IPP3A privacy changes in NZ: what businesses need to know

IPP3A is now in force: what NZ businesses need to know about the new Privacy Act notification rule

Quick summary

From 1 May 2026, New Zealand organisations have a new Privacy Act obligation under Information Privacy Principle 3A, known as IPP3A.

IPP3A applies when your organisation collects personal information about someone from a source other than the person themselves. This is called indirect collection.

In practical terms, if your business collects information from third parties, referrals, business partners, public sources, recruiters, background checks, marketing lists, or other external sources, you may now need to notify the person that you have collected their information.

The deadline has passed. Compliance is required now.

What is IPP3A?

IPP3A is a new notification requirement under the Privacy Act 2020.

Under the existing IPP3, organisations already need to tell people certain things when they collect personal information directly from them. 

IPP3A extends a similar notification requirement to situations where personal information is collected indirectly, meaning from someone or somewhere other than the individual concerned. 

For example, IPP3A may apply if your organisation collects personal information through:

  • recruiter CVs

  • referee or reference checks

  • credit checks

  • customer referrals

  • purchased marketing lists

  • data shared by business partners

  • public websites or directories

  • supplier, contractor, or employee information provided by someone else

  • information passed on during a business sale or handover

This change matters because many organisations collect personal information indirectly without thinking of it as “privacy collection”. 

IPP3A is designed to give people greater transparency about who has their personal information, why it has been collected, and what they can do about it.

What’s the difference between IPP3 and IPP3A?

The key difference is where the information comes from.

IPP3 applies when you collect personal information directly from the person.

For example, someone fills out your contact form, applies for a job, signs up to your newsletter, completes an onboarding form, or gives you their details over the phone.

IPP3A applies when you collect personal information about someone from another source.

For example, someone refers a potential client to you and gives you their phone number. A recruitment agency sends you a candidate’s CV. A business partner shares a customer contact list. You buy a marketing database. You collect information from a public register.

In both cases, the person has privacy rights. The difference is that with indirect collection, they may not know your organisation has their information unless you tell them.

That is the gap IPP3A is intended to address.

Does IPP3A apply to information you already held before 1 May 2026?

No, not generally.

IPP3A applies to personal information collected indirectly on or after 1 May 2026. It doesn’t apply to personal information collected before that date.

However, that doesn’t mean organisations can ignore it.

If you’re still collecting information through the same channels after 1 May 2026, you need to understand where that information is coming from and whether IPP3A notification is required.

It’s also a good time to review your wider privacy documentation. 

Many existing privacy statements were written with direct collection in mind, such as website forms, email enquiries, newsletter sign-ups, and customer onboarding. They may not properly cover indirect collection under IPP3A.

What do you need to tell people under IPP3A?

If IPP3A applies, your organisation must take reasonable steps to make sure the person is aware of certain matters.

This includes telling them:

  • that their information has been collected.

  • the purpose of collecting it.

  • who the intended recipients are.

  • the name and address of the agency collecting the information.

  • the name and address of the agency holding the information.

  • whether the collection is authorised or required by law, and which law applies.

  • that they have the right to access and correct their information.

The Privacy Commissioner’s guidance says these steps must be taken as soon as reasonably practicable after the information has been collected, unless the person has already been made aware of the required matters. 

In other words, it is not enough to vaguely say, “We collect information from third parties.”

You need to think about what the person reasonably needs to know in the specific context.

What does this look like in real business situations?

IPP3A can show up in ordinary business activity. Here are a few practical examples.

Recruitment

If a recruiter sends you a candidate’s CV, or you collect information through reference checks, background checks, police vetting, or qualification checks, you may be collecting personal information indirectly.

You need to consider whether the candidate has already been told what will be collected, who it will be shared with, and how it will be used. If not, you may need to notify them.

Referrals

If an existing client refers someone to you and gives you their name, phone number, email address, or details about their situation, you have collected personal information from someone other than the person concerned.

You may need to tell that person that you received their information, why you have it, and what you intend to do with it.

Purchased marketing lists

If you buy or receive a marketing list, IPP3A is likely to be relevant.

You will need to consider whether the people on the list have already been told their information would be collected by your organisation, and whether you have evidence of that. Assuming they “probably know” is unlikely to be enough.

Credit checks and due diligence

If you collect information through a credit reporting agency, business partner, referee, public register, or other third party, you need to consider whether IPP3A notification is required.

This may apply in customer onboarding, supplier checks, tenancy-related processes, employment checks, lending, professional services, or commercial transactions.

Information from business partners

If another organisation shares personal information with you, both organisations need to understand who is responsible for telling the person what is happening.

In some cases, the first organisation may already have notified the person on your behalf. But if you rely on that, you should have evidence rather than an assumption.

Are there exceptions to IPP3A?

Yes. There are exceptions, but they need to be applied carefully.

For example, notification may not be required where:

  • the person has already been made aware of all the required matters.

  • the information is publicly available.

  • notification would not prejudice the person’s interests.

  • notification would prejudice the purpose of collection.

  • notification is not reasonably practicable in the circumstances.

  • notification would create a serious threat to public health or safety, or another person’s health or safety.

  • certain law enforcement, court, tribunal, national security, or public sector exceptions apply.

  • notification would disclose a trade secret or unreasonably prejudice someone’s commercial position.

The important point is this: exceptions are not a shortcut.

You need to be able to explain why an exception applies in the circumstances. If your reasoning is “it would take too long” or “the customer might not like it”, that is unlikely to be enough.

Why your current privacy statement may not be enough

Many organisations already have a privacy statement on their website.

That’s a good start, but it may not be enough for IPP3A.

A general privacy statement often focuses on the information people give you directly, such as contact forms, newsletter sign-ups, online enquiries, bookings, purchases, or account registrations.

IPP3A is different because it looks at information you collect about people when they may not be directly engaging with you.

That means your organisation may need to update more than the privacy statement on your website. You may also need to review:

  • recruitment processes

  • customer onboarding forms

  • supplier onboarding processes

  • referral processes

  • marketing list processes

  • CRM workflows

  • contracts with business partners

  • internal privacy procedures

  • staff training

  • privacy notices and email templates

  • data sharing arrangements

This is where many organisations will find gaps.

It’s not just a documentation issue. It is an operational issue.

The first step is understanding where your information comes from

Before you can comply with IPP3A, you need to understand where your organisation collects direct and indirect personal information from.

That usually means mapping your information flows.

But the value of data mapping is much broader than this one Privacy Act change. 

A good data map can also help you understand your privacy risk, improve internal processes, respond faster during a privacy breach, and quickly see which people, systems, and third parties may be affected.

If something goes wrong, you don’t want to be working out where personal information lives for the first time during a breach response.

What happens if you get IPP3A wrong?

If your organisation doesn’t comply with IPP3A, the risk isn’t just technical non-compliance.

People can make complaints to the Privacy Commissioner. Your organisation may need to respond to enquiries, explain your processes, justify why you did not notify someone, and show what steps you took.

There is also a reputational risk.

People are becoming more aware of how their information is collected, used, shared, and stored. If someone discovers your organisation has personal information about them and they were never told, that can quickly affect trust.

For many businesses, that loss of trust is the bigger issue.

Privacy compliance is not just about avoiding complaints. It is about showing people that your organisation handles their information transparently and respectfully.

What should organisations do now?

If you haven’t already prepared for IPP3A, now is the time to act.

Start by asking:

  • Do we collect personal information from anyone other than the person concerned?

  • Where does that happen in the business?

  • What types of information are we collecting indirectly?

  • Do people already know we are collecting it?

  • Can we prove they have been told the required information?

  • Do we need a separate privacy notice, updated wording, or a new process?

  • Are we relying on an exception, and can we justify that?

  • Does our current privacy statement reflect what actually happens in the business?

  • Do our staff know what to do when they receive personal information from a third party?

For many organisations, IPP3A won’t require a complete overhaul. But it will require careful thought.

The aim is to make sure your privacy practices match what is now required under the law and what people increasingly expect from organisations they choose to deal with.

Need help working out how IPP3A applies to your business?

IPP3A is now in force, and the compliance deadline has passed.

If your organisation collects personal information indirectly, you need to understand where that happens, whether notification is required, and what practical changes need to be made.

I can help you review your current privacy statement, map your indirect collection points, identify gaps, and work out what you need to do next.

If you are unsure how IPP3A applies to your organisation, get in touch and let’s have a conversation.