Key changes to New Zealand’s Privacy Act 2020 (the Act) have been passed by Parliament.

The most significant change is the introduction of a new Information Privacy Principle – IPP3A – which specifically addresses the indirect collection of personal information. Several technical amendments have also been made to address minor issues that have arisen since the Act first came into force.

The Office of the Privacy Commissioner (OPC) released guidance on IPP3A (the Guidance) for public consultation earlier this year. The Guidance is only a draft but gives some insight into how IPP3A will be enforced.

IPP3A

Under the Act, agencies were required to notify individuals when collecting personal information directly from them (IPP3), but there was no requirement for notification when information was collected from other sources (indirectly). As such, individuals could be unaware that an agency held and used their personal information, and this lack of transparency meant they were unable to exercise their rights to access, correct, or object to the use of their information.

IPP3A now requires agencies to take reasonable steps to notify individuals when their personal information is collected indirectly, unless one of the listed exceptions apply. The rule will only apply to personal information collected from 1 May 2026.

This change helps align New Zealand’s privacy law with international best practice and supports the country’s ongoing EU adequacy status, which facilitates the free flow of personal data from the European Union to New Zealand. IPP3A also brings New Zealand into line with the Australian legal position.

Notification requirements

As we have discussed before, new IPP3A is largely based on existing IPP3. The notification must include:

• The fact that the information has been collected;

• The name and address of the agency collecting and holding the information;

• The purposes for which the information is being collected;

• The recipients of the information;

• Whether the collection is authorised or required by law; and

• The individual’s rights of access to, and correction of, the information.

Notifications must be specific and clear. The OPC expects agencies to use plain language and, where possible, to name the third parties involved (more on this later).

Timing of notification

An agency is required to inform an individual as soon as reasonably practical after the information has been collected, unless the notification steps have already been taken.

The Guidance states that what is reasonably practical will “depend on the circumstances of the indirect collection, taking into consideration the available knowledge, cost, and effort involved”. For example, if an agency would need to hire additional staff to meet the notification requirements within two weeks but could notify with existing staff within four weeks, then what is reasonably practical would be to notify within four weeks.

Exceptions

There are practical exceptions to the notification requirement, such as when the individual is already aware of the collection, when compliance would be impractical or undermine the purpose of collection, where there is no prejudice to the individual from non-notification, or where information is anonymised, or used for statistical purposes. These exceptions are the same that apply in respect of IPP3.

IPP3A also introduces additional exceptions specifically for indirect collections. These apply in a more limited way, and include when an agency collects personal information for archiving purposes, and notification is likely to seriously impair achievement of this; where compliance would prejudice the security or defence of New Zealand, or the international relations of the Government of New Zealand; and where informing the individual concerned would cause a serious threat to public health or safety, or to the health or safety of another individual.

The Guidance notes that once an agency can no longer rely on an exception, it should notify the individual that it has collected their information indirectly. Agencies therefore need to be regularly assessing the situation as it evolves to determine whether an exception continues to apply.

Intermediaries

An important practical exception to IPP3A is when the individual has already been notified of the indirect collection. For example, if one agency (the disclosing agency) collects personal information directly from an individual and shares it with another agency (the collecting agency), the collecting agency does not need to comply with IPP3A if the disclosing agency has already informed the individual of the indirect collection.

The Guidance gives a clear steer on what is required to rely on this exception:

• If the disclosing agency is to be responsible for the notification requirements, it will need to be specific about who is indirectly collecting the personal information i.e., by naming specific organisations or companies rather than just describing a type or class of agency. For example, it is not sufficient to say, “we may share your information with a credit reporting agency”. However, if the disclosing agency knows that in certain situations it will always share information with specific agencies, it can notify individuals generally of the circumstances in which it would always send information to those agencies.

• The collecting agency will need to have a “sound basis” for believing the disclosing agency has informed the individual. This should be based on evidence rather than an assumption. One way to ensure this is to make the notification requirements part of the contractual arrangement i.e., both agencies agree that the organisation that originally collects the information from the individual concerned will make them aware of the required information, so that the collecting agency does not need to notify them again.

• The collecting agency will still need to have “reasonable grounds” to believe that the disclosing agency is in fact informing individuals as required. This could be achieved by receiving and filing a copy of a form signed by an individual, or through regular contract reporting requirements.

Note also that if an agency is using a third party provider (e.g., an IT service provider) that does not collect and use the information for its own purposes, then section 11 of the Act will continue to apply, and the agency will remain responsible for complying with IPP3A (not the third party).

IPP3A checklist

So, what should organisations do to prepare for IPP3A?

Understand data collection practices

Organisations should first audit their data collection practices to identify all instances where personal information is collected from sources other than the individual (e.g., from third parties or public records) and to understand whether (and how) individuals are notified of the indirect collection.

Assess whether exceptions apply

When there is indirect collection, organisations should assess whether there are any exceptions to IPP3A notification that they can rely on. This is a technical area, so agencies need to stay updated with the OPC’s evolving guidance and should consider taking legal advice.

When relying on an exception, agencies should document their decisions and reasoning as this may be scrutinised later by the OPC. The intention of IPP3A is to give people more information and control over who has their personal information, and we can expect the OPC to assess exceptions through this lens. The Guidance reflects the OPC’s general view that even though an organisation may not be required to notify individuals of indirect collection, that doesn’t mean it shouldn’t notify anyway.

Remember that agencies cannot automatically rely indefinitely on an exception to notification. Agencies need to have operational processes to regularly assess whether an exception continues to apply and to act to meet the notification requirements if circumstances change.

Review and update third party contracts

If an organisation receives indirect collection from an intermediary agency, it should confirm that the intermediary is contractually obligated to:

• Provide all necessary notifications to the individuals concerned; and

• Supply the organisation with enough information to reasonably conclude that IPP3A compliance obligations are being met. This could include copies of signed forms or consent documents, periodic compliance reports, or regular audits.

Businesses that manage data on behalf of clients (e.g., cloud or IT service providers) should ensure their contracts specify that responsibility for notifications to customers remains with the client to avoid doubt. Where such businesses also use client data for their own purposes (e.g., improving their products or services), then they will need to also ensure that the client is contractually obligated as set out above.  

Develop notification processes

Where there is no statutory exception, agencies will need to develop procedures to notify individuals either before indirect collection or as soon as reasonably practical after. Remember that what is reasonably practical will depend on the circumstances of the indirect collection, weighing up the cost, effort, and available knowledge. Inconvenience, expense, or administrative burden do not automatically mean notification is “not reasonably practical”.

Organisations need to ensure that notifications cover all the required details (fact of collection, purpose, recipients, agency name and address, legal basis, and rights of access/correction). It should be explained in plain language, where possible. Automated notifications can ensure consistency and timeliness.

Review and update privacy policies

Agencies should review and update their privacy policies to ensure they clearly explain indirect collection practices, specifying what information is collected, the purposes, and who it will be shared with. Remember the requirement for specificity – based on the Guidance, organisations need to be explicit about the type of information and the intended recipients, including naming third party organisations.

This may be an area where the Guidance is refined following public consultation, as this level of specificity is a material change to the way privacy statements are currently prepared. Constantly updating notifications to change the specifics could present significant administrative cost for organisations with large-scale or complex data environments. Overly frequent or duplicate notifications might also reduce the effectiveness of privacy communications and increase “notification fatigue” among individuals.

Implement training

Many organisations will benefit from giving updated training to their people about the new requirement and the specific steps needed for compliance. This will likely include training on identifying when indirect collection occurs and how to handle exceptions. The OPC has said it will take a risk-based approach to enforcement of IPP3A, focusing on the impact of non-notification and the agency’s efforts to comply.

Meet the deadline

The new requirements are planned to take effect from 1 May 2026 (an extension from the original 1 June 2025 commencement date), so there is time for organisations to review and update their systems and processes.

Putting privacy principles into practice often involves navigating complex issues. We’re here to help – contact us anytime for support.