacy Principle 3A (IPP3A) is expected to come into force on 1 May 2026.

By then, all organisations and businesses that handle personal information will need to have systems in place to meet the new requirements.

What is IPP3A?

IPP3A introduces a new obligation to notify individuals about indirect collection of their personal information.

It has been added to the Privacy Act to increase transparency about indirect collection, to help New Zealand maintain its “adequacy” status (that is, that our privacy protections are considered adequate in comparison to those under the European GDPR).

New Zealand’s current privacy law doesn’t include a requirement for an agency to notify an individual when it collects personal information about them indirectly, such as from a third party. As a result, an individual might not know that an agency holds their personal information.

What’s required to comply with IPP3A?

When an agency collects personal information from a third party (i.e. other than from the individual concerned), the agency will need to notify the individual about various things, including:

  • the fact of collection;
  • the purpose of collection;
  • the intended recipients of the information;
  • the name and address of the agency that has collected the information and is holding it;
  • any law authorising or requiring collection; and
  • the individual’s rights of access to and correction of the information.

These notification requirements mirror how IPP3 operates already, now extended to indirect collection.

Are there any exceptions?

Much like IPP3, there will be practical exceptions when the obligation to notify under IPP3A will not apply, such as where complying would prejudice the maintenance of the law or the personal information is publicly available.

Additionally, the obligation to notify won’t apply where an individual has previously been made aware of the required information. For example, if agency A notified the individual at the time of collection that it would be disclosed to agency B, agency B does not also have to notify the individual.

What do organisations and businesses need to do to get ready?

In advance of IPP3A becoming law, organisations and businesses should be reviewing:

  • their current practices relating to personal information collection, including auditing how they obtain information to identify indirect sources;
  • their privacy policies / statements to ensure they remain up-to-date with respect to indirect collection, including specifically stating when personal information is collected indirectly; and
  • contractual arrangements relating to data sharing between agencies to make sure they have strong and clear requirements around notification of indirect collection.

There’s a short timeframe to get ready for IPP3A, and depending on how your organisation or business operates there may be a fair bit of work required to meet the obligations. MoranLaw’s experienced team have been keeping an eye on these privacy law developments, and can help your business or organisation understand how to comply with the new IPP3A. Get in touch today.
Share on:
Tags:
You may also like
A New Era for Consumer Data in New Zealand
Team Updates - Shamara Polliack
Societies Incorporated as Boards - What you need to Know