What you need to know about the new Information Privacy Principle 3A

Information Privacy Principle 3A (IPP3A) came into force on 1 May 2026.

All organisations and businesses that handle personal information are now required to have systems in place to meet the new requirements.

What is IPP3A?
IPP3A introduces a new obligation to notify individuals about indirect collection of their personal information.

It has been added to the Privacy Act to increase transparency about indirect collection, to help New Zealand maintain its “adequacy” status (that is, that our privacy protections are considered adequate in comparison to those under the European GDPR).

Until now,New Zealand’s privacy law has not included a requirement for an agency to notify an individual when it collects personal information about them indirectly, such as from a third party. This meant that an individual might not know that an agency holds their personal information.

What’s required to comply with IPP3A?
When an agency collects personal information from a third party (i.e. other than from the individual concerned), the agency will now need to notify the individual about various things, including:

• the fact of collection;
• the purpose of collection;
• the intended recipients of the information;
• the name and address of the agency that has collected the information and is holding it;
• any law authorising or requiring collection; and
• the individual’s rights of access to and correction of the information.

These notification requirements mirror how IPP3 operates already, now extended to indirect collection.

Are there any exceptions?
Much like IPP3, there are practical exceptions when the obligation to notify under IPP3A does not apply, such as where complying would prejudice the maintenance of the law or the personal information is publicly available.

Additionally, the obligation to notify does not apply where an individual has previously been made aware of the required information. For example, if agency A notified the individual at the time of collection that it would be disclosed to agency B, agency B does not also have to notify the individual.

What do organisations and businesses need to do to be compliant?
If they haven't already, organisations and businesses should prioritise reviewing:

• their current practices relating to personal information collection, including auditing how they obtain information to identify indirect sources;
• their privacy policies / statements to ensure they remain up-to-date with respect to indirect collection, including specifically stating when personal information is collected indirectly; and
• contractual arrangements relating to data sharing between agencies to make sure they have strong and clear requirements around notification of indirect collection.

IPP3A has now come into effect, and depending on how your organisation or business operates there may still be some doubt about whether it is meeting its obligations. MoranLaw’s experienced team have been keeping an eye on these privacy law developments, and can help your business or organisation understand how to comply with the new IPP3A. Get in touch today.