The Privacy Amendment Bill (Bill) is expected to pass its third reading this year, thereby amending the Privacy Act 2020 (Privacy Act) to include new Information Privacy Principle 3A (IPP3A) — placing new obligations on agencies to notify people when their personal information is collected indirectly.
This article comments on:
- background and objectives of IPP3A;
- new notification obligations introduced by IPP3A;
- exceptions to the new notification requirements; and
- how you can prepare for IPP3A.
Background and objectives
Under current Information Privacy Principle 3 (IPP3), agencies are required to take reasonable steps to notify an individual of various matters when that agency is collecting personal information directly from the individual concerned (unless an exception applies). These matters are:
- the fact that the information has been collected;
- the purpose of the collection of that information;
- the intended recipients of the information;
- the name and address of the agency that is collecting the information and the name of the agency that holds the information;
- whether the collection is authorised or required by law and, if so, which law; and
- the individual’s rights to access and correct their information,
(the Notifiable Matters).
In what some have described as a “gap” in New Zealand’s privacy framework, agencies are not currently required to make similar notifications where they have collected information about an individual indirectly (i.e. via any source other than the individual themselves).
This “gap” was also flagged in the European Union’s first review of New Zealand’s “adequacy status,” raising concerns that New Zealand’s adequacy status may be jeopardised in the long term if this omission was not addressed. Both the previous Government (which originally introduced the Bill) and the current Government, which has retained the Bill in a substantively similar form, have cited EU concerns as a key reason for the Bill.
Obligations introduced by IPP3A
Under new IPP3A, an agency that collects an individual’s personal information indirectly is required to take steps that are reasonable in the circumstances to notify the individual concerned of the Notifiable Matters (unless an exception applies). IPP3A will apply to all indirect collections of personal information which occur on or after 1 May 2026.
Agencies may notify individuals of the Notifiable Matters either prior to the indirect collection of the information, or subsequent to that collection. Subsequent notification is required to occur as soon as reasonably practicable in the circumstances, thereby introducing subjective considerations into the assessment of how soon notification is required. In the Privacy Commissioner’s draft guidance on IPP3A (Draft Guidance), the Commissioner has given examples of “as soon as reasonably practicable” being both within days and within months. The Commissioner’s examples take into account the ease of notification and the specific circumstances of the collecting agency.
Exceptions to the new obligations introduced by IPP3A
Several exceptions apply to the notification requirements introduced by IPP3A. The list of exceptions matches those applying to notification under IPP3, with a few additions. These additional exceptions are:
- Prior notification of the Notifiable Matters has already been given: An agency is not required to notify an individual following indirect collection of personal information where that individual was already notified of the Notifiable Matters prior to the indirect collection occurring. This advance notification can be provided either by the disclosing party or the collecting party.
- Non-compliance with IPP3A will not prejudice the individual: An agency is not required to notify an individual where it believes on reasonable grounds that the individual will not be prejudiced by, or suffer any detriment as a result of, the agency not providing notification of the Notifiable Matters. The Draft Guidance states that what may be considered detrimental will depend on the individual concerned, but that this exception should only be used for low risk or common cases. The Commissioner proposes that agencies follow a “no surprises” test, under which if an agency considers it likely that an individual would be surprised by the indirect collection, then this exception should not be relied upon.
- It is not reasonably practical in the circumstances to inform the individual: An agency is not required to notify an individual where, in the specific circumstances, notification is not practical. The Draft Guidance confirms that the mere fact that notification is inconvenient, expensive, and/or administratively burdensome does not automatically mean that notification is not necessary. Similarly, the fact that an agency may have existing systems or processes which are incompatible with the requirements of IPP3A is not a valid reason to rely on this exception.
Additional guidance regarding exceptions
The Commissioner has also provided the following additional guidance regarding the exceptions to IPP3A:
- When assessing whether notification is or is not reasonably practical, consideration should be given to both the volume of information indirectly collected and the sensitivity of that information. The higher the volume and/or sensitivity of the information, the greater the expectation that the individual be informed.
- Cost may be a relevant factor when assessing whether notification is not practical where the notification exercise would be so expensive that the cost would be disproportionate to the benefits.
- Situations in which notification may be considered not reasonably practical may include where the agency either does not have any contact details of the individual or where it has a reasonable belief that the contact details held for the individual are incorrect or out of date.
How organisations can prepare for IPP3A
The following are some practical steps organisations can take to prepare for IPP3A taking effect on 1 May 2026 (assuming the Bill passes into law):
- Review your collection practices: Gain an understanding of the means via which you currently collect personal information, and identify which of these will be captured by IPP3A.
- Evaluate your indirect collection practices against the IPP3A exceptions: Consider which of your indirect collection practices do or do not have an available exception. Where exceptions apply, document which exceptions you are applying to which indirect collection practices, and set out your reasoning for doing so.
- Develop notification procedures, workflows, and timeframes: For each of your indirect collection practices which do not have an available exception, consider whether it is possible for notification of the Notifiable Matters to occur in advance of indirect collection. For those that cannot be notified in advance, consider how soon after each indirect collection practice constitutes “as soon as reasonably practicable”. Ensure policies and procedures for notification are well documented and accessible to relevant personnel within your organisation.
- Update your privacy policy: Update your privacy policy to provide your customers/clients with information about how you comply with IPP3A. If any of your indirect collection practices allow for notification of the Notifiable Matters in advance, in certain circumstances it may be possible to make this notification within your privacy policy.
- Train your staff on your indirect collection procedures: Ensure staff are aware of the obligations your organisation holds under IPP3A and what needs to occur in order to comply with those obligations.
Conclusion
If you would like further information on the implications of IPP3A on your organisation, get in touch with our Privacy and Data Security team.