IPP3A – Why this amendment, and why now?

From 1 May 2026, a new Information Privacy Principle will apply in New Zealand: Information Privacy Principle 3A (IPP3A) under the Privacy Act 2020. This change comes through the Privacy Amendment Act 2025, which was passed in September.

IPP3A introduces a requirement for organisations that collect personal information indirectly (that is, not directly from the individual concerned) to notify that individual, unless a specific exception applies.

The amendment was presented as a way to strengthen transparency in New Zealand’s privacy framework and to bring us into closer alignment with international standards. But was it really necessary, and what does it mean in practice for businesses?

Harm vs benefit

The case for IPP3A is that people should know when their information has been collected, even if they were not the source. Without this transparency, individuals:

• lose visibility of where their information is held and how it is used

• cannot easily exercise their rights of access and correction

• may be blindsided if their information surfaces in an unexpected place

• may lose trust in organisations and systems that handle their information

• are more vulnerable if inaccurate information is passed along without their knowledge

These are important concerns in a world where data flows quickly and often invisibly, particularly with the growth of digital platforms, data brokers, and AI systems that draw on large data sets.

On the other hand, the reality in New Zealand has been somewhat different. Many agencies already addressed indirect collection in their privacy notices, and whole sectors had established processes for handling referrals or third-party data fairly.

The absence of a strict legal requirement has not generally been seen as a major gap in our privacy framework, particularly when compared with other missing rights such as a general right to erasure, a right to data portability, or stronger limits on automated decision-making. In many day-to-day contexts, indirect collection was accepted as a practical reality and not a point of significant public concern.

As a result, while IPP3A addresses a real principle of transparency, the actual level of harm it is intended to fix in the New Zealand context is debatable.

International comparison

Looking abroad, we see that IPP3A is not groundbreaking but rather New Zealand catching up with global peers.

• GDPR: Articles 13 and 14 expressly require notification when data is collected indirectly, with some exceptions.

• Australia: The Privacy Act requires organisations to take reasonable steps to notify individuals when information is collected from third parties.

By adding IPP3A, New Zealand aligns itself more closely with these standards. The change also helps protect New Zealand’s EU adequacy status, which is critical for the continued free flow of data with Europe, and therefore for trade, particularly in sectors that rely heavily on cross-border data transfers.

Business lens

The real challenge for organisations will be implementation. The OPC’s guidance on IPP3A sets a high bar. Agencies are expected to carefully review what information is collected, why, from whom, and who it will be shared with, and then communicate that clearly to individuals. This is much more than a tick-box exercise.

Concerns raised in submissions on the Bill included:

• Duplication of notices where multiple agencies are involved in a transaction or referral

• Notice fatigue, where individuals are inundated with repetitive information they are unlikely to engage with

• Unclear responsibility for compliance in multi-agency or contractual arrangements

• Significant compliance costs, particularly for small and medium-sized enterprises

Meeting these expectations will require many organisations to uplift their overall privacy programmes. That may involve:

• stronger governance and clearer internal accountability

• updated external privacy notices and internal policies

• better record-keeping and data inventories

• privacy by design practices in new systems and projects

• reviewing and updating contracts with third parties to allocate responsibilities

For larger organisations with existing privacy teams, this may be an extension of work already underway. For smaller businesses, however, the change could represent a significant new compliance burden.

There is real value in lifting privacy maturity across the board, and in the long term these changes may improve trust and resilience. But the timing is challenging. In the current New Zealand market, many businesses are under financial pressure, and taking on a significant compliance cost without a clear benefit or direct link to revenue will be a hard ask. Careful planning will be needed to meet the standard without over-investing in processes that deliver little commercial return.

This is not legal advice. If you want legal advice on the implications for your business, please contact me directly.

#Compliance #BusinessRisk #PrivacyLaw #DataProtection #NZLaw #IPP3A