
  • When Privacy Goes Wrong, It Is Not Always a Data Breach: Lessons from a Recent Human Rights Review Tribunal Decision

    A recent Human Rights Review Tribunal ruling is a powerful reminder that privacy risks go well beyond data breaches and cyberattacks. The Tribunal found a New Zealand primary school unlawfully collected and misused highly sensitive medical information about a mother and her son, including details of past drug use and sex work. The information was used to form prejudicial views that shaped how the pair were treated. The result was humiliation, loss of dignity and real harm.

    For NZ businesses and organisations, this case illustrates something that often gets lost in privacy conversations. The biggest privacy risks are not always about hackers or lost laptops. They can be about collecting too much information, using it inappropriately, and allowing inaccurate or irrelevant information to drive decisions about people.

    What Happened: Privacy Misuse at a NZ School

    The case, DNO & BPQ v Board of TRS School [2026] NZHRRT 8, involved a NZ primary school that unlawfully collected and misused highly sensitive medical information about a mother and her son. In the boy's second week of school, a Starship community nurse provided copies of the mother's medical records to school staff during a meeting about the child's learning support needs. Auckland District Health Board later acknowledged the disclosure was wrong and formally apologised. The file included an 11-page child protection report containing sensitive medical, family and social history.

    The Tribunal found a senior teacher used this information to label the mother a "liar", a "meth addict" and a "street worker", and warned other staff that she was dangerous. The Tribunal determined the school should never have held this information. It found the medical records were used to form views that led to the mother and child being treated differently and poorly compared to others. The school was ordered to pay $29,100 in damages for humiliation, loss of dignity and harm.

    Privacy Risks Beyond Data Breaches: Why Over-Collection and Misuse Matter

    When most organisations think about privacy risk, they think about data breaches: cyberattacks, lost USB drives, emails sent to the wrong person. Those are real risks. But this case shows three other types of privacy harm that deserve just as much attention.

    Over-collection. The school held an 11-page medical file it had no business possessing. Under the Privacy Act 2020, IPP 1 requires that personal information only be collected for a lawful purpose connected to the agency's function, and IPP 4 says collection must not be unfair or unreasonably intrusive. Holding sensitive medical history about a parent's past goes well beyond what a school needs to support a child's learning.

    Inappropriate use. Even where information is lawfully held, IPP 10 limits how it can be used. Information collected for one purpose should not be repurposed to judge, label or discriminate against someone. In this case, medical records collected for child welfare purposes were used to form negative views about a parent and, by extension, her child.

    Access to incorrect or misleading information leading to bias and discrimination. The Tribunal found that the senior teacher cherry-picked from the records, drew inaccurate conclusions and dismissed later paediatric assessments showing the child was developing well. The Tribunal concluded the mother was deemed "less deserving of empathy" based on her past, and those views were likely shared with staff working with the boy. IPP 8 requires agencies to take reasonable steps to ensure information is accurate, up to date, complete, relevant and not misleading before using it. This case shows what happens when that principle is ignored. Incomplete or outdated information does not just create administrative problems. It can lead to biased treatment and real discrimination against the people it relates to.

    It is worth noting that the Tribunal found the school had actively collected this information, not merely received it. Even where information arrives without being requested, once an agency holds personal information, the Privacy Act still applies. The safest response to receiving personal information you did not ask for is to ask whether you should hold it at all.

    What Would Have Changed Under IPP 3A?

    This case arose in 2019. Had the new IPP 3A been in force, the school would have been required to take reasonable steps to notify the mother that it had collected her personal information from a third party. That single step could have surfaced the problem much earlier and potentially prevented the harm that followed. IPP 3A requires agencies that collect personal information indirectly to tell the individual concerned about the collection, including what was collected, the purpose, and their right to access and correct the information. IPP 3A comes into force on 1 May 2026. For any organisation that collects personal information from sources other than the individual themselves, this is a timely reminder to have notification processes ready.

    Internal Sharing and Access Controls

    One of the more troubling aspects of this case is how the sensitive information spread within the school. The medical records were shared among staff without any apparent controls on who could access them or why. The senior teacher shared her views about the mother with other staff, and those views shaped how the child was treated in the classroom and playground. This raises a practical question every organisation should be asking. Who in your business can access sensitive personal information? Is there any process for limiting that access to those who genuinely need it for their role? Without clear access controls and policies, sensitive information can easily move beyond the people who need it and into the hands of people who may misuse it, whether intentionally or not.

    The Cost of Denial

    There is one more lesson worth drawing from this case. The school repeatedly denied having received or holding the medical records. The Tribunal ultimately rejected those denials. The mother told the Herald she probably would not have gone to the Tribunal had the school acknowledged wrongly using the records. She said she probably would have accepted an apology and moved on. This is a pattern that plays out regularly. When organisations respond to a privacy complaint with denial or defensiveness, they often escalate a situation that could have been resolved early. A prompt, honest acknowledgement of what went wrong, a genuine apology and clear steps to prevent it happening again will almost always produce a better outcome than years of litigation. For the school, denial turned what could have been a difficult conversation into a Tribunal proceeding, public scrutiny and a damages award.

    What Regulators Are Signalling

    Privacy Commissioner Michael Webster has raised concerns about the broader risks of inaccurate information driving decisions, warning of inaccurate predictions, discrimination, unexplainable decisions, and lack of accountability. While he was speaking in the context of automated decision making, the principle applies just as strongly to human decision makers relying on outdated or irrelevant data. The Privacy Commissioner has also been vocal about the need for stronger enforcement tools, including a potential civil penalty regime. If that eventuates, the financial consequences of mishandling personal information could increase significantly. But even under the current framework, the Tribunal can award damages of up to $350,000. This case shows those consequences are not hypothetical.

    Practical Steps Worth Taking

    This case is a prompt for any organisation that collects personal information to ask some hard questions.

    Audit what you hold. Consider reviewing the personal information your organisation holds. Are you collecting more than you need? Are you holding historical information that is no longer relevant to your purpose?

    Limit access to sensitive information. Consider whether the right people, and only the right people, have access to sensitive personal information. Put clear policies in place about who can see what and why.

    Check how information is being used. It may be worth reviewing whether personal information is being used only for the purpose it was collected. Staff who have access to sensitive information should understand the boundaries on how it can be used.

    Think about accuracy and relevance. Before relying on personal information to make decisions about someone, consider whether the information is current, accurate, complete and relevant. Out-of-date or incomplete information can lead to biased and harmful decisions.

    Prepare for IPP 3A. If your organisation collects personal information from third parties rather than directly from individuals, make sure you have processes ready to notify those individuals by 1 May 2026.

    Respond well when things go wrong. If a privacy issue is raised, take it seriously. Acknowledging a mistake early, apologising and taking corrective action is almost always less costly than denial and litigation.

    Train your people. Privacy is not just a policy exercise. The people who handle personal information day to day need to understand their obligations. This case shows how a single staff member's misuse of sensitive records can cause significant harm and a costly legal outcome.

    Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz. This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.

  • Is Your Privacy Breach Notifiable? How NZ Businesses Should Assess "Serious Harm"

    A data breach has happened. Files were accessed. A laptop was stolen. An email went to the wrong person. The question every in-house team faces next is: do we need to notify the Privacy Commissioner? Getting this assessment wrong carries real consequences. Failing to report a notifiable privacy breach is an interference with privacy under the Privacy Act 2020. But over-reporting is not ideal either, as it can create unnecessary alarm and reputational risk. The key lies in understanding what the Act means by "serious harm", and how to apply that test under pressure.

    What Makes a Privacy Breach Notifiable in New Zealand

    Under Part 6 of the Privacy Act 2020, an organisation must notify both the Office of the Privacy Commissioner (OPC) and affected individuals if a privacy breach has caused, or is likely to cause, serious harm to any affected person. The trigger is not just whether a breach has occurred. It is whether it has caused, or is likely to cause, serious harm. That distinction matters. Not every breach meets the threshold. But many more do than organisations expect. The Privacy Commissioner has made clear that the expectation is to notify within 72 hours of becoming aware that a breach is notifiable. That leaves very little time to conduct the assessment, which is why having a framework ready before a breach happens is critical.

    How to Assess Whether a Breach Is Likely to Cause Serious Harm

    The Act does not define "serious harm." Instead, it sets out factors organisations must consider when making the assessment. These include:

    The nature of the information involved. Health data, financial details, and government identifiers are more likely to cause serious harm than a name or business email address.

    What action the organisation has taken to reduce the risk. If you have contained the breach quickly, encrypted the data, or confirmed it has not been accessed, that may reduce the likelihood of harm.

    Whether the information is protected by a security measure. Encrypted data that remains encrypted is less likely to cause harm than data stored in plain text.

    The nature of the harm that could result. This includes financial loss, identity theft, physical safety risks, psychological harm, and reputational damage.

    The Privacy Commissioner has indicated that organisations should err on the side of notifying. If there is genuine uncertainty about whether the threshold is met, it is generally safer to report than to stay silent.

    What the Manage My Health Inquiry Signals for In-House Teams

    The Privacy Commissioner's inquiry into the Manage My Health breach, announced in January 2026, is worth watching closely. The inquiry is examining the adequacy of security safeguards in place at the time of the breach, as well as the scale of data affected and whether certain communities were disproportionately impacted. This inquiry is being conducted under section 17(1)(i) of the Privacy Act. It signals that the Commissioner is willing to use formal inquiry powers where the breach involves sensitive data at scale. For in-house teams, the message is clear: the Commissioner is looking not just at what happened, but at whether the organisation was adequately prepared. The first phase of the inquiry is expected to report by 30 April 2026, and its findings may well set expectations for what "reasonable security safeguards" look like in practice.

    What the Privacy Commissioner Expects From Organisations

    The OPC's guidance makes several expectations clear. Organisations should have a breach response plan in place before an incident occurs. They should be able to identify and contain a breach quickly. And they should be ready to notify within 72 hours of determining the breach is notifiable. The Commissioner has also signalled a desire for stronger enforcement powers. In late 2025, the Commissioner stated publicly that the Privacy Act "needs further changes." While no legislative reform has been introduced yet, in-house teams should be aware that the regulatory direction is towards greater accountability, not less. The Human Rights Review Tribunal can award damages of up to $350,000 per affected person for interferences with privacy. That figure alone should prompt organisations to take the notification assessment seriously.

    Practical Steps Worth Taking

    Consider building a breach assessment framework now, before a breach occurs. A simple decision tree that maps the "serious harm" factors to your organisation's data types can save critical time during an incident.

    It may be worth reviewing your breach response plan to check it includes clear escalation paths, designated decision-makers, and template notification letters for both the OPC and affected individuals.

    Think about whether your team knows where your most sensitive personal information is held. If you cannot quickly identify what data was affected in a breach, your 72-hour clock becomes much harder to meet.

    Consider running a tabletop exercise with your team. Walking through a simulated breach scenario exposes gaps in your process that are easier to fix before the pressure is real.

    It may be worth seeking legal advice on your current breach readiness, particularly if your organisation handles health data, financial information, or large volumes of personal information.

    Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz. This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.

  • What the Bunnings Decision Means for NZ Businesses Considering Facial Recognition Technology

    Facial recognition technology is arriving in New Zealand retail, fast. Bunnings has announced it will roll out facial recognition technology in all 42 of its New Zealand stores, starting in Hamilton in April 2026. Briscoes is already trialling it. So is Rebel Sport. And behind the scenes, a landmark Australian tribunal decision has just reshaped how businesses everywhere should think about deploying this technology. If your business is considering facial recognition technology in New Zealand, or is already using any form of biometric processing, now is the time to understand what the rules require and where the real risks lie.

    What the Australian Tribunal Decided

    In February 2026, the Administrative Review Tribunal (ART) delivered its decision in Bunnings Group Limited and Privacy Commissioner [2026] ARTA 130. A bit of background. Bunnings deployed facial recognition technology in stores across Australia between 2018 and 2021. The system scanned the faces of everyone entering and compared them against a database of people who had previously engaged in violence, retail crime, or other harmful behaviour at Bunnings stores. The Australian Privacy Commissioner investigated and found Bunnings had breached several Australian Privacy Principles (APPs). Bunnings appealed.

    The ART's decision was mixed. It upheld three of the Privacy Commissioner's findings. Bunnings breached APP 1.2 by failing to implement appropriate practices, procedures, and systems around its FRT deployment. It breached APP 1.3 because its privacy policy made no mention of FRT at all. And it breached APP 5.1 by failing to give customers adequate notice that their faces were being scanned. All three of those findings stood.

    What the Tribunal did overturn was the finding that Bunnings had unlawfully collected sensitive biometric information without consent (APP 3.3). The Tribunal found that a "permitted general situation" under APP 3.4(b) and section 16A of the Privacy Act applied. In short, it was satisfied that Bunnings' deployment of FRT was a reasonable and proportionate response to a genuine threat, namely the prevention of serious retail crime and the protection of staff and customers from violence and abuse. In reaching that conclusion, the Tribunal assessed whether the FRT was a suitable and effective response to the problem of repeat offenders, whether there were comparable less privacy-intrusive alternatives available (it found there were not), and whether the privacy impact was proportionate to the benefits achieved. Bunnings succeeded on all three.

    On the risk assessment point, the Tribunal was pointed in its criticism. It found that Bunnings had taken "random enquiries and actions" rather than conducting the "formal, structured and documented" privacy risk assessment that a deployment of this kind required. The headline takeaway for businesses is this: even where a permitted general situation may apply, failing to be transparent about what you are doing, and failing to document your privacy assessment properly, are breaches in their own right.

    Why This Matters for NZ Businesses

    The ART decision is an Australian ruling applying Australian privacy law. It is not binding in New Zealand. But it is highly instructive, particularly now that Bunnings is actively rolling FRT out across its NZ stores and other retailers are following. The Biometric Processing Privacy Code 2025 came into force in New Zealand on 3 November 2025. It introduces 13 rules that apply specifically to biometric processing activities, replacing the corresponding information privacy principles under the Privacy Act 2020 for those activities. If you are already using biometric processing, your grace period to align with the new rules ends on 3 August 2026. The parallels between what the Australian Tribunal examined and what the NZ Code requires are striking.

    What the NZ Biometric Code Actually Requires

    Under the NZ Code, collecting and processing biometric information must be lawful, necessary, and proportionate to the privacy risks involved. Critically, organisations must genuinely assess whether a less privacy-intrusive alternative could achieve the same purpose just as effectively. If a swipe card or PIN could reasonably do the job, biometric processing may not be justified. Transparency requirements are explicit. Organisations must provide clear and conspicuous notice to individuals, including identifying the agency collecting the information, the intended recipients, and individuals' rights to complain to the Privacy Commissioner. For a retail setting, this typically means clear signage at entry points where capture is occurring. Safeguards must be adopted and documented before collection begins. The Code also requires organisations to consider the cultural impacts of biometric processing on Māori, which goes beyond a simple tick-box exercise.

    The NZ Privacy Commissioner's June 2025 inquiry into Foodstuffs North Island's FRT trial is also relevant context. The Commissioner found that Foodstuffs' trial complied with the Privacy Act, given the significant safeguards in place, including a tightly scoped watchlist, exclusion of children and young people, and deletion of 99.999% of facial images within one minute. But the Commissioner was clear that effectiveness alone does not justify FRT use. It must also be necessary and proportionate.

    A Distinctly NZ Risk: Accuracy, Bias, and Te Tiriti

    One issue the NZ Commissioner specifically flagged, and which does not feature as prominently in the Australian decision, is accuracy risk across New Zealand's diverse population. FRT systems trained primarily on overseas datasets may perform less accurately for Māori and Pacific peoples. This raises both a direct compliance risk under the Code and a broader reputational and equity concern that businesses operating in NZ need to take seriously.

    Practical Steps Worth Taking

    Before deploying any FRT or biometric system, complete a formal, structured, and documented privacy impact assessment. The ART decision makes clear that informal or ad hoc steps are not enough. The tribunal described Bunnings' approach as "random enquiries and actions", and that was not a compliment.

    Review your transparency and notice arrangements. Clear signage at entry points is a minimum. Think carefully about what you are telling people, when, and whether it actually gives them the information the Code requires.

    Document your assessment of less privacy-intrusive alternatives. It is not enough to have considered them in passing. Record why you concluded that biometric processing is necessary and proportionate for your specific purpose.

    If you are considering an FRT system, ask your vendor about its accuracy rates across different ethnicities, and specifically how it performs for Māori and Pacific peoples in the New Zealand context.

    If you are already using biometric processing, check whether the 3 August 2026 deadline applies to you, and map what changes are needed to align with the Code before that date.

    Get legal advice early, and be aware of the difference between legal advice and privacy consulting. A lawyer advising you on your biometric deployment can provide advice protected by legal professional privilege. That privilege can matter significantly if you later face a regulatory investigation or complaint to the Privacy Commissioner. Privacy consultants, however skilled, are not regulated professionals and cannot provide legally privileged advice. Where the stakes are high, that distinction is worth understanding.

    Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz. This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.

  • Updates from New Zealand's Privacy Commissioner

    Great to hear from Michael Webster, New Zealand's Privacy Commissioner, at the Buddle Findlay event a few weeks ago. He covered key privacy challenges, including:

    Recent breaches and lessons learned.
    IPP5 expectations: security and third-party sharing.
    Biometrics and the progress of the new Privacy Code.
    GDPR adequacy status and its implications.
    Employee browsing risks: a growing concern.

    On employee browsing, the Commissioner highlighted that this is an increasingly serious risk, especially for organisations handling highly confidential data. He noted that:

    This is a common type of privacy breach.
    It poses one of the greatest threats to workplace security.
    It's only a matter of time before employees in sensitive roles are targeted by organised crime.

    Clearly, this issue is high on the Office of the Privacy Commissioner's agenda. Now is the time for organisations to assess their risk exposure and address legal and compliance gaps. If this is a concern for your business, let's talk. #privacy #privacylawyer #dataprotection

  • Weak ID checks are not just a privacy gap, they are a business risk

    The Office of the Privacy Commissioner has highlighted a pattern of breaches across utilities including power, gas and broadband. The common theme is weak identity verification that made it easy for fraudsters to impersonate customers. The consequences were significant. Accounts were opened in the wrong person's name. Debt piled up and was sent to collections, damaging credit scores. Contact details were changed so that correspondence went astray. For many victims, the first sign of trouble was financial harm or service disruption.

    At the centre of the problem is over-reliance on basic data points such as name, date of birth or driver licence number. In an age where this information is readily available through social media, public records or historic data breaches, those checks are no longer sufficient. The Privacy Act requires agencies to put in place safeguards that are reasonable in the circumstances to prevent unauthorised access. What is reasonable will depend on the context, but utilities hold information that can be used as a stepping stone to wider fraud.

    Forward-looking providers are already lifting their standards. They are implementing multi-factor verification, requiring secure passwords or PINs, and using trusted identity verification services. These are not just compliance box ticks. They are essential measures to reduce customer harm and maintain market confidence.

    For boards and executives in the utilities and telco sector, the message is clear. Weak identity checks are no longer a minor operational gap. They represent a material risk to customers, compliance and brand trust. Now is the time to review and strengthen your processes before regulators, customers or competitors force your hand. If your organisation needs advice on responding to breaches or boosting your privacy program, I would be happy to help. Get in touch.

    Office of the Privacy Commissioner | Compliance comment - Utility providers' poor ID verification processes lead to customer harm #Privacy #DataProtection #OBrienLegal #PrivacyLawyer

  • Can pseudonymisation make personal data anonymous? Lessons for New Zealand from EDPS v SRB

    On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in European Data Protection Supervisor v Single Resolution Board (Case C-413/23 P, EU:C:2025:645). The Court addressed a question at the heart of modern data protection law: when pseudonymised data is shared, is it still personal data? For years, the assumption has been that pseudonymised data is always personal data, because the key to re-identification exists somewhere. This decision shifts that approach and brings nuance for data-driven sectors.

    Background

    The Single Resolution Board (SRB), an EU institution, invited affected shareholders and creditors to provide comments. To analyse those comments, the SRB sent them to Deloitte. Before sharing, the SRB replaced names with alphanumeric codes. Deloitte received only the coded comments and had no access to the re-identification key. Several stakeholders complained that the SRB's privacy notice had not mentioned Deloitte as a recipient. The European Data Protection Supervisor (EDPS) agreed, finding a breach of transparency obligations. The General Court overturned that decision, but on appeal the CJEU sided largely with the EDPS, providing detailed guidance.

    The Court's findings

    Personal opinions are personal data: The Court held that opinions and views, as expressions of a person's thoughts, necessarily "relate to" that person. No further analysis was required.

    A relative test for pseudonymised data: Pseudonymised data is not always personal data in all cases. Whether information is personal depends on whether re-identification is reasonably likely for the party holding it. For the SRB (which retained the key), the comments remained personal data. For Deloitte (which had no key and no realistic means of re-identification), the data could be considered anonymous. This confirms a contextual approach: the same dataset may be personal for one party but not for another.

    Transparency obligations remain with the controller: The duty to inform individuals about recipients is assessed at the time of collection and from the perspective of the controller. Controllers cannot avoid transparency obligations by pseudonymising data.

    Broader implications in Europe

    AI training: Data providers remain responsible for pseudonymised data, but AI developers who receive safeguarded datasets may, in some contexts, work outside GDPR.

    Contractual safeguards are critical: Organisations disclosing pseudonymised data must implement strict contractual terms prohibiting recipients from attempting re-identification. These clauses, combined with technical and organisational measures, are essential to reduce risk and support a contextual assessment that the data may not be 'personal data' in the recipient's hands.

    Transparency as a baseline: The ruling underlines that pseudonymisation is not a compliance shortcut. Privacy notices and governance documents must still identify recipients, even if the recipient cannot re-identify individuals.

    Why this matters for New Zealand

    New Zealand has traditionally taken a broad approach to identifiability. In Proceedings Commissioner v Commissioner of Police [2000] NZAR 277 (CRT) at 285, it was held that identifiability "can be made on the basis of a link identifying the individual, whether that link is obtained from the recipient's own knowledge or by other means." The Privacy Act 2020 reinforces this by including exceptions for agencies that believe information will not be used in identifiable form (for example, under IPPs 2, 3, 10 and 11). Those exceptions would be unnecessary if such information were not already treated as 'personal information'. In reality, not all forms of pseudonymisation are the same or provide the same level of protection. The actual interpretation may be context specific, particularly where pseudonymisation achieves a level of protection that is functionally equivalent to anonymisation.

    For New Zealand organisations, the implications include:

    Opportunity: This opens the door to more nuanced conversations (or legal challenges in Court) about whether pseudonymised data should always be captured by the Privacy Act. It could enable greater flexibility for innovation, particularly in AI and research.

    Contractual safeguards are critical: Agencies disclosing pseudonymised data should use contracts to prohibit re-identification and to set clear technical and organisational limits on how the data can be used. This will be key to arguing that data is effectively anonymous for the recipient.

    Uncertainty: It remains to be seen whether New Zealand courts would follow Europe's contextual approach or continue with the broader "if anyone can link it, it's personal" view.

    Either way, the message is clear: pseudonymisation can reduce risk, but it does not remove accountability. Transparency, governance, and contractual controls remain essential.

    Takeaway

    The CJEU's decision in EDPS v SRB is a turning point. It confirms that pseudonymisation can, in some contexts, push data into anonymity, but not for the original controller, and never at the expense of transparency. For New Zealand, it raises an important question: will our courts stick with the traditional broad definition of personal information, or align with Europe's risk-based, contextual approach? Either way, agencies handling data need to be prepared. If your organisation is exploring AI projects, marketing partnerships, or new ways to share information, now is the time to revisit your privacy notices, contracts, and governance frameworks. O'Brien Legal can help you design for innovation while staying compliant and transparent.

  • OPC Finalises IPP3A Guidance: What Changed and What Organisations Need To Do Before 1 May 2026

    The Office of the Privacy Commissioner (OPC) has released its final guidance on Information Privacy Principle 3A (IPP3A), setting a clearer and more practical path for compliance ahead of its commencement on 1 May 2026. The new guidance refines the draft released for consultation earlier this year, responding to strong feedback from both public and private sector organisations. The result is a more workable and balanced approach that recognises operational realities while maintaining a strong focus on transparency and individual rights.

    At its core, IPP3A requires agencies that collect personal information indirectly, meaning from someone other than the individual concerned, to notify that individual about the collection unless a specific exception applies. This principle represents a significant evolution in transparency under the Privacy Act 2020 and will affect most organisations that receive data through third parties, intermediaries, group companies or service providers.

    Key Changes in the Final Guidance

    1. Multiple Indirect Collectors

    The OPC now confirms that several agencies in a chain can each be an indirect collector. One agency can notify on behalf of others, but only where there is clear evidence of this arrangement and contractual responsibility is properly allocated. This clarification helps avoid duplication of notifications and highlights the importance of clear legal terms between data-sharing partners.

    2. Reasonable Steps Clarified

    The final guidance provides a structured checklist of what counts as reasonable steps when notifying individuals. Factors include the sensitivity of the data, potential impact on individuals and practicality in the specific context. The OPC encourages the use of layered or advance notices so people receive meaningful information without being overwhelmed.

    3. Recipients and Level of Detail

    Organisations can now, in some instances, describe categories of recipients instead of naming every recipient individually, as long as those categories specify the type, sector and location. This change will be a relief for many businesses. Under the draft guidance, naming each recipient could have created an unrealistic and costly compliance burden for complex or large-scale data flows. The OPC expects these categories to be as specific as reasonably possible about the recipient’s type, industry and location.

    4. Timing and Documentation

    Notification should occur as soon as reasonably practicable. The OPC expects agencies to document reasons for any delay and to embed notification into existing systems and processes such as onboarding, forms and data transfer workflows. This means compliance should be built into day-to-day operations rather than treated as a separate legal exercise.

    5. Exceptions Refined and Expanded

    The commercial exception now covers situations where notification would unreasonably prejudice the commercial position of either the supplier or the individual. Other exceptions have been clarified, including:

      • National security and international relations, which now includes relations with the Cook Islands, Niue and international organisations.
      • Public health and safety, where the OPC encourages organisations to delay notification where necessary rather than rely on the exception to avoid it entirely.

    These refinements show a more balanced approach between legitimate business, operational and safety concerns and the principle of transparency.

    6. Acting on Behalf

    The guidance explains when collection is considered direct under the PPPR Act, meaning IPP3 applies, and when it remains indirect. It includes examples of what reasonable steps look like when collecting through representatives or authorised agents.

    What Organisations Should Do Now

    The OPC’s final guidance makes clear that compliance will depend on preparation, documentation and collaboration across business, privacy and legal teams. The following steps will help build readiness ahead of May 2026.

    1. Review Existing Data Sharing Arrangements

    Identify all situations where your organisation receives personal information from another party. Review contracts and data sharing agreements to ensure responsibilities for notification, evidence and timing are clear. Each party should know who is notifying and how compliance will be demonstrated. If a third-party provider handles information on your behalf, your organisation remains responsible for meeting IPP3A obligations.

    2. Map Indirect Collection Points

    Create or update your data inventory to show where personal information comes from, how it moves between systems and teams, and where it leaves your organisation. This mapping provides the foundation for identifying where IPP3A applies and which exceptions may be relevant.

    3. Update Privacy Notices

    Ensure your privacy notices and public statements reflect the IPP3A requirements. Notices should include:

      • A clear statement that personal information may be collected indirectly.
      • Categories of recipients, including type, sector and location, where naming each one is not practicable.
      • The purposes for which the information is collected.

    Ensure the notice is accessible and consistent across platforms such as websites, forms and onboarding materials.

    4. Strengthen Governance and Accountability

    Maintain records of decisions on notification timing, reliance on exceptions and allocation of responsibility. A clear governance structure will support consistency, accountability and trust and provide an audit trail if the OPC reviews your practices.

    5. Integrate IPP3A into Procurement and Third Party Management

    Update procurement templates, outsourcing agreements and partnership frameworks to include IPP3A obligations. Contracts should specify:

      • Which party is responsible for notification.
      • Evidence or reporting required to demonstrate compliance.
      • How exceptions will be documented and reviewed.

    Embedding these terms early will reduce compliance risk and ensure clarity in multiparty data flows.

    Why This Matters

    The final IPP3A guidance strikes a strong balance between transparency and practicality while raising expectations for accountability and legal defensibility. Organisations that wait until 2026 risk finding that their current contracts, notices and governance frameworks are not sufficient to demonstrate compliance. By starting now, agencies can build a legally sound and operationally sustainable approach to indirect collection and notification that supports trust, efficiency and compliance in equal measure.

    How O’Brien Legal Can Help

    O’Brien Legal brings together expertise in privacy, data and commercial law. We help organisations prepare for IPP3A by reviewing contracts, updating notices and implementing governance frameworks that align with both the Privacy Act and business objectives. Our focus is on practical, evidence-based compliance that meets legal standards and works in real-world operations. For tailored advice or to arrange an IPP3A readiness review, contact us at www.obrienlegal.co.nz.

    Reference: OPC IPP3A Guidance Note, October 2025.

  • Australia Is Getting a Children's Online Privacy Code. Should NZ Businesses Be Paying Attention?

    Australia has just (31/03/2025) released its draft Children's Online Privacy Code for public consultation. The Code, developed by the Office of the Australian Information Commissioner (OAIC), sets out new rules for how online services handle children's personal information. Consultation closes on 5 June 2026, and the final Code must be registered by 10 December 2026.

    This matters for NZ businesses for two reasons. First, if you operate services accessible to Australian users, you may be directly caught. Second, New Zealand's Privacy Commissioner has been signalling a growing focus on children's privacy for some time. The question is no longer whether NZ will act, but when and how.

    What the Australian Children's Code Covers

    The Code applies to organisations bound by Australia's Privacy Act 1988 that provide online services likely to be accessed by a child. That includes social media platforms, messaging apps, video calling tools, online games with chat functions, streaming services, cloud storage, and even consumer Internet of Things devices like smart watches. The scope is deliberately broad. If a service is likely to be accessed by a child, the obligations apply. You do not need to be specifically targeting children.

    Key obligations in the draft Code include:

      • Best interests of the child as the primary test for decisions about children's data. Organisations would need to consider whether their data practices serve the child's interests, not just commercial objectives.
      • Privacy by default. Privacy settings must be set to the highest level by default. Geolocation, for example, would need to be switched off unless it is essential to the service and in the child's best interests.
      • Restrictions on profiling and marketing. Commercial profiling and targeted marketing directed at children would be restricted unless essential to the service and in the child's best interests.
      • Child-focused impact assessments. Organisations would need to carry out privacy impact assessments specifically considering the effects on children's data and rights.
      • Data deletion. Children may be given the right to request deletion of their data, and automatic deletion after periods of inactivity may be required.

    These are significant obligations. For businesses that have not previously thought about children as a distinct user group, the compliance effort could be substantial.

    What This Could Mean for NZ Businesses

    Even if your business operates only in New Zealand, there are good reasons to pay attention. The NZ Privacy Commissioner launched the Children's Privacy Project in September 2023. The Office released a report in April 2024 summarising findings from consultations with government agencies, professionals working with children, and non-governmental organisations. Since then, the OPC has released guidance on photography and filming involving children (May 2025) and education sector privacy guidance.

    Importantly, the Privacy Act 2020 already gives the Privacy Commissioner the power to issue codes of practice that become part of the law. A children's online privacy code is well within the Commissioner's existing authority. No legislative change would be needed.

    Privacy Commissioner Michael Webster has also been vocal about the challenges of protecting children online. He has raised concerns about social media age verification, warning that blanket bans on under-16s may push young people towards less regulated platforms with fewer safety controls. NZ is also progressing its own Social Media (Age-Restricted Users) Bill, which would require platforms to take reasonable steps to prevent under-16s from accessing accounts.

    The direction of travel is clear. Children's online privacy is a regulatory priority in NZ. Whether that leads to a dedicated code of practice, amendments to the Privacy Act, or sector-specific guidance, businesses that collect data from users under 18 should be thinking about this now.

    What Regulators Are Signalling

    This is not just an Australia and NZ conversation. The UK's Age Appropriate Design Code (also known as the Children's Code) has been in force since 2021, and the EU's General Data Protection Regulation already includes specific protections for children's data. Australia's Code is the latest in a global trend towards treating children's privacy as requiring specific, enforceable standards rather than relying on general privacy principles alone. The NZ Privacy Commissioner's sustained focus on children's privacy, combined with the existing power to issue codes of practice, suggests NZ may follow a similar path. The OPC has not yet announced a children's privacy code, but the groundwork has clearly been laid.

    Practical Steps Worth Taking

      • Consider whether your services are likely to be accessed by children. This is the threshold question under the Australian Code, and it is likely to be relevant in any future NZ framework. Think broadly. If your service does not actively exclude children, they may be using it.
      • Review your privacy settings and defaults. Are your default settings set to the highest privacy level? If not, consider whether "privacy by default" should be your standard approach, particularly for any service accessible to young users.
      • Assess your data practices through a "best interests" lens. Ask whether the data you collect from younger users is genuinely necessary for the service, or whether it serves primarily commercial purposes.
      • Check your data retention and deletion processes. Do you have a clear process for deleting data when requested? Do you retain children's data longer than necessary?
      • Keep an eye on the NZ Privacy Commissioner's next steps. The OPC's Children's Privacy Project is ongoing, and further guidance or regulatory action may follow.

    Every business is different, and whether these issues apply to you will depend on your specific circumstances. If you would like to talk through what this means for your business, I would love to help. Get in touch at rachel@obrienlegal.co.nz or visit obrienlegal.co.nz.

    This post is general information only and is not legal advice. If you have specific questions about your situation, please seek independent legal advice.

  • New Zealand’s New Legal Code for Biometric Processing: What Businesses Need to Know

    The Biometric Processing Privacy Code 2025 is now law under the Privacy Act. It introduces a specific and enforceable set of rules for any organisation in New Zealand using biometric technologies such as facial recognition, voice ID, fingerprints, or similar tools to identify, verify, or categorise individuals.

    Key Dates

      • The Code comes into force on 3 November 2025
      • Organisations already using biometric systems must comply by 3 August 2026

    This Code substitutes the 13 standard privacy principles with 13 targeted rules specifically designed for biometric information. It brings much-needed clarity and structure to the regulation of biometric technologies.

    What Has Changed?

    The Code introduces new legal thresholds for the collection and use of biometric data. Under Rule 1, biometric data must only be collected if:

      • It is for a lawful purpose connected to the organisation’s functions
      • It is effective at achieving that purpose
      • The same result cannot reasonably be achieved as effectively by another means that carries less privacy risk
      • The organisation has implemented appropriate privacy safeguards
      • The processing is proportionate, taking into account privacy risk and cultural impacts (including on Māori)

    These are not soft guidelines. Organisations must be prepared to evidence their decision-making and justify their use of biometric tools.

    Restrictions on High-Risk Uses

    The Code also restricts certain high-risk uses of biometric information, called "biometric categorisation". In most cases, organisations cannot use biometric data to infer or detect:

      • Emotions
      • Mental state
      • Fatigue or alertness
      • Health status
      • Age, sex, ethnicity, or other characteristics that may involve discrimination risks.

    These uses are only permitted in limited situations, such as for accessibility support or public safety purposes, and must still meet strict conditions.

    Transparency and Rights of Individuals

    The Code places a strong emphasis on individual rights and transparency. Organisations must clearly inform people:

      • That biometric data is being collected
      • The purpose for collection
      • Whether any alternatives are available
      • Their rights to access and correct their information
      • How long the data will be kept
      • How to raise concerns or make complaints

    These obligations apply whether the system is in full use or being trialled.

    What Your Business Should Do Now

    If your business currently uses or is considering the use of biometric systems, the following steps will help you prepare for compliance:

      • Review your biometric systems and clarify their purposes
      • Assess whether each use meets the legal thresholds of necessity, effectiveness, and proportionality
      • Document your assessment, including any less privacy-intrusive alternatives considered and your justification for proceeding
      • Consider cultural impacts, including specific risks or impacts for Māori
      • Review your data storage, disposal practices, and vendor arrangements
      • Update privacy notices, consent communications, and internal training
      • Seek legal advice, particularly where use is novel, high-risk, or involves sensitive decision-making

    O’Brien Legal supports businesses across New Zealand to navigate these new privacy obligations with clarity and confidence. If you would like a confidential discussion about how the Code applies to your organisation, please get in touch.

    #privacy #biometrics #NZprivacy #privacycode #dataprotection #facialrecognition #OBrienLegal #datagovernance #compliance #privacylawyer

    Image: Biometric Processing Privacy Code 2025 (this image is AI generated).

  • Privacy Act 2020 IPP3A is Coming — What Should Your Business Actually Do?

    A practical legal guide to what IPP3A means for your business, how to prepare, and how to keep compliance proportionate and defensible.

    From Principles to Practice

    Over the past few weeks, this series has unpacked what IPP3A is, why it matters, the exceptions and how it will change the way organisations collect, use and share personal information. These earlier posts are available here:

      • IPP3A – Why this amendment, and why now?
      • IPP3A – From May 2026, what changes for you?
      • IPP3A – The exceptions and what they mean for your business

    This final post brings it all together and looks at what your business can do now to prepare.

    As a lawyer who spends much of my time advising businesses on privacy and data, I see two common reactions to reforms like IPP3A. Some move quickly to get ahead of the change. Others wait, hoping it will be another regulatory update that never quite bites. Both are understandable. But the real question is not whether you do something. It is how much you need to do to be defensible when questioned, and to do the right thing by your customers and your staff. That is where proportionate, legally grounded preparation matters most.

    Why the Legal Lens Matters

    Privacy compliance is often treated as a policy, risk or IT exercise, but the real exposure usually lies elsewhere. For IPP3A, a large part of it sits in the contracts that define how information is shared, the supplier arrangements that determine who touches and uses the data, and the governance structures that decide who is accountable when something goes wrong.

    The New Zealand Privacy Act 2020 does not carry the same financial penalties as overseas regimes such as the GDPR or the Australian Privacy Act. However, reputational harm can be significant. Being publicly called out by the Privacy Commissioner or finding your organisation on the front page of the newspaper is not an experience most businesses would choose.

    What IPP3A really demands is transparency and alignment between what your business says and what it does. It requires a clear understanding of where your data comes from, how it is collected, and what people are told about it. This is where legal advice becomes critical. The law expects businesses to be able to explain and justify their actions. Legal guidance helps you move beyond checklists and templates to decisions that are proportionate, commercially practical, and defensible when questioned.

    What Businesses Need to Do Now

    There are five key areas every business should focus on.

    1. Transparency

    The draft guidance for IPP3A makes it clear that transparency is at the heart of compliance. Your privacy policy and notification processes must now do more than describe the type or class of personal information collected. They must identify, wherever possible, the specific source of that information. If your organisation collects personal information indirectly, your privacy policy should name the business or organisation that supplied it. For example, if you obtain information from a credit reporting agency or marketing data provider, you should name that company and, where feasible, include a link to its website. Generic descriptions such as “third party suppliers” or “data partners” will no longer be sufficient.

    Your policy should also explain what information was collected, how it is used, and who it may be shared with. The aim is for individuals to understand how their information came to you and what will happen to it next.

    You need a process to ensure the policy remains accurate over time. This can be achieved through an annual review cycle or a trigger-based process that requires a review whenever new data sources, suppliers or collection methods are introduced. The important thing is that your privacy statement always reflects current practice, not what used to occur.

    Timing of notification is also critical. The Office of the Privacy Commissioner’s draft Guidance expects notification to occur as soon as reasonably practicable after the information has been collected. In practice, this requires a judgment call. Your decision on when and how to notify individuals should be proportionate and documented, taking into account the nature and sensitivity of the information, what you already know about the individuals concerned, the cost and effort involved, and the most effective way to communicate the notice.

    Getting this right is not just a compliance exercise. It demonstrates accountability and respect for the people whose information you hold. A well written and actively maintained privacy policy should give individuals a clear, accurate and timely understanding of how their data reaches you and how you handle it.

    2. Contracts

    Your contracts are where IPP3A obligations become enforceable. Review all agreements involving personal information, including supplier contracts, marketing partnerships, data sharing arrangements and cloud or software agreements. Update clauses to clarify how notification obligations under IPP3A will be met where personal information is collected indirectly.

    Under IPP3A, there is an exception where individuals have already been made aware of the collection by the third party that gathered their information directly. In practice, this will be one of the most commonly relied on exceptions, as many organisations will depend on their suppliers or partners to have met the notification requirement. If your business intends to rely on this exception, the contract must make that reliance explicit. A general understanding or assurance is not enough. Include clear, precise wording that allocates responsibility and confirms that the third party has met, or will meet, its obligation to notify affected individuals of the indirect collection by your business, including your business’s name and address.

    You should also ask suppliers to confirm that their processes support these obligations and keep a record of your legal reasoning for any proportional or risk based approach you adopt. Strong contracts demonstrate that privacy risks are being managed as part of your commercial framework, not left to assumption.

    3. Awareness

    Policies and contracts only work when people understand them. Your staff need to know what IPP3A means in practice, including who collects what, who informs individuals, and what to do when something changes. Communicate the new obligations across your organisation, particularly to those handling customer data, employee data, managing suppliers or approving marketing activity. Refresh training materials and keep records of completion. Encourage a culture where staff pause and ask questions before bringing in new data sources or tools. It is far easier to fix a privacy issue before it happens than after.

    Awareness is where policy turns into behaviour. It is the difference between compliance on paper and compliance in practice.

    4. Mapping

    You cannot manage privacy risks if you do not know where your data comes from or where it goes. Create a straightforward map of your data sources, including indirect and third party inputs. Record what is collected, from whom and why. Review the map regularly as suppliers and systems change. Data mapping gives you visibility, and visibility gives you control.

    5. Change

    Many privacy issues arise not in steady state but when something changes. When you change suppliers, add a system, or expand how data is used, privacy considerations can easily be overlooked. IPP3A obligations should be incorporated into your Privacy Impact Assessment process so that indirect collection and notification requirements are considered whenever new initiatives are reviewed.

    You should also ensure that you have the right triggers in place. Build these into your procurement, IT and project management workflows so that any new system, data source or partnership automatically prompts a privacy review. This does not need to be complicated. Even a short checklist or sign-off step can identify most issues before they occur. What matters is consistency. Involve legal early, not after the contract is signed or the tool is live.

    Change management is the thread that keeps compliance together. Without it, even the best privacy frameworks can quickly fall behind.

    The Cost of Doing Nothing

    Because the Privacy Act’s financial penalties are low, many organisations assume the risk is minimal. It is not. The real costs lie in the loss of customer trust, the disruption of an investigation or breach and the urgent remediation that follows. Being named publicly by the Privacy Commissioner can cause lasting reputational damage. The businesses that fare worst are not those that make mistakes but those that cannot show a structured, reasonable response.

    Proportionate and Defensible Compliance

    IPP3A does not expect perfection. It expects reasonableness and accountability. In practice, most businesses are not looking for a gold plated or overly engineered approach. They want to be compliant, meet their legal obligations, and do the right thing by their customers and staff. The goal is to demonstrate that the organisation has understood its risks, taken proportionate steps to address them, and can explain and evidence those decisions if questioned.

    A proportionate, defensible approach is built on three things: knowing your risks, documenting your reasoning, and being able to show why the actions you took were fair, reasonable and aligned with the Privacy Act. This is where good legal advice adds real value. It translates broad privacy principles into tailored, commercially workable steps that fit the size, structure and risk profile of your organisation. It helps you achieve compliance that is both practical and principled, robust enough to stand up when tested without overburdening the business.

    Board and Leadership Accountability

    IPP3A readiness is not just a compliance exercise. It is a governance responsibility. Boards should treat privacy as part of their duty to manage organisational risk. Directors should be asking:

      • Do we know where our personal information comes from?
      • Have we reviewed our contracts and privacy policies?
      • Do staff understand their responsibilities?
      • Do we have a plan if something goes wrong?

    Being able to answer those questions and show evidence of oversight is now a hallmark of sound governance.

    How I Help

    At O’Brien Legal, I offer a one stop privacy service that combines privacy law, commercial contracting and privacy compliance. This means my clients can manage every aspect of their privacy obligations through a single, integrated legal partner. I help businesses develop privacy frameworks that are both legally robust and commercially workable. My focus is on practical, proportionate solutions that protect your organisation, meet legal requirements and make sense in day to day operations.

    I support clients with:

      • Drafting and updating contracts and commercial agreements to reflect IPP3A obligations and clearly allocate privacy responsibilities.
      • Reviewing and rewriting privacy policies and internal frameworks to meet the new transparency requirements.
      • Designing defensible action plans to implement IPP3A efficiently and proportionately.
      • Creating board reporting templates, accountability maps and leadership briefings to demonstrate governance oversight.
      • Embedding supplier and change management processes with built in IPP3A triggers.
      • Conducting Privacy Impact Assessments and preparing PIA templates and guidance materials that can be used across the business.
      • Providing breach response advice and supporting businesses through investigations or notifications.

    You do not always need a large compliance project to meet IPP3A. What matters is a coordinated framework that integrates privacy law, commercial contracting and operational compliance. Whether you are building a full privacy programme or refining existing processes, the goal is to create an approach that is proportionate, defensible and aligned with your business.

    Final Thoughts

    IPP3A is more than a technical amendment. It signals a shift toward greater accountability in how businesses handle personal information. It is also more work than many people realise. Understanding your data flows, updating contracts and privacy statements, and building change management processes all take time. It is far better to start now and ensure your business is ready before May 2026, when these changes come into effect.

    While New Zealand’s privacy law may lack financial teeth, the reputational and operational impacts of getting it wrong are real. The good news is that compliance can be proportionate, practical and strategic when led through a legal lens. If you want to understand what good looks like and how to make it defensible, now is the time to start.

    Image: Privacy Act 2020, IPP3A Amendment

  • IPP3A – The exceptions and what they mean for your business

    In my previous posts I’ve covered:

      • IPP3A – Why this amendment, and why now?
      • IPP3A – From May 2026, what changes for you?

    Image: Privacy Act 2020

    In this article, I want to look more closely at the exceptions to IPP3A, when notification is not required, how the Office of the Privacy Commissioner (OPC) expects organisations to apply them, and what this means in practice.

    The rule and the exceptions

    From 1 May 2026, if your business collects personal information indirectly (not from the person themselves), you must notify that person unless an exception applies.

    Full list of IPP3A exceptions

    Notification is not required if:

      • The individual has already been made aware
      • The information won’t be used in an identifiable form
      • The information is used for research or statistics and publishing won’t identify the individual
      • Non-compliance wouldn’t prejudice the individual’s interests
      • The information is already publicly available
      • Telling the individual would prejudice the purpose of the collection
      • Telling the individual is not reasonably practical in the circumstances
      • The agency is assessing whether information is of enduring public value for archiving, and compliance would seriously impair that purpose
      • Compliance would prejudice New Zealand’s (or associated territories’) security, defence, or international relations
      • Compliance would reveal a trade secret
      • Telling the individual would cause a serious threat to public health or safety, or to another individual’s health or safety
      • Non-compliance is necessary for: maintenance of the law; enforcement of the law that imposes a pecuniary penalty; protection of public revenue; conduct of court or tribunal proceedings.

    How to apply the exceptions

    The OPC’s draft guidance makes it clear that notification is the default and exceptions should be applied cautiously. Agencies are expected to be able to justify any decision not to notify. Some of the key points are:

    1. Start with notification as the rule

    Agencies must be able to show they actively considered notifying. Exceptions are not intended to be used as shortcuts or loopholes.

    2. “Not reasonably practical” is a narrow test

    Cost, inconvenience or administrative burden are not enough on their own. Cost may be relevant only if it is truly disproportionate to the benefit of notifying. The more sensitive or extensive the personal information, the greater the expectation that you will make efforts to notify.

    3. Systems or processes are no excuse

    Incompatible technology, outdated systems, or poor processes are not valid reasons to avoid notification. Agencies are expected to plan for how they will meet IPP3A requirements and build notification into system design.

    4. Lack of contact details is not the end of the story

    If you do not hold contact details, or you reasonably believe they are out of date, you are not required to collect them solely for notification. However, you should still consider other steps such as:

      • Posting a public notice (for example, on a website or social media page)
      • Using a channel reasonably accessible to the affected individuals.

    The OPC provides examples of when public notices may be appropriate, and when direct notification is still required.

    5. Exceptions are not “blanket permissions”

    Even where an exception applies, agencies should consider whether partial notification is possible. For example, you may not be able to contact every individual, but you could notify a significant proportion.

    6. Consider timing

    The obligation is to notify “as soon as reasonably practicable.” If you delay notification to avoid prejudicing an investigation, you should revisit the decision once the risk has passed.

    7. Sensitive vs non-sensitive contexts

    Sensitive information (health, biometrics, children’s data) will almost always demand higher notification efforts. Large-scale collections raise the threshold for relying on exceptions. Information scraped from public sources may appear low-risk, but if used in sensitive ways, expectations to notify will increase.

    8. Transparency beyond compliance

    Even if an exception technically applies, think about customer expectations and trust. In some cases, notifying voluntarily may be the safer commercial decision.

    9. Document your reasoning

    If you rely on an exception, keep a clear record of your decision and why. This provides:

      • An audit trail for the OPC
      • Evidence to stakeholders that you are applying IPP3A responsibly
      • Protection against claims of careless or opportunistic non-compliance.

    10. Build into governance and contracts

    Incorporate IPP3A exception assessments into privacy impact assessments (PIAs) and data governance processes. Ensure contracts with third parties clarify who is responsible for notification and how exceptions will be assessed.

    11. Monitor evolving practice

    IPP3A is new. The OPC’s decisions, guidance updates, and emerging case studies will shape how exceptions are applied in practice. Agencies should keep policies under review and be ready to adjust.

    Why this matters for your business

    IPP3A significantly raises the bar for transparency in New Zealand. The exceptions balance important interests such as law enforcement, national security, and practicality, but they are narrow and fact-specific. For businesses, the key message is simple: Assume notification will be required. Only rely on an exception where it clearly applies and you can defend that position. Applying IPP3A carefully, and keeping good records, will not only reduce legal risk but also help build and maintain trust with customers, staff, and regulators.

    This is not legal advice. If you want legal advice on the implications for your business, please contact me directly.

    Image: Notification under IPP3A (Privacy Act 2020)

  • IPP3A – Why this amendment, and why now?

    From 1 May 2026, a new Information Privacy Principle will apply in New Zealand: Information Privacy Principle 3A (IPP3A) under the Privacy Act 2020. This change comes through the Privacy Amendment Act 2025, which was passed in September.

    IPP3A introduces a requirement for organisations that collect personal information indirectly (that is, not directly from the individual concerned) to notify that individual, unless a specific exception applies. The amendment was presented as a way to strengthen transparency in New Zealand’s privacy framework and to bring us into closer alignment with international standards. But was it really necessary, and what does it mean in practice for businesses?

    Harm vs benefit

    The case for IPP3A is that people should know when their information has been collected, even if they were not the source. Without this transparency, individuals:
    • lose visibility of where their information is held and how it is used
    • cannot easily exercise their rights of access and correction
    • may be blindsided if their information surfaces in an unexpected place
    • may lose trust in organisations and systems that handle their information
    • are more vulnerable if inaccurate information is passed along without their knowledge

    These are important concerns in a world where data flows quickly and often invisibly, particularly with the growth of digital platforms, data brokers, and AI systems that draw on large data sets.

    On the other hand, the reality in New Zealand has been somewhat different. Many agencies already addressed indirect collection in their privacy notices, and whole sectors had established processes for handling referrals or third-party data fairly. The absence of a strict legal requirement has not generally been seen as a major gap in our privacy framework, particularly when compared with other missing rights such as a general right to erasure, a right to data portability, or stronger limits on automated decision-making. In many day-to-day contexts, indirect collection was accepted as a practical reality and not a point of significant public concern.

    As a result, while IPP3A addresses a real principle of transparency, the actual level of harm it is intended to fix in the New Zealand context is debatable.

    International comparison

    Looking abroad, we see that IPP3A is not groundbreaking but rather New Zealand catching up with global peers.
    • GDPR: Articles 13 and 14 expressly require notification when data is collected indirectly, with some exceptions.
    • Australia: The Privacy Act requires organisations to take reasonable steps to notify individuals when information is collected from third parties.

    By adding IPP3A, New Zealand aligns itself more closely with these standards. The change also helps protect New Zealand’s EU adequacy status, which is critical for the continued free flow of data with Europe, and therefore for trade, particularly in sectors that rely heavily on cross-border data transfers.

    Business lens

    The real challenge for organisations will be implementation. The OPC’s guidance on IPP3A sets a high bar. Agencies are expected to carefully review what information is collected, why, from whom, and who it will be shared with, and then communicate that clearly to individuals. This is much more than a tick-box exercise.

    Concerns raised in submissions on the Bill included:
    • Duplication of notices where multiple agencies are involved in a transaction or referral
    • Notice fatigue, where individuals are inundated with repetitive information they are unlikely to engage with
    • Unclear responsibility for compliance in multi-agency or contractual arrangements
    • Significant compliance costs, particularly for small and medium-sized enterprises

    Meeting these expectations will require many organisations to uplift their overall privacy programmes. That may involve:
    • stronger governance and clearer internal accountability
    • updated external privacy notices and internal policies
    • better record-keeping and data inventories
    • privacy by design practices in new systems and projects
    • reviewing and updating contracts with third parties to allocate responsibilities

    For larger organisations with existing privacy teams, this may be an extension of work already underway. For smaller businesses, however, the change could represent a significant new compliance burden.

    There is real value in lifting privacy maturity across the board, and in the long term these changes may improve trust and resilience. But the timing is challenging. In the current New Zealand market, many businesses are under financial pressure, and taking on a significant compliance cost without a clear benefit or direct link to revenue will be a hard ask. Careful planning will be needed to meet the standard without over-investing in processes that deliver little commercial return.

    This is not legal advice. If you want legal advice on the implications for your business, please contact me directly.

    *Flowchart from www.digital.govt.nz

    #Compliance #BusinessRisk #PrivacyLaw #DataProtection #NZLaw #IPP3A