Introduction
New Zealand is modernising its privacy framework. The Privacy Amendment Bill adds significant obligations for agencies collecting personal information from sources other than the individuals themselves. These changes are a response to gaps identified by the European Commission during New Zealand’s adequacy assessment and are designed to enhance transparency and strengthen individuals’ control over their data.
A new Information Privacy Principle 3A (IPP 3A) that brings indirect collection into sharper focus. Here's what organisations need to know.
IPP 3A
Under the current Privacy Act 2020, agencies are required to notify individuals when collecting their personal information directly. However, there has been no equivalent requirement for indirect collection until now. IPP 3A introduces a legal obligation to notify individuals when their personal information is collected indirectly. This means that if your organisation obtains data from a third party, e.g a data broker, partner agency, or another platform, you may need to inform the affected individuals unless an exemption applies.
Notification must include:
- The fact of collection,
- The purposes of the collection,
- Intended recipients,
- Name and address of the collecting agency and the agency that holds the information,
- Legal basis for collection (if any), and
- Rights of access and correction (IPP 6 and 7 rights).
An agency will be required to inform an individual as soon as reasonably practicable after the information has been collected. If the individual is already aware of this information, notification is not required. This mirrors the requirements for direct collection under IPP 3 but now applies to the entire data ecosystem.
Exceptions
IPP 3A includes the same exceptions as IPP 3 and adds four new ones. Notification may not be required if:
- The data is publicly available,
- Notification would harm national security or international relations,
- It would reveal a trade secret, and
- Notification would cause a serious threat to public health, safety, or the safety of another individual.
Agencies will need to document the grounds for relying on these exceptions and ensure those decisions can be justified if challenged.
Effective Date
- Part 1 (including IPP 3A) will now take effect on 1 May 2026, allowing a 6-month implementation period from the original date.
- Part 2 (technical amendments) will take effect the day after Royal Assent.
- Agencies should prepare for the transition now and ensure their internal processes are ready to support notification obligations by the 2026 deadline.
The Office of the Privacy Commissioner (OPC) is currently developing guidance, with resources expected well before commencement.
Other Amendments under the Bill
The Bill also includes several technical amendments to improve clarity and functionality:
- IPP 7 requests: Clarified responsibilities when requests are transferred to another agency
- The Bill updates the language in section 63 to clarify how agencies must handle correction requests when they are transferred between agencies. Currently, agencies must respond to correction requests under IPP 7 within 20 working days. However, the amendment ensures this timeline only applies when section 62 (which deals with transferring requests) does not apply.
- Refusal grounds for access: Expanded protections for individuals under 16 and those in custody.
- The amendments now allow agencies to deny access if releasing the information could negatively impact the well-being of a child (defined as anyone under the age of 16), whether that child is the requester or another individual mentioned in the information. Similarly, agencies can refuse access if releasing the information could jeopardize the safe custody or rehabilitation of someone who is currently or has previously been detained.
- International adequacy evaluations: Enables the Privacy Commissioner to assess privacy protections by blocs of countries, not just individual nations.
- Terminology updates for consistency across the Act.
- Exemptions: IPP 3A will not apply to intelligence agencies, personal/domestic affairs, or pre-1 June 2025 data collected under approved information-sharing agreements.
Compliance Steps
1. Map Your Data Collection Practices
Identify where personal information is collected indirectly. Understand your data flows, especially in partnerships, affiliate networks, and data enrichment processes. Your organization should create a register of your agency’s personal information collections and:
- Identify which are direct and which are indirect.
- For indirect collections, determine whether the following “primary exceptions” apply:
- The individual is already aware
- The data will only be used in a non-identifiable form
- The data will be used solely for research or statistics (with no identifying publication)
If these don’t apply, test for the other exceptions, such as security or public safety risks.
2. Use the IPP 3A Notification Flowchart
To determine whether notification is required under the new IPP 3A obligations, agencies should refer to the decision-making flowchart provided by the OPC. The flowchart offers a step-by-step guide to assessing whether your agency needs to notify individuals after collecting their personal information indirectly. This resource will help ensure you apply the right exceptions, timelines, and content requirements when indirect collection occurs.
3. Update Your Privacy Notices
Prepare layered privacy notices or indirect collection notifications tailored for these contexts. Consider digital delivery options (e.g., email, app, dashboard alerts).
4. Review Vendor Agreements
Ensure third-party data-sharing arrangements allow you to meet your notification obligations or shift the obligation upstream if feasible.
