The OPC’s draft Guidance on IPP3A is out and it’s clear, specific and operationally challenging

From 1 May 2026, agencies that collect personal information indirectly will need to notify individuals, unless an exception applies. The draft guidance is open for consultation until 25 June 2025.

What stands out is how clear the OPC is about what compliance looks like.

For example, the Guidance states:

▶️ A bank is collecting the information and plans to send it on to a financial services company. The bank needs to tell the individual the name of the company it is sending the information to.... It’s not enough to only say the type or class of agency.

This will require real operational change:

▪️ Organisations will need to have clear data lineage so they can identify the source of each data point and understand how it flows across systems.

▪️ Changes to any third party you collect data from or share data with, may require updates to individual notifications.

▪️ Large organisations often rely on many third parties. This can result in long notification lists and frequent updates as relationships change.

▪️ These changes will affect not just privacy teams, but also legal, contracting, IT and data governance.

The OPC also suggests that disclosing and collecting agencies make notification responsibilities part of their contracts. This means that if you are renegotiating third party agreements or data-related clauses this year, this should be a priority.

Even though the law hasn’t passed yet, Parliament has signalled a firm start date. This guidance gives the clearest picture yet of what compliance will require.

If you want to work out how these law changes will impact your organisation or how to incorporate these data requirements into your business, please reach out.