
Closing the Gap: New Privacy Obligations for Indirect Collection of Personal Information under IPP 3A

 

IPP 3A is a new requirement under New Zealand’s Privacy Act 2020 that applies when an agency collects personal information indirectly rather than from the individual concerned. In most cases, the agency must take reasonable steps to notify the individual that their information has been collected, why it has been collected, who will receive it, and their rights to access and correct that information.

What is IPP 3A?

The Privacy Act 2020 has recently been amended to introduce Information Privacy Principle 3A (IPP 3A), an addition that addresses a longstanding gap in New Zealand’s privacy framework. This new principle imposes obligations on both public and private agencies when they collect personal information indirectly, rather than directly from the individual concerned.

Why was IPP 3A introduced?

Previously, the Privacy Act required agencies to inform individuals when collecting personal information directly from them (under IPP 3). However, no equivalent duty existed for indirect collection (where information is obtained from another source, such as third-party databases, public records, or referrals).

This omission created a transparency issue, leaving individuals unaware that their data was being captured or used by agencies they had never interacted with.

When does IPP 3A apply?

IPP 3A now requires agencies to notify individuals when their personal information is collected indirectly, unless a practical exemption applies. The principle mirrors IPP 3 but extends its application to non-direct sources of collection.

What must agencies tell individuals under IPP 3A?

Under IPP 3A, where an agency receives personal information about an individual from a source other than the individual, the agency must take reasonable steps to ensure the individual is made aware of:

  1. The fact their information has been collected;
  2. The purpose of the collection;
  3. Who will receive or use the information;
  4. The name and address of the collecting agency;
  5. Any legal basis authorising the collection; and
  6. The individual's rights to access and correct their information.

When does an agency not need to notify the individual?

To balance transparency with practicality, IPP 3A contains several exceptions. Agencies do not need to notify individuals if:

  • The information is publicly available;
  • Notification would compromise national security or defence;
  • Compliance would disclose a trade secret; or
  • Disclosure would pose a serious threat to public health or safety.

These carve-outs ensure that operational efficiency and public interest considerations are preserved.

What does this mean for businesses and public agencies?

Agencies, whether businesses or public bodies, that obtain personal information from sources other than the individual should now review their data handling and notification practices. Examples of indirect collection include:

  • Acquiring customer data from a partner organisation;
  • Receiving referrals or reports about individuals;
  • Accessing government or commercial data sets.

How should agencies prepare for IPP 3A compliance?

  • Audit your data collection practices to identify indirect sources;
  • Update your privacy policies and procedures to include IPP 3A compliance;
  • Ensure systems are in place to issue notices where required; and
  • Train relevant staff to recognise when indirect collection triggers notification duties.

Note that if the data is publicly available, such as from a published directory or official register, no notification is required under IPP 3A.

Final Thoughts

IPP 3A marks a shift toward greater transparency and individual control over personal information. While many agencies may already have robust privacy frameworks in place, additional diligence is now required where indirect collection is involved. Legal and compliance teams should act early to ensure their practices align with the new principle and that any reliance on exceptions is well-founded and documented.

If you require assistance reviewing your data collection procedures or updating your privacy policies in line with IPP 3A, please contact Sarah Churstain or Jordan Todd.

--------------------------------------------------------------------

Disclaimer

The information on this webpage provides you with general information that is true and accurate to the best of Ford Sumner’s knowledge.

Ford Sumner may change, delete, add to, or otherwise amend the information contained on this webpage without notice.

Information on this webpage is not business, tax, or legal advice. You should take specific, professional advice before taking any action based on this information.

While Ford Sumner has taken all reasonable care in placing the correct information on this webpage, it cannot be liable for any inaccuracy, error, omission, or any other kind of inadequacy, deficiency, or flaw in, or in relation to the information contained on this webpage.

Ford Sumner fully excludes any and all liability of any kind to any person or entity that chooses to rely upon the information.

FAQs about IPP 3A and indirect collection of personal information

  • What is IPP 3A under the Privacy Act 2020?

    IPP 3A is a new information privacy principle in New Zealand that requires agencies to notify individuals when their personal information is collected indirectly, unless an exception applies.
  • What does indirect collection of personal information mean?

    Indirect collection means personal information is obtained from a source other than the individual concerned, such as a third-party database, public record, referral, or another organisation.
  • When does an agency need to notify an individual under IPP 3A?

    An agency must take reasonable steps to notify the individual when it receives personal information about them indirectly, unless one of the statutory exceptions applies.
  • What information must be included in an IPP 3A notice?

    The individual must be informed of the fact of collection, the purpose of collection, the intended recipients, the name and address of the collecting agency, any legal basis for the collection, and their rights to access and correct the information.