Blog

New Zealand’s Privacy Shake-Up: Why IPP3A is a bigger deal than it sounds

Lycijoy Ferrer — Wed, 11 Mar 2026 20:38:00 GMT

Introduction

Privacy law rarely makes headlines, yet it quietly governs how organisations collect, use, and share personal information every day. A lot of people would expect there to be rules over how organisations can use their information when they give their data directly by filling in a form, or signing up for a service; however, a lot of personal information is now being collected by third parties and public records, and through data sharing and may not have been collected without the individual ever knowing about it.

The way in which data is collected indirectly has been a gap in the current privacy laws in New Zealand until now, with the introduction of the Privacy Amendment 2025. Amendment 2025 (the Amendment) introduces "Information Privacy Principle 3A" (IPP3A), which promotes accountability and transparency over how an organisation obtains information on an individual other than from the individual themselves, as of May 2026; organisations will generally have to inform the individual from whom they gathered their data, why they gathered it, and how they will use it.

This change may be considered an amendment to the existing system but demonstrates the overall movement to increase accountability and transparency of modern data practices; this understanding acknowledges that the need for privacy protection extends beyond the direct interaction between the data subject and the data collector (the organisation) and must also consider the data ecosystem.

The Transparency Gap that Sparked the Reform

Up until now, New Zealand’s privacy framework has been primarily focusing on collecting information directly from a person (for example, if you filled out a form, signed up to receive a service or applied for a job, then the organisation had to tell you how it used your personal information).

However, if the individual’s information was obtained from another organisation (e.g. another business or government department), a reference/intermediary, purchased dataset, or a publicly available source, then often the organisation would not have had the same obligation to notify you of any of those other forms of obtaining your personal information.

Essentially, there was a large and often significant, number of individuals whose personal information could be collected by numerous means without them even being aware that the information had been collected, who collected it, what had been done with it, and who it had been shared with.

Over the years as we have become much more reliant on transferring data between different types of organisations (for example; to share your data between organisations, subcontracting out the processing of your data to 3rd parties, collecting information from analytics programs, etc), it has become increasingly difficult to continue to justify not having an obligation to notify an individual whose personal information has been collected.

The intention of the new Information Privacy Principle 3A (IPP3A) is to address this gap.

So, what exactly is IPP3A?

This rule applies when an organisation gets personal data from a source other than the individual whose data is being gathered (for example, from another organisation) - this is called indirect collection. As a result of this rule, organisations are required to take reasonable steps to build awareness for individuals regarding their data being collected, how it will be collected, which organisations will receive it and how to contact those organisations, if the collection of their data has been legally required/authorised and if they have the rights to access or correct their personal information based on the fact that it has been indirectly collected. As a general rule, organisations are required to notify an individual as soon as practicable after the data has been collected.

The amendment also recognises that notification won’t always be appropriate or practical. IPP3A includes several exceptions, including where:

the individual has already been informed,
the information is publicly available,
telling the individual would undermine a lawful investigation,
notification is not reasonably practicable,
the data will not be used in identifiable form,
there is a serious threat to public safety or national security,
the data is used for research or archiving in the public interest.

“… if an organisation is collecting data about an individual… the organisation is now required to provide notification to the individual”

These exceptions matter. They allow IPP3A to operate sensibly in contexts like law enforcement, health research, and regulatory investigations. But they are not a free pass. Organisations will need to be able to justify when they rely on them.

In summary, if an organisation is collecting data about an individual and that individual is not aware of this collection, the organisation is now required to provide notification to the individual.

What counts as “Indirect” collection?

Indirect collection covers a wide range of everyday business practices, such as a lender obtaining credit information from a reporting agency, an employer receiving details about a candidate from a referee, an insurer collecting repair reports from a third party, a marketing company buying a contact list from another firm, and a business sourcing customer data from a public register.

What it does not cover is data handled by service providers acting purely on your behalf (like cloud hosting providers). That is still treated as direct collection.

Not a Ban – A Transparency Rule

Let's be clear about this: IPP3A will not stop indirect collection of data. What it will do is create more open data access. The amendment does not restrict the amount of data from flowing; however, it does ensure that there is transparency between individuals and the data collectors around how that data will flow.

This shift represents a new trend in the way that privacy laws all over the world are being developed. Rather than focusing solely on secrecy, the focus of privacy laws is now on transparency, sustainable accountability and informed individuals participating in the greater society.

Why does this look a lot like GDPR?

The EU’s GDPR already requires that organisations inform individuals when they collect or process their own personal information from a third party, which is similar to IPP3A. Article 14 of the GDPR requires organisations to provide individuals, at the time their data is collected or processed, with information about where their data was obtained from (the source of the data), why it is being processed (the purpose of processing), to whom it will be given (the recipients of the data), and what individual's rights are (the rights of the individual).

IPP3A is New Zealand's step towards this level of compliance, and since the EU had also created such regulations, this alignment will turn as an essential factor for allowing New Zealand companies to receive personal data from Europe, thereby ensuring "adequate" privacy protections exist between New Zealand and Europe. Therefore, while IPP3A addresses the collection of personal information within New Zealand's domestic legal framework, it is also a part of a broader international conversation about privacy.

That is, both IPP3A and Article 14 of the GDPR share the same overarching goal of ensuring that whenever an organisation collects or receives your personal information from another source (e.g., a third party), the organisation must inform you about it. Transparency and visibility of where your data came from and how that data will be used are at the core of both IPP3A and Article 14 of the GDPR.

The distinction between the two is in terms of how they are regulated. Whereas Article 14 of the GDPR contains very strict and prescriptive regulations that specifically delineate what information must be presented to the individual regarding their personal information within a specified timeframe, IPP3A provides the organisation with a broader degree of discretion and flexibility in complying with these regulations by only requiring the organisation to take what are considered "reasonable steps" to provide the individual with the required information about his or her collection of personal information and permitting much broader exceptions from compliance with the applicable regulations, thereby creating a significantly less rigid framework through which organisations can comply with this type of regulation.

Why this matters beyond legal compliance

There is much more than checking some boxes associated with this reform.

For individuals, IPP3A establishes visibility regarding: “Who has my information, and or how did they obtain it?” For organisations, it reinforces the notion that data handling practices must be transparent and not buried within a manual process or supply chain.

Trust in data handling isn’t built via silence;
trust is built on clarity, certainty, and communication.

IPP3A will begin to push organisations to adopt this type of thought process.

What organisations should start doing now?

As this new amendment comes into effect starting 1st May 2026, preparation is key to getting ready: here are some practical steps you can take: Mapping where your data originates; Identify all instances of indirect collection of personal data; Re-issue your current privacy notices to comply with the new regulations; Review your data-sharing agreements and ensure compliance; Provide privacy training to all staff who/are responsible for handling data.

A Minor Change with Major Significance

While the IPP3A amendment may appear to be simply a narrow technical change, it represents a far-reaching shift in terms of personal data from the perspective of:

“IPP3A represents a far-reaching shift in terms of personal data…”

Improved individual accountability and awareness;
Current expectations of data ecosystems worldwide;
International harmonisation; and
Transitioning from ‘silent processing’ to ‘visible governance’ of personal information.

It emphasises that when personal information flows through a third party/intermediary, it still retains its link to the individual from whom that information originated.

In Conclusion

The Privacy Amendment Act 2025 and IPP3A mark a quiet but important evolution in New Zealand’s privacy landscape.

Effective May 2026, all organisations will be required by this amendment to ensure that they do not overlook indirect collection as a means of circumventing their transparency obligations.

Individuals will have improved visibility of the pathways that their data travels, including when they provide it and how it subsequently moves outside their direct control.

Given the lack of permanence associated with data today, this visibility is not just a good legal outcome; it is a good governance outcome as well.

This article was researched and developed by Priya Narasimalu, CIPP(E), B.Com, LL.B (Hons), Specialisation in Data Privacy Law, Content Development Editor | LexisNexis Regulatory Compliance Global

Get started now and turn complex privacy obligations into a clear, manageable plan.

Fill out the form to download your complimentary IPP3A checklist today to quickly assess your current position and identify gaps, then take the next step by requesting a free trial of LexisNexis® RegCompliance+ platform.

See how streamlined monitoring, practical guidance, and actionable insights can help you simplify compliance and reduce risk.

Ethical AI in the Workplace: Reducing Workload, Improving Efficiency, and Managing Compliance Risks

Lycijoy Ferrer — Sun, 01 Feb 2026 08:46:00 GMT

Introduction

Artificial intelligence is reshaping the ways organisations manage the entire employment lifecycle, from screening resumes and identifying potential candidates to supporting employee development, analysing workforce skills, and assisting with HR processes. While AI offers powerful opportunities to reduce workload, improve efficiency, and transform how teams operate, its integration into the workplace also presents significant legal, ethical, and compliance challenges. Bias and discrimination risks, data processing and privacy concerns, and the rise of AI-powered workplace surveillance all require careful consideration and strong safeguards to ensure responsible and transparent use.

The Expanding Role of AI Across the Employment Lifecycle

From recruitment to workforce development, AI can be utilised to drive efficiencies across the entire employment lifecycle. Effective use of AI can reduce workload, enable teams to focus time and energy where it’s most needed, and also transform how teams manage work. For human resource management teams, some of the ways AI can be used include:

Screening large volumes of resumes to extract key skills and match candidates' experience to job descriptions
Scanning public profiles and job platforms to identify potential company fits
Recommending learning paths and stretch assignments based on an employee’s role, performance, and career aspirations
Performing a gap analysis of organisational skills and opportunities
Identifying patterns in employees' performance data
Providing HR assistance to build policies, programs, and
Assisting in the payroll process

While AI is a powerful tool to aid human resource management teams, its integration into the workforce presents legal and compliance challenges.

In an employment space, AI has been found to perpetuate gender and race discrimination in its hiring processes and can pose risks to an organisation’s compliance with anti-discrimination, human rights, and employment law.

Bias and Discrimination Risks

Large language models (LLM) are advanced machine learning models that are designed to understand and generate human language. They are trained on a vast amount of data and derive answers based on these data inputs. While answers from LLMs can read ‘human’ and include mannerisms and language not too dissimilar from any other colleague, LLMs are incapable of self-consciousness and emotional intelligence. Answers are derived from a mathematical ‘truth’ or probability based on its dataset. This means that if there is bias within the data LLMs are trained on, they are incapable of distinguishing that bias from a factual truth. It is inevitable that any answer generated by an LLM will reflect errors and biases that occur within its training data, and it is nearly impossible to provide an adequate amount of unbiased data to an LLM. In an employment space, AI has been found to perpetuate gender and race discrimination in its hiring processes and can pose risks to an organisation’s compliance with anti-discrimination, human rights and employment laws.^[1]An organisation intending to utilise AI in its employment processes may be at risk of perpetuating bias within its organisation without adequate controls and systems in place to mitigate it.

Data Processing

From storing contracts in a locked filing cabinet to managing documents entirely through an e-filing system, the way employee data is stored and utilised in the workplace has evolved over the last two decades. An employee’s initial consent for processing and storage of their data may not extend to the use of AI. Additionally, there may be legislative, privacy, and ethical barriers to the processing and use of sensitive personal information, including health records, criminal records and information relating to criminal records, and background checks through AI. This includes the geographical location of the storage and the risk of unnecessary exposure of the information. Through using AI in the workplace without the necessary controls and consent, an employer may unintentionally be infringing on an employee’s privacy rights.

Today, AI-powered monitoring systems are a common feature of remote and hybrid workspaces.

Workplace Surveillance, Approval, and Protection of Workers’ Privacy

Compared to the days of filing cabinets and punch cards, much has evolved at work. Contemporary workplaces operate with a plethora of digital dashboards and algorithmic management systems tracking how long a worker takes to complete a task, answer emails, and even moments of inactivity. Productivity, engagement, and prediction of potentially reaching burnout are increasingly carried out through management by AI and data analytics. While these tools have also improved efficiency, they raise some fundamental questions about trust, autonomy, and how far monitoring and control need to go.

From the patterns a person types on to e-mail behaviour to biometric inputs like facial recognition or voice analysis.

Today, AI-powered monitoring systems are a common feature of remote and hybrid workspaces. The tools gather data input via everything from the patterns a person types on to e-mail behaviour to biometric inputs like facial recognition or voice analysis. Sometimes, monitoring extends into workers’ homes, blurring the line between professional and personal life. The data is then analysed in search of trends, underperformance, or predictions of disengagement. Such insights can indeed help teams work well and take care of employee well-being, but biased conclusions are also a possibility. For example, slower task completion may be perceived as poor performance, even if one is managing health conditions or caregiving responsibilities.

Beyond productivity, AI can support employee welfare. By identifying early signs of stress, anxiety, or personal challenges, employers can intervene proactively, offering support before issues escalate. When implemented transparently, AI can instil trust and engagement, shifting perceptions of monitoring from a tool of control to one of support. AI can also improve adherence to ethical and legal norms, as it can alert an employer to potential policy or regulatory breaches early on, so they don't escalate.

It's further enhanced by webcams, wearables tracking attendance, workflow, and engagement in detail, and by smart sensors. While these systems bring about operational efficiency, they also raise serious privacy concerns. Continuous monitoring would erode trust and lead to biased evaluations, as the constant flow of data would be easily misinterpreted or applied in an unfair manner.

Best Practice

The use of AI in a workplace is inevitable, and controls and best practices are vital in ensuring ongoing compliance and ethical use of AI. Preparation can be done by:

✓ Implementing strong AI policies in line with local and international standard frameworks
✓ Promoting transparency and accountability in AI use
✓ Conducting privacy impact assessments and privacy action plans
✓ Implementing data minimisation principles
✓ Including a human in the loop
✓ Conducting audits for bias and accuracy
✓ Seeking clear and informed consent for processing

Organisations should consider various key ethical principles in implementing AI and biometric monitoring responsibly. Monitoring should be proportionate to genuine business needs; employees should be informed about what data is collected and how it will be used; fairness and bias mitigation must be integral to the development of AI systems; sensitive biometric data should be encrypted and access-controlled; and human oversight must guide decisions that have significant consequences.

AI-use policies set ethical boundaries, ensure accountability, and guarantee fairness in AI-driven decision-making.

Internal policies and privacy audits form an important part of responsible data use. Policies should detail what data is gathered, for what purpose, who has access to it, and employees' rights in terms of viewing or correcting their information. Privacy audits check for compliance, find the gaps, and minimise the risks of non-compliance. In the same way, AI-use policies set ethical boundaries, ensure accountability, and guarantee fairness in AI-driven decision-making. Organisations should train employees on these policies, review them periodically, and keep them aligned with the requirements for legality and ethics.

In sum, AI-driven surveillance will enhance efficiency, support employees' well-being, and engender more trust when it is transparent and ethical. Conversely, misuse of these tools can take a devastating toll on morale, compromise privacy, and harm organisational culture. This deliberate, human-centred approach means having clearly articulated policies and regular audits to review workplace monitoring's balance of technological innovation with respect for employee rights, privacy, and wellbeing.

[1] Yang Shen and ZXIuwu ZHanng, ‘The impact of artificial intelligence on employment: the role of virtual agglomeration’ (2024) 11 Humanities and Social Sciences Communications 122, Leonardo Nicoletti and Dina Bass, ‘Humans are Biased. Generative AI is Even Worse’ Bloomberg Technology (Report, 9 June 2023) <https://www.bloomberg.com/graphics/2023-generative-ai-bias/>.

This blog & whitepaper have been written and developed by:
Valentina Howlett, Content Developer – Financial Services, LexisNexis^® Regulatory Compliance
Priya Narasimhalu, Content Development Editor, LexisNexis Regulatory Compliance

Enter your details for instant access to this free whitepaper: Building Safe & Smart AI Practices in the Workplace

Our latest whitepaper unpacks what compliance professionals need to know to stay ahead of rapidly evolving regulatory and ethical expectations.

Blog

New Zealand’s Privacy Shake-Up: Why IPP3A is a bigger deal than it sounds

Introduction

The Transparency Gap that Sparked the Reform

So, what exactly is IPP3A?

“… if an organisation is collecting data about an individual… the organisation is now required to provide notification to the individual”

What counts as “Indirect” collection?

Not a Ban – A Transparency Rule

Why does this look a lot like GDPR?

Why this matters beyond legal compliance

Trust in data handling isn’t built via silence; trust is built on clarity, certainty, and communication.

What organisations should start doing now?

A Minor Change with Major Significance

“IPP3A represents a far-reaching shift in terms of personal data…”

In Conclusion

Get started now and turn complex privacy obligations into a clear, manageable plan.

Ethical AI in the Workplace: Reducing Workload, Improving Efficiency, and Managing Compliance Risks

Introduction

The Expanding Role of AI Across the Employment Lifecycle

In an employment space, AI has been found to perpetuate gender and race discrimination in its hiring processes and can pose risks to an organisation’s compliance with anti-discrimination, human rights, and employment law.

Bias and Discrimination Risks

Data Processing

Today, AI-powered monitoring systems are a common feature of remote and hybrid workspaces.

Workplace Surveillance, Approval, and Protection of Workers’ Privacy

From the patterns a person types on to e-mail behaviour to biometric inputs like facial recognition or voice analysis.

Best Practice

AI-use policies set ethical boundaries, ensure accountability, and guarantee fairness in AI-driven decision-making.

Enter your details for instant access to this free whitepaper: Building Safe & Smart AI Practices in the Workplace

Trust in data handling isn’t built via silence;
trust is built on clarity, certainty, and communication.