Introduction
New Zealand has modernised its privacy framework with the Privacy Amendment Act 2025 (Amendment Act), which received royal assent on September 24, 2025. The Amendment Act has already introduced several changes, with most of the amendments taking effect immediately. However, a key element, the new Information Protection Principle (IPP) 3A, will not be fully implemented until May 1, 2026.
The Amendment Act also adds significant obligations for agencies collecting personal information from sources other than the individuals themselves. These changes are a response to gaps identified by the European Commission during New Zealand’s adequacy assessment and are designed to enhance transparency and strengthen individuals’ control over their data.
Here's what the organisations need to know.
IPP 3A
Previously, agencies were required to notify individuals when collecting their personal information directly and there was no equivalent requirement for indirect collection. . However, as per the Amendment Act’s IPP 3A, controllers are required to notify individuals when their personal information is collected indirectly. This means that if your organisation obtains data from a third party, e.g a data broker, partner agency, or another platform, you may need to take reasonable steps to inform the affected individuals unless an exemption applies.
Notification must include:
- That the information has been collected,
- The purposes of the collection,
- Intended recipients,
- Name and address of the collecting agency and the agency that holds the information,
- Legal basis for collection (if any), and
- Rights of access and correction (IPP 6 and 7 rights).
An agency will be required to inform an individual as soon as reasonably practicable after the information has been collected. If the individual is already aware of this information, notification is not required. This mirrors the requirements for direct collection under IPP 3 but now applies to the entire data ecosystem.
Exceptions
IPP 3A includes the same exceptions as IPP 3 and adds four new ones. Notification may not be required if:
- The data is publicly available or is being collected by galleries, libraries, archives, and museums for public interest archiving,
- Notification would harm national security or international relations,
- It would reveal a trade secret, and
- Notification would cause a serious threat to public health, safety, or the safety of another individual.
Agencies need to document the grounds for relying on these exceptions and ensure those decisions can be justified if challenged.
Effective Dates
- Part 1 (including IPP 3A) will now take effect on 1 May 2026, allowing a 6-month implementation period from the original date. It is important to note that IPP 3A will apply exclusively to personal information collected on or after May 2026. Any personal information gathered before May 1, 2026, will not be subject to the requirements of the new IPP 3A
- Part 2 (technical amendments) took effect on 24 September 2025.
- Agencies should prepare for the transition and ensure their internal processes are ready to support notification obligations by the 2026 deadline.
The Office of the Privacy Commissioner (OPC) is currently developing guidance, with resources expected well before commencement.
Other Amendments under the Amendment Act
The Amendment Act also includes several technical amendments to improve clarity and functionality:
- IPP 7 requests: Clarified responsibilities when requests are transferred to another agency
- The Amendment Act updates the language in section 63 to clarify how agencies must handle correction requests when they are transferred between agencies. Previously, agencies were required to respond to correction requests under IPP 7 within 20 working days. However, the Amendment Act ensures the 20-working-day response timeline only applies when section 62 (which deals with transferring requests) does not apply.
- Refusal grounds for access: Expanded protections for individuals under 16 and those in custody.
- The Amendment Act allows agencies to deny access if releasing the information could negatively impact the well-being of a child (defined as anyone under the age of 16), whether that child is the requester or another individual mentioned in the information. Similarly, agencies can refuse access if releasing the information could jeopardize the safe custody or rehabilitation of someone who is currently or has previously been detained.
- International adequacy evaluations: Enable the Privacy Commissioner to assess privacy protections by blocs of countries, not just individual nations.
- Terminology updates for consistency across the Amendment Act.
- Exemptions: IPP 3A will not apply to intelligence agencies, personal/domestic affairs, or pre-1 June 2025 data collected under approved information-sharing agreements.
Compliance Steps
1. Map Your Data Collection Practices
Identify where personal information is collected indirectly. Understand your data flows, especially in partnerships, affiliate networks, and data enrichment processes. Your organization should create a register of your agency’s personal information collections and:
- Identify which are direct and which are indirect.
- For indirect collections, determine whether the following “primary exceptions” apply:
- The individual is already aware
- The data will only be used in a non-identifiable form
- The data will be used solely for research or statistics (with no identifying publication)
If these don’t apply, test for the other exceptions, such as security or public safety risks.
2. Use the IPP 3A Notification Flowchart
To determine whether notification is required under the new IPP 3A obligations, agencies should refer to the decision-making flowchart provided by the OPC. The flowchart offers a step-by-step guide to assessing whether your agency needs to notify individuals after collecting their personal information indirectly. This resource will help ensure you apply the right exceptions, timelines, and content requirements when indirect collection occurs.
3. Update Your Privacy Notices
Prepare layered privacy notices or indirect collection notifications tailored for these contexts. Consider digital delivery options (e.g., email, app, dashboard alerts).
4. Review Vendor Agreements
Ensure third-party data-sharing arrangements allow you to meet your notification obligations or shift the obligation upstream if feasible.
