
Search Results


  • IPP3A – From May 2026, what changes for you?

    From 1 May 2026, a new Information Privacy Principle will apply in New Zealand. IPP3A will be added to the Privacy Act 2020 and requires businesses that collect personal information indirectly, not directly from the individual, to notify the person concerned.

    What must be notified? If you collect information indirectly, you must take reasonable steps, as soon as practicable, to make sure the person knows:

      • that their information has been collected
      • the purpose for the collection
      • the intended recipients (specific recipients, not just a class)
      • the name and address of the collecting and holding agency
      • any law authorising or requiring the collection
      • their rights to access and correct their information.

    When does it apply? IPP3A applies to all indirect collections made on or after 1 May 2026. It will not apply to information collected before that date.

    How long do I have to make the notification? Notification must be made as soon as reasonably practicable after collection. What is 'reasonable' depends on the circumstances. Sometimes this will mean immediate notification, for example during an online process. The OPC guidance also gives an example where notification is expected within three months. For each indirect collection, you will need to assess the timeframe and document your justification.

    Does it apply to processors? No. If your business is acting as a service provider or processor on behalf of another agency, you are not responsible for notification. The duty sits with the agency that decides how and why the information is collected and used.

    Are there exceptions? Yes. There are a range of situations where notification will not be required, many of them carried over from IPP3. IPP3A also adds some new exceptions that apply specifically to indirect collections. I will cover these in detail, with examples, in my next post.

    How wide is this? The scope is broad. IPP3A could apply to information such as credit reports, emergency contact details, referral letters, photographs, CCTV images, information drawn from social media or public registers, customer information purchased from a data broker, and referee details provided in recruitment.

    IPP3A represents more than a technical change. It signals a move toward stronger transparency and accountability. Agencies that prepare early will be better placed to meet their new obligations and to build trust by showing individuals exactly how their information is being used.

    If your business collects information from third parties, now is the time to get ready. At O’Brien Legal we can help you with the strategy for managing IPP3A, update your contracts and privacy notices, and ensure you have the right processes to document and justify any exceptions you rely on.

    This is not legal advice. If you want legal advice on the implications for your business, please contact me directly.

    IPP3A, Privacy Amendment Act 2025, Privacy Act 2020

  • When is fraud also a privacy breach?

    A finance business recently found itself under scrutiny after a fraud incident exposed significant gaps in its privacy practices, including a failure to notify the Privacy Commissioner as required under the Privacy Act.

    A caller pretending to be a customer was able to mislead staff, access the customer’s account, and make unauthorised changes and transactions. Not once, but multiple times. Even though the customer raised repeated concerns that someone was accessing and using their personal information, the business only treated it as a fraud issue.

    But here is the thing. If someone uses personal information to gain access to accounts, bypass security, and cause harm, it is not just fraud. It is a privacy breach too. The Privacy Commissioner ultimately found breaches of Principle 5 (security safeguards), Principle 8 (accuracy), and Principle 11 (unauthorised disclosure), and criticised the business for failing to recognise its obligation to report the breach.

    What can we learn from this?

      ▪️ Fraud and privacy often go hand in hand. Do not silo your response. Assess both.
      ▪️ Breach reporting is not optional. If there is a risk of serious harm, notify OPC promptly.
      ▪️ Identity verification is critical. Robust checks could have stopped this at the first call.
      ▪️ Internal training and procedures matter. Multiple opportunities to stop the breach were missed.

    Privacy obligations are not just a compliance exercise. They are essential to maintaining trust, protecting your customers, and safeguarding your business. If your business is in a high-risk sector or handles sensitive information, now is the time to review your privacy breach response plan and your staff training.

    Case reference: CE03162 [2025] NZPrivCmr2

    #PrivacyAct #NZPrivacyLaw #PrivacyBreach #FraudPrevention #FinanceCompliance #DataProtection #PrivacyTraining #CustomerTrust #OBrienLegal #PrivacyLawyerNZ

    Privacy Law: O'Brien Legal

  • Can you use employee photos for marketing? Not without clear consent

    A recent case from the NZ Privacy Commissioner, Case Note 329275 [2025] NZ Priv Cmr 2, is a timely reminder that good intentions do not always equal lawful use.

    A company took a photo of a short-term employee during their factory work. The employee believed the photo was for internal use only. Two years later, after they had left the country, they discovered their image was being used widely in public marketing, including on the side of the building, in shopping centres, and in the company’s annual report. The employee had not agreed to this. They were distressed. The Office of the Privacy Commissioner got involved.

    Even though the company believed it had consent, the Privacy Act is clear:

      ✅ You must tell people how their personal information (including images) will be used
      ✅ You generally cannot use it for a different purpose without further consent or a lawful basis

    The case was resolved through conciliation. The company apologised, reviewed its processes, removed the image, and paid compensation, including for psychological harm and legal costs.

    Key takeaway for businesses: If you want to use staff images for external purposes like marketing, be explicit and get informed consent. A vague or one-off agreement is not enough. If you are unsure what is reasonable or what needs to be documented, now is the time to tighten things up.

    #privacy #dataprivacy #marketingethics #NZlaw #privacyact #businessrisk #datagovernance #consentmatters #obrienlegal

  • The OPC’s draft Guidance on IPP3A is out and it’s clear, specific and operationally challenging

    From 1 May 2026, agencies that collect personal information indirectly will need to notify individuals, unless an exception applies. The draft guidance is open for consultation until 25 June 2025.

    What stands out is how clear the OPC is about what compliance looks like. For example, the Guidance states:

      ▶️ A bank is collecting the information and plans to send it on to a financial services company. The bank needs to tell the individual the name of the company it is sending the information to.... It’s not enough to only say the type or class of agency.

    This will require real operational change:

      ▪️ Organisations will need to have clear data lineage so they can identify the source of each data point and understand how it flows across systems.
      ▪️ Changes to any third party you collect data from or share data with may require updates to individual notifications.
      ▪️ Large organisations often rely on many third parties. This can result in long notification lists and frequent updates as relationships change.
      ▪️ These changes will affect not just privacy teams, but also legal, contracting, IT and data governance.

    The OPC also suggests that disclosing and collecting agencies make notification responsibilities part of their contracts. This means that if you are renegotiating third party agreements or data-related clauses this year, this should be a priority.

    Even though the law hasn’t passed yet, Parliament has signalled a firm start date. This guidance gives the clearest picture yet of what compliance will require. If you want to work out how these law changes will impact your organisation or how to incorporate these data requirements into your business, please reach out.

  • Privacy isn’t a roadblock. It’s protection. It’s prevention. It’s care.

    As a parent, it was heartbreaking to read how sensitive personal information was accessed and shared in ways that directly led to harm, including physical violence. And this is just a “snapshot” of what was reported. The reality is this: you can’t bolt privacy on after the fact. You need to build a culture that treats privacy as a layer of protection, not a layer of red tape. Without that mindset, even the best policies and procedures will fail. What stood out to me most was the quote that some social workers “hated” privacy and couldn’t see how it protected children. But privacy is protection. When you uplift privacy, you uplift the people you serve. You reduce harm. You build trust. I don’t doubt for a second that the people working at OT care deeply. This is not a failing of individual social workers. It’s a failing of the systems and policies that don’t reflect the true value of privacy or the very real harm caused when it’s breached. When privacy is treated as an admin task rather than a safeguard, the system breaks down and vulnerable people pay the price. Creating a privacy-aware culture is hard. But it’s possible and it’s essential. As lawyers, privacy professionals, and leaders, we need to show that privacy isn’t a compliance burden. It’s a tool to enable better, safer outcomes. Oranga Tamariki privacy breaches: Abused woman's file shared with father | RNZ News

  • Tariff Tension

    A few commercial clients have asked how to manage tariff risks in their contracts. Tariff uncertainty is creating real challenges for businesses, from rising costs to supply chain disruptions. Reviewing key contract terms now can help mitigate risk.

    Key provisions to review:

      • Force Majeure: May not cover tariffs unless clearly drafted.
      • Change in Law/Tax Clauses: Can adjust pricing or timelines if tariffs impact costs.
      • Termination Clauses: Consider exit options for tariff-driven price increases.
      • Pricing Terms: Define who absorbs tariff costs, supplier or customer.
      • Timelines & Performance: Address potential supply chain delays and liability.
      • Dispute Resolution: Ensure governing law and resolution mechanisms align with strategy.

    With trade conditions shifting, now is the time to review contracts and ensure they provide the right protections. If your business is facing these challenges, I’m happy to help.

  • Right to Repair in New Zealand – What Businesses Need to Know

    The Consumer Guarantees (Right to Repair) Amendment Bill has passed its first reading and is now open for public submissions. If passed, it would introduce new obligations for manufacturers and suppliers, ensuring consumers have better access to repairs and spare parts.

    The proposed changes would require manufacturers to:

      • Keep repair facilities and spare parts available for a reasonable period.
      • Provide consumers with repair information, software, and tools within 20 working days of a request.

    Other key proposals include:

      • A right for consumers to request a repair instead of a replacement.
      • An obligation on suppliers to complete repairs within a reasonable timeframe.
      • The ability to seek redress from manufacturers when goods fail to meet the new guarantee.
      • The repeal of section 42 of the CGA, which currently allows suppliers to refuse to provide repair facilities or spare parts if notified at purchase.

    While this bill is still in its early stages, all political parties have acknowledged the importance of discussing a Right to Repair regime.

    Given that regulatory change may be on the way, businesses should consider:

      • Reviewing their returns and repair policies to ensure compliance.
      • Submitting feedback on potential challenges, particularly for those sourcing goods from overseas manufacturers.
      • Staying informed on legal developments as discussions continue.

    Submissions are open until 3 April 2025.
