IPP3A – The exceptions and what they mean for your business
- R O'Brien
In my previous posts I’ve covered:
In this article, I want to look more closely at the exceptions to IPP3A, when notification is not required, how the Office of the Privacy Commissioner (OPC) expects organisations to apply them, and what this means in practice.
The rule and the exceptions
From 1 May 2026, if your business collects personal information indirectly (not from the person themselves), you must notify that person unless an exception applies.
Full list of IPP3A exceptions
Notification is not required if:
- The individual has already been made aware
- The information won’t be used in an identifiable form
- The information is used for research or statistics and publishing won’t identify the individual
- Non-compliance wouldn’t prejudice the individual’s interests
- The information is already publicly available
- Telling the individual would prejudice the purpose of the collection
- Telling the individual is not reasonably practical in the circumstances
- The agency is assessing whether information is of enduring public value for archiving, and compliance would seriously impair that purpose
- Compliance would prejudice New Zealand’s (or associated territories’) security, defence, or international relations
- Compliance would reveal a trade secret
- Telling the individual would cause a serious threat to public health or safety, or to another individual’s health or safety
- Non-compliance is necessary for:
  - maintenance of the law
  - enforcement of the law that imposes a pecuniary penalty
  - protection of public revenue
  - conduct of court or tribunal proceedings.
How to apply the exceptions
The OPC’s draft guidance makes it clear that notification is the default and exceptions should be applied cautiously. Agencies are expected to be able to justify any decision not to notify. Some of the key points are:
1. Start with notification as the rule
Agencies must be able to show they actively considered notifying. Exceptions are not intended to be used as shortcuts or loopholes.
2. “Not reasonably practical” is a narrow test
- Cost, inconvenience or administrative burden are not enough on their own.
- Cost may be relevant only if it is truly disproportionate to the benefit of notifying.
- The more sensitive or extensive the personal information, the greater the expectation that you will make efforts to notify.
3. Systems or processes are no excuse
Incompatible technology, outdated systems, or poor processes are not valid reasons to avoid notification. Agencies are expected to plan for how they will meet IPP3A requirements and build notification into system design.
4. Lack of contact details is not the end of the story
If you do not hold contact details, or you reasonably believe they are out of date, you are not required to collect them solely for notification. However, you should still consider other steps such as:
- Posting a public notice (for example, on a website or social media page)
- Using a channel reasonably accessible to the affected individuals.
The OPC provides examples of when public notices may be appropriate, and when direct notification is still required.
5. Exceptions are not “blanket permissions”
Even where an exception applies, agencies should consider whether partial notification is possible. For example, you may not be able to contact every individual, but you could notify a significant proportion.
6. Consider timing
The obligation is to notify “as soon as reasonably practicable.” If you delay notification to avoid prejudicing an investigation, you should revisit the decision once the risk has passed.
7. Sensitive vs non-sensitive contexts
- Sensitive information (health, biometrics, children’s data) will almost always demand higher notification efforts.
- Large-scale collections raise the threshold for relying on exceptions.
- Information scraped from public sources may appear low-risk, but if it is used in sensitive ways, expectations to notify will increase.
8. Transparency beyond compliance
Even if an exception technically applies, think about customer expectations and trust. In some cases, notifying voluntarily may be the safer commercial decision.
9. Document your reasoning
If you rely on an exception, keep a clear record of your decision and why. This provides:
- An audit trail for the OPC
- Evidence to stakeholders that you are applying IPP3A responsibly
- Protection against claims of careless or opportunistic non-compliance.
10. Build into governance and contracts
- Incorporate IPP3A exception assessments into privacy impact assessments (PIAs) and data governance processes.
- Ensure contracts with third parties clarify who is responsible for notification and how exceptions will be assessed.
11. Monitor evolving practice
IPP3A is new. The OPC’s decisions, guidance updates, and emerging case studies will shape how exceptions are applied in practice. Agencies should keep policies under review and be ready to adjust.
Why this matters for your business
IPP3A significantly raises the bar for transparency in New Zealand. The exceptions balance important interests such as law enforcement, national security, and practicality, but they are narrow and fact-specific.
For businesses, the key message is simple:
- Assume notification will be required.
- Only rely on an exception where it clearly applies and you can defend that position.
Applying IPP3A carefully, and keeping good records, will not only reduce legal risk but also help build and maintain trust with customers, staff, and regulators.
This is not legal advice. If you want legal advice on the implications for your business, please contact me directly.