New Obligations for Businesses Collecting Personal Information from Third Parties

On 1 May 2026, Information Privacy Principle 3A (IPP3A) came into effect, expanding the notification requirement under the Privacy Act 2020 to cover indirect collection of personal information.

Previously, businesses had no obligation to notify individuals when collecting their personal information from a third party. IPP3A has changed that.

What your business must disclose: From now on, when your business collects personal information indirectly, you must take reasonable steps, as soon as is reasonably practicable, to make the individual aware of the:

• Fact that their information has been collected
• Purpose of the collection
• Intended recipients of the information
• Name and address of the agency, or agencies, collecting and holding the information
• If applicable, which law authorises or requires the collection, and
• Rights of the individual to access and correct their information.

Exceptions: IPP3A does not require notification in all circumstances. Exceptions include, but are not limited to, where:

• The individual has already been notified
• The information is publicly available
• Compliance is not reasonably practicable, and/or
• It is necessary for law enforcement or court proceedings.

Please note the above is to be treated as a guide rather than an exhaustive list. We recommend seeking tailored legal advice before relying on any exception.

Next steps: If you haven’t already, you may want to consider building notification into your existing policies and communicating this clearly to individuals. The Office of the Privacy Commissioner has released guidance on IPP3A, which provides a helpful starting point for understanding your obligations. Non-compliance may result in a complaint to the Privacy Commissioner, which may lead to a formal investigation and have potentially significant consequences for your business, so it is important that you take steps now to ensure your processes are up to date.

If you have any questions about how IPP3A applies specifically to your organisation, please feel free to contact us.

DISCLAIMER: All the information published is true and accurate to the best of the authors’ knowledge. It should not be a substitute for legal advice. No liability is assumed by the authors or publisher for losses suffered by any person or organisation relying directly or indirectly on this article. Views expressed are those of individual authors, and do not necessarily reflect the view of this firm. Articles appearing in this newsletter may be reproduced with prior approval from the editor and credit given to the source. Copyright, NZ LAW Limited, 2019. Editor: Adrienne Olsen. E-mail: adrienne@adroite.co.nz. Ph: 029 286 3650 or 04 496 5513.
