
OPC Finalises IPP3A Guidance: What Changed and What Organisations Need To Do Before 1 May 2026

  • Writer: R O'Brien
  • Nov 6

The Office of the Privacy Commissioner (OPC) has released its final guidance on Information Privacy Principle 3A (IPP3A), setting a clearer and more practical path for compliance ahead of its commencement on 1 May 2026.


The new guidance refines the draft released for consultation earlier this year, responding to strong feedback from both public and private sector organisations. The result is a more workable and balanced approach that recognises operational realities while maintaining a strong focus on transparency and individual rights.


At its core, IPP3A requires agencies that collect personal information indirectly, meaning from someone other than the individual concerned, to notify that individual about the collection unless a specific exception applies.


This principle represents a significant evolution in transparency under the Privacy Act 2020 and will affect most organisations that receive data through third parties, intermediaries, group companies or service providers.


Key Changes in the Final Guidance


1. Multiple Indirect Collectors


The OPC now confirms that several agencies in a chain can each be an indirect collector. One agency can notify on behalf of others, but only where there is clear evidence of this arrangement and contractual responsibility is properly allocated.


This clarification helps avoid duplication of notifications and highlights the importance of clear legal terms between data-sharing partners.


2. Reasonable Steps Clarified


The final guidance provides a structured checklist of what counts as reasonable steps when notifying individuals. Factors include the sensitivity of the data, potential impact on individuals and practicality in the specific context.


The OPC encourages the use of layered or advance notices so people receive meaningful information without being overwhelmed.


3. Recipients and Level of Detail


Organisations can now, in some instances, describe categories of recipients instead of naming every recipient individually, as long as those categories specify the type, sector and location.


This change will be a relief for many businesses. Under the draft guidance, naming each recipient could have created an unrealistic and costly compliance burden for complex or large-scale data flows.


The OPC expects these categories to be as specific as reasonably possible about the recipient’s type, industry and location.


4. Timing and Documentation


Notification should occur as soon as reasonably practicable. The OPC expects agencies to document reasons for any delay and to embed notification into existing systems and processes such as onboarding, forms and data transfer workflows.


This means compliance should be built into day-to-day operations rather than treated as a separate legal exercise.


5. Exceptions Refined and Expanded


The commercial exception now covers situations where notification would unreasonably prejudice the commercial position of either the supplier or the individual.


Other exceptions have been clarified, including:

  • National security and international relations, which now includes relations with the Cook Islands, Niue and international organisations.

  • Public health and safety, where the OPC encourages organisations to delay notification where necessary rather than rely on the exception to avoid it entirely.


These refinements show a more balanced approach between legitimate business, operational and safety concerns and the principle of transparency.


6. Acting on Behalf


The guidance explains when collection is considered direct under the PPPR Act, meaning IPP3 applies, and when it remains indirect. It includes examples of what reasonable steps look like when collecting through representatives or authorised agents.


What Organisations Should Do Now


The OPC’s final guidance makes clear that compliance will depend on preparation, documentation and collaboration across business, privacy and legal teams. The following steps will help build readiness ahead of May 2026.


1. Review Existing Data Sharing Arrangements


Identify all situations where your organisation receives personal information from another party.

Review contracts and data sharing agreements to ensure responsibilities for notification, evidence and timing are clear. Each party should know who is notifying and how compliance will be demonstrated.


If a third-party provider handles information on your behalf, your organisation remains responsible for meeting IPP3A obligations.


2. Map Indirect Collection Points


Create or update your data inventory to show where personal information comes from, how it moves between systems and teams, and where it leaves your organisation.


This mapping provides the foundation for identifying where IPP3A applies and which exceptions may be relevant.


3. Update Privacy Notices


Ensure your privacy notices and public statements reflect the IPP3A requirements.


Notices should include:

  • A clear statement that personal information may be collected indirectly.

  • Categories of recipients, including type, sector and location, where naming each one is not practicable.

  • The purposes for which the information is collected.


Ensure the notice is accessible and consistent across platforms such as websites, forms and onboarding materials.


4. Strengthen Governance and Accountability


Maintain records of decisions on notification timing, reliance on exceptions and allocation of responsibility.


A clear governance structure will support consistency, accountability and trust and provide an audit trail if the OPC reviews your practices.


5. Integrate IPP3A into Procurement and Third Party Management


Update procurement templates, outsourcing agreements and partnership frameworks to include IPP3A obligations.


Contracts should specify:

  • Which party is responsible for notification.

  • Evidence or reporting required to demonstrate compliance.

  • How exceptions will be documented and reviewed.


Embedding these terms early will reduce compliance risk and ensure clarity in multiparty data flows.


Why This Matters


The final IPP3A guidance strikes a strong balance between transparency and practicality while raising expectations for accountability and legal defensibility.


Organisations that wait until 2026 risk finding that their current contracts, notices and governance frameworks are not sufficient to demonstrate compliance.


By starting now, agencies can build a legally sound and operationally sustainable approach to indirect collection and notification that supports trust, efficiency and compliance in equal measure.


How O’Brien Legal Can Help


O’Brien Legal brings together expertise in privacy, data and commercial law. We help organisations prepare for IPP3A by reviewing contracts, updating notices and implementing governance frameworks that align with both the Privacy Act and business objectives.


Our focus is on practical, evidence-based compliance that meets legal standards and works in real-world operations.


For tailored advice or to arrange an IPP3A readiness review, contact us at www.obrienlegal.co.nz.
