IPP3A is nearly in force – What agencies need to know

From 1 May 2026, agencies that collect personal information indirectly will need to comply with new Information Privacy Principle 3A (IPP3A). IPP3A was introduced by the Privacy Amendment Act 2025 and applies to personal information collected from 1 May 2026.

Now is the time for organisations to move from general awareness to implementation, if they haven’t already. As we’ve written about before, agencies need to know where indirect collection is happening, who is responsible for notification, which exceptions are genuinely available and what evidence they have to support their position.

What is IPP3A?

IPP3A is, in substance, the indirect collection counterpart to IPP3. If an agency collects personal information from someone other than the individual concerned, it must take reasonable steps, as soon as reasonably practicable after collection, to ensure the individual is aware of certain matters unless an exception applies.

The obligation under IPP3A sits with the agency collecting the information indirectly, not with the upstream party that disclosed it.

For most agencies, the immediate issue is how to operationalise IPP3A in day-to-day data flows. The checklist below is where agencies should focus.

1. Map indirect collection first

Start by identifying every point at which personal information is collected from someone other than the individual. That includes information received from group companies, customers, business partners, service providers, data brokers, public sources, family members and other third parties.

A threshold question is whether indirect collection is permitted under IPP2 in the circumstances. Only after that should the agency assess what notification is required under IPP3A.

In practice, for each indirect collection flow agencies should document:

• the source;

• the categories of information collected;

• the purpose;

• the recipients; and

• whether the agency has any usable contact mechanisms for notification.

Remember that section 11 of the Privacy Act 2020 still applies – if you are acting solely as a service provider on behalf of another agency in collecting and processing personal information, the principal agency remains responsible for any IPP3A obligation.

2. Assess whether exceptions apply

For each indirect collection, agencies should assess what notifications they currently make (if any) and whether any exceptions to compliance with IPP3A apply.

IPP3A imports the familiar IPP3 exceptions and also adds new indirect collection specific exceptions, including where the information is publicly available, where notification would prejudice New Zealand security, defence or international relations, where compliance would reveal a trade secret, and where notification would cause a serious threat to public health or safety.

This is a technical area, so agencies should consider taking legal advice. The main practical point is that exceptions must be substantiated. The guidance from the Office of the Privacy Commissioner (OPC) repeatedly points back to evidence, context and justification, and agencies should be ready to document why a particular exception applies in the actual circumstances of the collection.

The “previously been made aware” exception is likely to be relevant in many commercial data-sharing arrangements because indirect collection will often occur without direct access to an individual (and in some cases, several steps removed from direct collection). This is where privacy notices and contract chains matter. If the direct collector has clearly identified the downstream indirect collector and the relevant purposes in a way that satisfies IPP3A, the indirect collector may be able to rely on the “previously been made aware” exception.

It is not enough for the indirect collector to assume the upstream party has covered the issue. If an agency wants to rely on prior notification by another party, it should have good evidence that the earlier notice has made the individual aware of the specified matters. This includes being as specific as possible about who the indirect collector is. The OPC’s guidance indicates that this should include the name and address of the indirect collector, or equivalent contact details such as an email address or website. Broad wording such as sharing with “selected partners” is unlikely to give downstream recipients much comfort.

The “not reasonably practicable” exception should be treated with some caution. High volumes, legacy systems, administrative inconvenience or some additional cost will not by themselves make notification impracticable. However, the indirect collector is not expected to collect contact details solely for the purpose of notifying individuals. If an agency does rely on this exception, it should record what notification methods were considered, why they were not workable and what alternatives were explored.

The new “public availability” exception also should not be treated as a free pass. Agencies will need to question whether the information was genuinely publicly available in the statutory sense and whether the collection, use and downstream disclosure of that information remains justified under the rest of the Privacy Act 2020 framework.

3. Review the content of notices

The content requirements under IPP3A are substantially the same as under IPP3.

Individuals must be told:

• that the information has been collected;

• why it is being collected;

• who will receive it or the types of recipients;

• the name and address of the collecting agency and the agency that will hold the information;

• whether collection is authorised or required by law, and if so by which law; and

• the individual’s rights of access and correction.

Generic privacy language will not be enough. Purposes must be described clearly, and recipient descriptions should be as specific as reasonably possible. The OPC’s guidance does allow indirectly collecting agencies to describe classes or categories of recipients of the personal information collected where naming each one is impractical, but those descriptions still need to be specific about the type, sector, sub-sector and context of the recipients.

A practical step here is to update privacy notices, collection statements, onboarding materials, customer terms, portal disclosures and internal templates together rather than in isolation. IPP3 and IPP3A can usually be addressed in the same privacy documentation, provided the agency is clear about what it collects directly and what it collects indirectly.

4. Fix timing and delivery mechanisms

IPP3A allows notification after collection, but notice must be given as soon as reasonably practicable.

That is a context-driven standard, not a licence to wait until the timing is convenient. The OPC’s guidance indicates that agencies can take account of time, cost, technical constraints and resources, but system incompatibility on its own is not a satisfactory reason for delay. Agencies are urged by the OPC to build notification into the process of collecting information.

For operational purposes, agencies should decide now what their standard notification pathway will be for each indirect collection flow. That may include layered privacy notices. Where information is more sensitive, or where the possible impact on the individual is greater, the threshold for delaying notification becomes higher.

5. Use contracts to support compliance

For many agencies, IPP3A compliance will be supported in practice by contracting with another agency to provide the necessary notice. If an agency intends to rely on another party’s notice, the agreement should address that expressly.

At a minimum, agencies should consider clauses covering the following:

• The contractual allocation of responsibility to give compliant privacy notices. Whether the direct collector agrees to do this on behalf of the indirect collector may depend on whether the indirect collection is mutual.

• Warranties that compliant notices will be given, including notice that specifically identifies the downstream recipient where reliance on the “previously been made aware” exception is intended.

• A process for verification when that can’t be independently checked by the indirect collector e.g., rights to request evidence of compliance, including copies of notices.

• A process for updates when purposes or recipients change.

• Indemnities (or other remedies) where notification failures expose the indirect collector to loss or regulatory risk.

6. Build evidence, governance and training

Agencies should assume that IPP3A compliance will be judged not only by the final notice but by the quality of the underlying decision-making. That means keeping records – of indirect collection flows, notifications, exceptions relied on, decision rationales, review points and the person accountable for each process.

This shouldn’t sit only with legal or privacy teams. Training across the organisation should focus on identifying indirect collection, recognising when an exception may be contested and understanding that notification obligations cannot simply be outsourced without evidence and oversight.

Biometric processing and other high-sensitivity use cases warrant particular care, as we have written about before.

A practical implementation checklist

Agencies preparing for 1 May 2026 should be asking these questions:

• Have we identified all indirect collection flows across the organisation?

• For each flow, have we confirmed the lawful basis for collecting indirectly under IPP2?

• Do our current privacy notices clearly distinguish direct and indirect collection practices?

• Can we notify individuals ourselves, and if so, by what method and within what timeframe?

• If we intend to rely on an upstream party’s notice, do we have evidence that the notice specifically covers us and our purposes?

• If we intend to rely on an exception, have we documented why it applies and when that assessment must be revisited?

• Do our contracts allocate responsibility, require updated notices and give us enough information to justify reliance?

• Have we updated internal processes, templates and training so that we can remain IPP3A-compliant from commencement?

If your agency is preparing for IPP3A, our team can help you develop a practical implementation plan ahead of 1 May 2026.

‍