New Privacy Act disclosure obligation for indirect collection, from 1 May 2026

A significant change to the Privacy Act 2020 (Act) comes into force on 1 May 2026 via the new Information Privacy Principle 3A (IPP3A). The change will require all businesses and organisations (called “agencies” in the Act) to disclose information to individuals, when they collect personal information about those individuals indirectly (unless an exception applies). Indirect collection can happen in various ways, for example when talking to a referee of a job applicant or checking the applicant’s references. This change is significant because, under the Act, it has only been necessary to disclose information to individuals when collecting their personal information directly. Agencies usually provide the required disclosure in a privacy policy or privacy statement. The IPP3A disclosure obligation only applies to personal information collected indirectly from 1 May 2026 onwards.

This post summarises information on the IPP3A disclosure obligation in the following parts:

1. When must IPP3A information be disclosed?

2. What must be disclosed under IPP3A?

3. What are the disclosure exceptions?

4. What is indirect collection of personal information?

5. How can IPP3A information be disclosed?

6. What steps can an agency take to comply with IPP3A?

If you have any questions you are welcome to contact Simon Papa on 022 644 7193 or at simon@cynguslaw.nz. You can find information on Cygnus Law’s services in relation to Privacy Act compliance here. This post is not legal advice.

The Privacy Commissioner has published a detailed guide on IPP3A here. Information from that guide is referred to below.

1. When must IPP3A information be disclosed?

IPP3A information must be disclosed to individuals whose information is being collected indirectly, prior to collection or as soon as reasonably practicable after collection.

2. What must be disclosed under IPP3A?

Under IPP3A an agency is required to take steps that are, in the circumstances, reasonable to disclose the following to the individual whose personal information the agency has or will collect indirectly:

  • the fact that the information has been collected
  • the purpose for which the information has been collected
  • the intended recipients of the information
  • the name and address of (1) the agency that has collected the information and (2) the agency that is holding the information
  • if the collection of the information is authorised or required by or under law, the particular law
  • the rights of access to, and correction of, information provided as required by the Act

That information is almost the same as the information required to be disclosed by Information Privacy Principle 3 (IPP3) in relation to direct collection.

3. What are the disclosure exceptions?

There are various exceptions to the IPP3A disclosure obligations. Those exceptions are mostly the same as the exceptions in IPP3 (in relation to direct collection). Information on some key exceptions (but not all) is below together with examples of when they apply (in italics).

1. No Prejudice: Non-compliance would not prejudice the interests of the individual concerned

The guide says this exception should only be used for “common, low risk cases”. An example in the guide of when that exception could apply is –

collecting emergency contact information from an employee [- the agency] reasonably presumes that the employee has an existing relationship with their emergency contact and has made them aware that they are their emergency contact.

2. Publicly Available: The information is publicly available information

The Act defines “publicly available information” as information from a publication (this covers electronic and physical publications and includes the internet), including a register, list, or roll of data, that is generally available to members of the public free of charge or on payment of a fee.

Social media profiles and posts (e.g. LinkedIn profiles) are publicly available information, as long as the information is genuinely available to the public (e.g. information on social media isn’t publicly available if it can only be viewed by “friends” or “contacts” of the account holder).

3. Court Proceedings: Non-compliance is necessary for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation)

An agency may be able to rely on this exception if, for example, the agency is involved in a serious dispute and receives information about a third party in connection with the dispute.

4. Not Reasonably Practicable: Compliance is not reasonably practicable in the circumstances of the particular case

The guide states that inconvenience, cost, or administrative burden don’t, in themselves, mean that this exception applies. It says that cost may be a factor if it is disproportionate to the value to the person who receives the disclosure. The guide also says that the type of information will be relevant; for example, if the information is “sensitive” it is less likely that the exception applies.

The guide states that

it may not be practicable for an agency to notify the person if they don’t hold any contact details for them. In this situation, the collecting agency isn’t expected to collect contact details for them solely for the purpose of notifying them.

This indicates a potentially wide exception, but it needs to be considered in the specific circumstances.

5. Individual Not Identified/Statistical Purposes

This exception applies if the personal information:

  • (i) will not be used in a form in which the individual concerned is identified; or
  • (ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

6. Trade Secrets/Commercial Position

This exception applies if compliance would:

  • (a) disclose a trade secret; or
  • (b) be likely to unreasonably prejudice the commercial position of (i) the person who supplied the information; or (ii) the individual concerned.

The Act doesn’t define “trade secret”. The meaning of that term is very fact dependent. A trade secret might include the chemical formula of a product, designs, or special methods of construction.

With respect to prejudice to the commercial position, this relates to the person who supplied the information or the individual concerned, not the agency. So the agency would have to consider the circumstances of the information supplier or individual concerned.

7. Prejudice Purpose of Collection: Compliance would prejudice the purposes of the collection

The guide gives an example of:

You are collecting personal information for a fraud investigation and notifying the person concerned would undermine your investigation.

This exception should be used carefully.

4. What is indirect collection of personal information?

The default position in the Act (in Information Privacy Principle 2) is that personal information about an individual should be collected directly from that individual. The Act requires that any indirect collection be authorised by the relevant individual, with some exceptions.

IPP3A applies when an agency “collects” “personal information” about an individual other than from that individual. “Personal information” is information about an identifiable individual.

“Collection” of personal information occurs if the agency takes steps to seek personal information. Personal information won’t be captured by IPP3A if the agency did not seek it. For example, there is unlikely to be “collection” by an agency if someone provides information about an individual to the agency in error, such as by including the wrong attachment in an email.

The IPP3A obligations apply whether or not the individual whose personal information is collected indirectly is a customer of the agency. So, for example, an agency (Agency B) that provides services to another agency (Agency A) that involve receiving and processing personal information of customers of Agency A may be obliged to provide IPP3A disclosure to those customers (see the examples in the next paragraph). That may be the case even though Agency B may have no direct connection with the customers of Agency A. See Part 5 below for some disclosure options in that case.

The situation above is also likely a relevant consideration for Agency A. As noted above, Agency B, by indirectly collecting that personal information, may have to make IPP3A disclosure to Agency A’s customers. Examples of where that may occur include where:

  • Agency B provides compliance verification services to Agency A, for example where it reviews Agency A’s customer records to check that Agency A has complied with its obligations at law to its customers.
  • If Agency A is a service provider, Agency B could include Agency A’s professional indemnity insurance provider, and its broker, where Agency A may have to notify an actual or potential claim by a customer.

However, IPP3A won’t apply to law firms with respect to personal information about third parties that law firm clients provide to the firms in connection with the provision of legal services. While that is indirect collection by the firms, legal professional privilege will likely apply and override IPP3A disclosure obligations that the firms may otherwise have.

5. How can IPP3A information be disclosed?

The Act does not require any particular method of disclosure of the IPP3A information. In many cases it will likely be easiest to disclose the information in the agency’s existing privacy policy or statement.

If an agency (Agency A) gets another agency (Agency B) to (1) collect personal information on behalf of Agency A or (2) otherwise obtains personal information from Agency B (which is indirect collection by Agency A), an option is to get Agency B to disclose Agency A’s IPP3A information on its behalf. That disclosure will most likely be in Agency B’s own privacy policy or statement. The Privacy Commissioner recommends imposing that as a contractual obligation on Agency B and being reasonably sure that it will comply (and checking that it does). It won’t be enough for Agency B to refer to Agency A generically, e.g. via the description “service providers”. In its disclosure Agency B would need to name Agency A, provide Agency A’s contact details, and explain the purpose of collection, how Agency A will use the information and who Agency A may provide the information to.

6. What steps can an agency take to comply with IPP3A?

The Act does not require an agency to implement or use any particular internal procedures in relation to disclosure compliance. It’s up to the agency how it complies, and there are different ways to approach compliance. Examples of steps that an agency could take to comply with IPP3A are:

  • Review the agency’s business and identify situations when indirect collection occurs or may occur and document that.
  • Review those situations and the information collected to identify if any of the exceptions apply and document that.
  • Where no disclosure exceptions apply, decide how the agency will make IPP3A disclosure to relevant individuals including how they will be contacted and how the disclosure will be provided.
  • Develop policies, procedures, documents and systems (as necessary) to support compliance including by embedding them within a CRM system (if relevant) and updating the agency’s current privacy policy or statement.

An agency may also want to identify which other agencies it provides personal information to (if any) that may themselves have to provide IPP3A disclosure to the relevant individuals (see the examples noted in Part 4 above). The agency can then consider whether it wants to place some controls around that including potentially providing the required IPP3A disclosure itself on behalf of the relevant agencies.