New Zealand’s Privacy Shake-Up: Why IPP3A is a bigger deal than it sounds

11 March 2026

Introduction

Privacy law rarely makes headlines, yet it quietly governs how organisations collect, use, and share personal information every day. Many people would expect there to be rules over how organisations can use their information when they give their data directly by filling in a form or signing up for a service. However, a lot of personal information is now collected via third parties and public records, and through data sharing, and may have been collected without the individual ever knowing about it.

Indirect collection of data has been a gap in New Zealand’s privacy laws until now, with the introduction of the Privacy Amendment Act 2025 (the Amendment). The Amendment introduces "Information Privacy Principle 3A" (IPP3A), which promotes accountability and transparency over how an organisation obtains information on an individual other than from the individual themselves. As of May 2026, organisations will generally have to tell the individual from whom they gathered the data, why they gathered it, and how they will use it.

This change may be considered an amendment to the existing system, but it demonstrates the overall movement towards greater accountability and transparency in modern data practices. It acknowledges that the need for privacy protection extends beyond the direct interaction between the data subject and the data collector (the organisation) and must also consider the data ecosystem.

The Transparency Gap that Sparked the Reform

Up until now, New Zealand’s privacy framework has focused primarily on information collected directly from a person. For example, if you filled out a form, signed up to receive a service or applied for a job, the organisation had to tell you how it used your personal information.

However, if the individual’s information was obtained from another organisation (e.g. another business or government department), a reference/intermediary, a purchased dataset, or a publicly available source, then often the organisation would not have had the same obligation to notify you that it had obtained your personal information in any of those ways.

Essentially, there was a large, and often significant, number of individuals whose personal information could be collected by numerous means without them even being aware that the information had been collected, who collected it, what had been done with it, and who it had been shared with.

Over the years, as we have become much more reliant on transferring data between different types of organisations (for example, sharing your data between organisations, subcontracting the processing of your data to third parties, or collecting information from analytics programs), it has become increasingly difficult to justify not having an obligation to notify an individual whose personal information has been collected.

The intention of the new Information Privacy Principle 3A (IPP3A) is to address this gap.

So, what exactly is IPP3A?

This rule applies when an organisation gets personal data from a source other than the individual whose data is being gathered (for example, from another organisation). This is called indirect collection. Under this rule, organisations are required to take reasonable steps to make individuals aware that their data is being collected, how it will be collected, which organisations will receive it and how to contact those organisations, whether the collection of their data has been legally required or authorised, and whether they have the right to access or correct their personal information, given that it has been indirectly collected. As a general rule, organisations are required to notify an individual as soon as practicable after the data has been collected.

The amendment also recognises that notification won’t always be appropriate or practical. IPP3A includes several exceptions, including where:

  • the individual has already been informed,
  • the information is publicly available,
  • telling the individual would undermine a lawful investigation,
  • notification is not reasonably practicable,
  • the data will not be used in identifiable form,
  • there is a serious threat to public safety or national security,
  • the data is used for research or archiving in the public interest.

These exceptions matter. They allow IPP3A to operate sensibly in contexts like law enforcement, health research, and regulatory investigations. But they are not a free pass. Organisations will need to be able to justify when they rely on them.

In summary, if an organisation is collecting data about an individual and that individual is not aware of this collection, the organisation is now required to provide notification to the individual.

What counts as “Indirect” collection?

Indirect collection covers a wide range of everyday business practices, such as a lender obtaining credit information from a reporting agency, an employer receiving details about a candidate from a referee, an insurer collecting repair reports from a third party, a marketing company buying a contact list from another firm, and a business sourcing customer data from a public register.

What it does not cover is data handled by service providers acting purely on your behalf (like cloud hosting providers). That is still treated as direct collection.

Not a Ban – A Transparency Rule

Let's be clear about this: IPP3A will not stop indirect collection of data. What it will do is create more open data access. The amendment does not restrict how much data flows; it does, however, ensure transparency between individuals and data collectors about how that data will flow.

This shift represents a new trend in the way that privacy laws all over the world are being developed. Rather than focusing solely on secrecy, the focus of privacy laws is now on transparency, sustainable accountability and informed individuals participating in the greater society.

Why does this look a lot like GDPR?

The EU’s GDPR already requires that organisations inform individuals when they collect or process their personal information from a third party, which is similar to IPP3A. Article 14 of the GDPR requires organisations to provide individuals, at the time their data is collected or processed, with information about where their data was obtained from (the source of the data), why it is being processed (the purpose of processing), to whom it will be given (the recipients of the data), and what the individual's rights are (the rights of the individual).

IPP3A is New Zealand's step towards this level of compliance. Since the EU has already created such regulations, this alignment will be an essential factor in allowing New Zealand companies to receive personal data from Europe, ensuring that "adequate" privacy protections exist between New Zealand and Europe. Therefore, while IPP3A addresses the collection of personal information within New Zealand's domestic legal framework, it is also part of a broader international conversation about privacy.

That is, both IPP3A and Article 14 of the GDPR share the same overarching goal of ensuring that whenever an organisation collects or receives your personal information from another source (e.g., a third party), the organisation must inform you about it. Transparency and visibility of where your data came from and how that data will be used are at the core of both IPP3A and Article 14 of the GDPR.

The distinction between the two lies in how they are regulated. Article 14 of the GDPR contains very strict and prescriptive regulations that specifically delineate what information must be presented to the individual regarding their personal information within a specified timeframe. IPP3A gives the organisation a broader degree of discretion and flexibility: it only requires the organisation to take what are considered "reasonable steps" to provide the individual with the required information about the collection of his or her personal information, and it permits much broader exceptions from compliance. The result is a significantly less rigid framework through which organisations can comply with this type of regulation.

Why this matters beyond legal compliance

There is much more to this reform than checking some boxes.

For individuals, IPP3A establishes visibility regarding: “Who has my information, and/or how did they obtain it?” For organisations, it reinforces the notion that data handling practices must be transparent and not buried within a manual process or supply chain.

Trust in data handling isn’t built via silence;
trust is built on clarity, certainty, and communication.

IPP3A will begin to push organisations to adopt this type of thought process.

What should organisations start doing now?

As this new amendment comes into effect on 1st May 2026, preparation is key. Here are some practical steps you can take:

  • Map where your data originates;
  • Identify all instances of indirect collection of personal data;
  • Re-issue your current privacy notices to comply with the new regulations;
  • Review your data-sharing agreements and ensure compliance;
  • Provide privacy training to all staff who are responsible for handling data.

A Minor Change with Major Significance

While the IPP3A amendment may appear to be simply a narrow technical change, it represents a far-reaching shift in terms of personal data from the perspective of:

  • Improved individual accountability and awareness;
  • Current expectations of data ecosystems worldwide;
  • International harmonisation; and
  • Transitioning from ‘silent processing’ to ‘visible governance’ of personal information.

It emphasises that when personal information flows through a third party/intermediary, it still retains its link to the individual from whom that information originated.

In Conclusion

The Privacy Amendment Act 2025 and IPP3A mark a quiet but important evolution in New Zealand’s privacy landscape.

Effective May 2026, all organisations will be required by this amendment to ensure that they do not overlook indirect collection as a means of circumventing their transparency obligations.

Individuals will have improved visibility of the pathways that their data travels, including when they provide it and how it subsequently moves outside their direct control.

Given the lack of permanence associated with data today, this visibility is not just a good legal outcome; it is a good governance outcome as well.

This article was researched and developed by Priya Narasimalu, CIPP(E), B.Com, LL.B (Hons), Specialisation in Data Privacy Law, Content Development Editor | LexisNexis Regulatory Compliance Global
