Time is running out to ensure compliance with new transparency obligation

On 1 May 2026, a new information privacy principle – IPP 3A – will come into effect. IPP 3A requires organisations to give people privacy notice about the collection of personal information from third parties. Until now, the law only required organisations to give privacy notice when they collected personal information directly from the people concerned.

Time is running out for organisations to ensure that their transparency practices are compliant with this new principle.

Scope and impact of IPP 3A

IPP 3A will apply to the collection of personal information from a third party, which could be another organisation or individual. For example, it will apply to the collection of personal information about a job applicant from their referee, or the collection of criminal offence information from the Ministry of Justice.

However, IPP 3A will not apply to the collection of personal information from a third party that is acting as a service provider, such as a market research agency that is running market research on an organisation’s behalf. In this case, the organisation will be collecting personal information directly from the individual concerned, albeit via the service provider.

Where IPP 3A applies, organisations will need to ensure that they have provided notice to individuals about the collection of personal information from the third party. Like existing IPP 3, the notice will need to inform individuals about:

  • the fact that the information has been, or will be, collected;
  • the purpose for the collection;
  • the intended recipients of the information;
  • the name and address of the organisation that is collecting the information;
  • whether the collection is authorised or required by law; and
  • their right to access and correct their information, once it has been collected.

Further, like IPP 3, IPP 3A will include a set of exceptions that will permit organisations not to provide notice. Organisations are not required to notify individuals if:

  • they have already been made aware of the collection (for example, because the collection is already outlined in the organisation’s privacy statement, the individual authorised the collection and was made aware at that time, or the disclosing organisation has already made the individual aware);
  • the information will not be used in an identifiable form (for example where it is being collected for research purposes);
  • the information is being collected from a publicly available source (such as the Internet);
  • telling the individual is not reasonably practicable in the circumstances (for example where the organisation does not hold contact information about the individual concerned);
  • telling the individual would prejudice the purposes of collection (for example where the organisation is investigating a suspected fraud case and is collecting information from a witness); or
  • telling the individual would cause a serious threat to public health or safety, or to the health and safety of the individual or another individual.

Finally, for the purposes of the IPPs, “collect” does not include the receipt of unsolicited information (see section 7(1) of the Privacy Act), and so IPP 3A will not apply where organisations receive personal information from a third party unsolicited.

In its final guidance, the Office of the Privacy Commissioner has noted helpfully that IPP 3A requires organisations to take reasonable steps to ensure that people are made aware, and what is reasonable will depend on many factors, including the sensitivity of the information, any possibility of negative impacts on the individual as a result of the collection, and practicality considerations. Certainly, there will be many scenarios in which the inclusion of privacy notice about indirect collections in an organisation’s general privacy statement will be reasonable for the purposes of compliance with IPP 3A.

What this means for organisations

Before 1 May 2026, organisations will need to take steps to ensure they are prepared for this new compliance obligation. We are generally recommending that these steps should include the following:

  1. Review all collections of personal information, and identify which collections are direct (from the individual concerned) and which collections are indirect (from a source other than the individual concerned).
  2. For all indirect collections, determine whether one of the exceptions applies to permit the organisation not to notify the individuals concerned.
  3. For any indirect collections to which an exception does not apply, determine whether the collection has already been addressed in the organisation’s privacy statement(s).
  4. If an indirect collection has not already been addressed in the privacy statement(s), determine whether any additional steps need to be taken to provide notice to people about the collection.

Simply Privacy has been assisting several clients with preparations for this new obligation. For large or complex organisations, we’re finding that the information gathering process is taking a long time to complete. So, if you have not already commenced this work, we recommend starting it soon.