IPP 3A Is Here: What the NZ Privacy Amendment Act 2025 Actually Requires From Your Business

Estimated reading time: 13 minutes

From 1 May 2026, the Human Rights Review Tribunal can award up to $350,000 in damages per complaint. The Privacy Commissioner can name your business publicly. And “we did not know” is not a defence.

What Happens If You Do Not Comply

The Privacy Act 2025 gives the Privacy Commissioner real enforcement teeth. If your business fails to meet its obligations under IPP 3A, here is what you are looking at:

  • Compliance notices. The Privacy Commissioner can issue a formal notice requiring you to do something or stop doing something. This is legally binding. Failure to comply is a criminal offence.
  • Fines and damages. The Privacy Commissioner can seek fines of up to $10,000 per offence for failure to comply with a compliance notice, failure to notify a breach, and obstruction of an investigation. Separately, the Human Rights Review Tribunal can award damages of up to $350,000.
  • Complaints to the Human Rights Review Tribunal. Individuals whose privacy has been interfered with can take your business to the Tribunal, which can award damages up to $350,000. Remedies also include declarations, restraining orders, and orders requiring specific actions. This is not theoretical — the Tribunal regularly hears Privacy Act cases and has awarded five-figure sums for breaches involving humiliation and loss of dignity alone.
  • Public naming. The Commissioner can publish your business name, details of the breach, and public commentary. For professional services firms, the reputational damage from a public naming can be worse than the fine.
  • Loss of EU adequacy. New Zealand’s adequacy status under the GDPR is partly why IPP 3A was introduced. If NZ businesses collectively fail to comply, the European Commission could reassess NZ’s adequacy, affecting every NZ business that handles EU data.
  • Client and insurer pressure. Cyber insurers are increasingly asking about privacy compliance. Large clients are putting privacy requirements into supplier contracts. Non-compliance does not just mean regulatory risk. It means commercial risk.

The OPC has said it will take a risk-based approach to enforcement, focusing on the impact of non-notification and the agency’s efforts to comply. Businesses that can show they took reasonable steps will be in a much better position than those who did nothing.

What Is Actually Changing

The Privacy Amendment Act 2025 introduces Information Privacy Principle 3A (IPP 3A). It changes what you are required to do when you collect someone’s personal information from a third party rather than from the person themselves.

This is not a minor technical update. If your business receives client referrals, runs credit checks, collects information from partner organisations, receives data from industry databases, or even gets a CV forwarded by a recruitment agency, IPP 3A likely applies to you.

This guide explains what IPP 3A actually requires, why it matters for your IT systems, and what you need to do before the deadline.

What Is IPP 3A (and What Is It Not)?

Under the existing Privacy Act 2025, businesses are already required to inform people when they collect personal information directly from them. That is IPP 3.

IPP 3A extends this to indirect collection. If your business collects someone’s personal information from a source other than the person themselves (another business, a referral partner, a public register, a data broker), you now have an obligation to tell that person.

Important: IPP 3A is about transparency and notification. It is not a new security standard, and it is not about how you store or protect data (that is already covered by IPP 5). IPP 3A is specifically about telling people that you have collected their information indirectly, and giving them specific details about the collection.

For more on how cybersecurity and data privacy work together in New Zealand, see our detailed guide.

The Privacy Amendment Act received Royal Assent on 23 September 2025. IPP 3A takes effect on 1 May 2026. It only applies to personal information collected from that date onwards.

What You Are Required to Tell People

When you collect personal information indirectly, you must take reasonable steps to make sure the person knows:

  • That their information has been collected
  • The purpose of the collection
  • The intended recipients of the information
  • The name and address of the agency collecting the information and the agency holding it
  • Whether the collection is authorised or required by law (and which law)
  • Their right to access and correct their information

The Office of the Privacy Commissioner has been clear: generic statements are not sufficient. Saying “we may collect information from third parties for business purposes” does not meet the standard. You need to be specific about what information, from whom, and why.

For example, if you are an insurance company collecting health information from a medical provider, you would need to tell the insured person: “We have collected your medical history from [specific provider name] for the purpose of assessing your insurance claim.”

When the Exceptions Apply

IPP 3A is not absolute. There are exceptions where notification is not required:

  • The person has already been made aware of the collection (for example, the disclosing organisation told them in their own privacy notice, naming your organisation specifically)
  • Non-compliance would not prejudice the interests of the person concerned (limited to routine, low-risk information)
  • The information will not be used in an identifiable form (such as for anonymised research)
  • The information is publicly available
  • Notification is not reasonably practicable in the circumstances (but the OPC is clear that cost and inconvenience alone do not qualify)
  • The information was collected for law enforcement or security purposes

Critical point: If you are relying on an exception, document your reasoning. The OPC has indicated it will take a risk-based approach to enforcement, and agencies that can demonstrate they considered their obligations and made a reasonable decision will be in a much stronger position than those who simply ignored the requirement.

What This Means for Your IT Systems

This is where most businesses will feel the practical impact. IPP 3A creates IT system requirements that many NZ businesses are not set up to handle:

1. Data flow mapping

You need to know where personal information enters your business from third-party sources. This means mapping every data flow: CRM imports, referral partner integrations, recruitment platforms, credit check services, API connections, manual data entry from external sources. If you cannot map it, you cannot comply. A technical business review is the fastest way to get this done.

2. Privacy notice automation

When indirect collection happens, you need a system to notify the person. For businesses processing high volumes (insurance, legal, financial services), this cannot be manual. You need automated notification workflows triggered by data ingestion events. This could be email notifications, app alerts, or SMS, depending on how you engage with the individual.

3. CRM and workflow updates

Your CRM or case management system needs to capture and flag indirect collections so your team knows when notification is required. This likely means new fields, new workflow triggers, and new reporting. If your systems do not distinguish between direct and indirect collection, they need to.
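The three system requirements above (knowing where a record came from, deciding whether a notice is due, and generating a specific rather than generic notice) can be sketched as a single intake step. The following is an added example written for this article, not code from OxygenIT or the Office of the Privacy Commissioner. The record schema, the exception codes, the 20-character "reasoning present" threshold and every name, address and e-mail in the sample data are constructed assumptions; the six notice elements and the six exception categories are the ones this page lists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# IPP 3A applies only to information collected from this date (per the article).
IPP3A_EFFECTIVE = datetime(2026, 5, 1, tzinfo=timezone.utc)

# Constructed codes for the exception categories the article lists.
EXCEPTIONS = {
    "ALREADY_AWARE": "Person already made aware by the disclosing organisation",
    "NO_PREJUDICE": "Non-compliance would not prejudice the person's interests",
    "NOT_IDENTIFIABLE": "Information will not be used in identifiable form",
    "PUBLICLY_AVAILABLE": "Information is publicly available",
    "NOT_PRACTICABLE": "Notification not reasonably practicable (cost alone does not qualify)",
    "LAW_ENFORCEMENT": "Collected for law enforcement or security purposes",
}

@dataclass
class CollectionEvent:
    """One ingestion event as a CRM or intake system might record it (constructed schema)."""
    subject_id: str
    subject_contact: str
    source: str                  # "subject" for direct collection, else the named third party
    purpose: str
    recipients: list
    collecting_agency: str       # name and address of the agency collecting
    holding_agency: str          # name and address of the agency that will hold it
    collected_at: datetime
    legal_basis: Optional[str] = None   # statute, if collection is authorised or required by law
    exception: Optional[str] = None     # code from EXCEPTIONS if relying on one
    exception_reason: str = ""          # the written reasoning the OPC expects to see

def is_indirect(event: CollectionEvent) -> bool:
    return event.source.strip().lower() != "subject"

def requires_notice(event: CollectionEvent) -> bool:
    """Notice is due when collection is indirect, on/after the effective date, with no exception."""
    if event.collected_at < IPP3A_EFFECTIVE:
        return False
    if not is_indirect(event):
        return False             # direct collection is IPP 3 territory, not IPP 3A
    return event.exception is None

def validate_exception(event: CollectionEvent) -> None:
    """Refuse to record an exception that is unknown or carries no documented reasoning."""
    if event.exception is None:
        return
    if event.exception not in EXCEPTIONS:
        raise ValueError(f"unknown exception code {event.exception!r}")
    if len(event.exception_reason.strip()) < 20:   # assumed minimum; tune to your process
        raise ValueError("exception relied on without documented reasoning")

def build_notice(event: CollectionEvent) -> str:
    """Assemble the six elements the article lists, naming the specific source and purpose."""
    law = (f"This collection is authorised or required by {event.legal_basis}."
           if event.legal_basis else "This collection is not required by law.")
    return "\n".join([
        f"We have collected your personal information from {event.source}.",
        f"Purpose: {event.purpose}.",
        f"Intended recipients: {', '.join(event.recipients)}.",
        f"Collected by: {event.collecting_agency}. Held by: {event.holding_agency}.",
        law,
        "You have the right to access and correct this information.",
    ])

def process_event(event: CollectionEvent, audit_log: list) -> dict:
    """Flag the record, decide on notice, and append an audit entry; returns that entry."""
    validate_exception(event)
    due = requires_notice(event)
    entry = {
        "subject_id": event.subject_id,
        "indirect": is_indirect(event),
        "notice_required": due,
        "exception": event.exception,
        "exception_reason": event.exception_reason,
        "notice": build_notice(event) if due else None,
        "decided_at": datetime.now(timezone.utc).isoformat(),
    }
    audit_log.append(entry)
    return entry

def sample_events() -> list:
    """Constructed sample records; every organisation, address and contact is a placeholder."""
    agency = "Example Insurer Ltd, 1 Example Street, Wellington (constructed)"
    after = datetime(2026, 5, 2, tzinfo=timezone.utc)
    before = datetime(2026, 4, 20, tzinfo=timezone.utc)
    return [
        # indirect, after the effective date, no exception: notice required
        CollectionEvent("S-001", "s001@example.invalid", "Example Medical Centre (constructed)",
                        "assessing your insurance claim", ["claims team"], agency, agency, after),
        # direct collection from the person: no IPP 3A notice
        CollectionEvent("S-002", "s002@example.invalid", "subject",
                        "opening your policy", ["policy team"], agency, agency, after),
        # indirect but collected before 1 May 2026: IPP 3A does not apply
        CollectionEvent("S-003", "s003@example.invalid", "Example Broker Ltd (constructed)",
                        "quoting a policy", ["sales team"], agency, agency, before),
        # indirect with a documented exception: no notice, reasoning kept on file
        CollectionEvent("S-004", "s004@example.invalid", "Companies Office register",
                        "verifying director details", ["compliance team"], agency, agency, after,
                        exception="PUBLICLY_AVAILABLE",
                        exception_reason="Director details are published on the public register."),
    ]

def run_demo() -> list:
    log = []
    for ev in sample_events():
        process_event(ev, log)
    return log

if __name__ == "__main__":
    for entry in run_demo():
        print(entry["subject_id"], "indirect=", entry["indirect"], "notice=", entry["notice_required"])
```

The audit entry is the piece that matters for enforcement: it records, per record, whether collection was indirect, whether a notice went out, and the written reasoning behind any exception, so the "document everything" step later in this article is a by-product of ingestion rather than a separate project.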

4. Third-party contract reviews

Your agreements with organisations that share personal information with you need to be reviewed. Can the disclosing organisation notify the individual on your behalf (which satisfies the exception)? If so, your contract needs to require this and specify the exact wording. If not, the notification obligation sits with you.

5. Privacy policy overhaul

Your privacy policy almost certainly needs updating. The OPC expects specific detail, not generic categories. If you receive personal information from named partners, those partners need to be listed. A layered approach works: a summary notice at the point of collection, with a link to full details.

6. Staff training

Your team needs to know what indirect collection looks like and what to do when it happens. The OPC has noted that agencies should give updated training covering how to identify indirect collection and how to handle exceptions. This should be part of your broader security awareness training programme.

Who Is Most Affected?

Any business that collects personal information from sources other than the individual. In practice, this hits some industries harder than others:

Industry and common indirect collection scenarios:

  • Legal firms: Receiving client information from opposing counsel, collecting information from Companies Office, receiving expert reports about individuals, police disclosures
  • Insurance: Collecting health information from medical providers, receiving claims data from partner agencies, third-party loss assessor reports, fraud database checks
  • Accounting and finance: Receiving financial records from banks, collecting client data from referral partners, credit check results, AML/CFT verification data from identity providers
  • Healthcare: Referrals from other providers, lab results, specialist reports, ACC claim data, pharmacy records
  • Recruitment: CVs forwarded by third parties, reference checks, background screening results, social media screening
  • Any business: Client referrals where the referrer provides contact details, lead lists from marketing partners, data enrichment from third-party databases

A Practical IPP 3A Compliance Checklist

Use this to assess your readiness before 1 May 2026:

  1. Map all indirect data collection points. Where does personal information enter your business from third parties? List every source. Start with a technical business review to map your environment.
  2. For each source, determine if an exception applies. Use the OPC’s decision flowchart. Document your reasoning for each exception you rely on.
  3. Update your privacy policy. Name the specific organisations you collect from indirectly. Generic categories are not sufficient.
  4. Review third-party contracts. Can the disclosing party notify on your behalf? If so, put it in writing with specific wording requirements.
  5. Build notification workflows. When indirect collection occurs, how does the person get notified? Automate this where volume justifies it.
  6. Update CRM and case management systems. Add fields to flag indirect collection. Set up workflow triggers for notification.
  7. Train your team. Everyone who handles personal information needs to understand what indirect collection looks like and what to do.
  8. Document everything. The OPC takes a risk-based approach to enforcement. Evidence that you considered your obligations matters.

What to Do Between Now and 1 May 2026

You have limited time. Here is a month-by-month approach:

Now (March/April 2026): Complete your data flow mapping. Identify every indirect collection source. This is the foundation for everything else.

April 2026: Review third-party contracts and privacy policies. Start updating. Determine which exceptions apply and document the reasoning.

Late April 2026: Build and test notification workflows. Train staff. Run a tabletop exercise: if a referral comes in on 2 May, does your team know what to do?

1 May 2026: IPP 3A is live. All indirect collections from this date forward must comply.

IPP 3A Does Not Exist in Isolation

IPP 3A is one piece of the Privacy Act 2025. Getting notification right is important, but it is not the whole picture. Your business also needs to meet:

  • IPP 5 (Storage and Security): Reasonable security safeguards for all personal information you hold. This is the security obligation, and it already exists. If your IT security is not up to scratch, start there.
  • Mandatory breach notification: If a privacy breach causes serious harm, you must notify both the affected individuals and the Privacy Commissioner.
  • IPP 12 (Disclosure outside NZ): If personal information leaves New Zealand, additional requirements apply.

If your IT environment is not secure (no MFA, no endpoint detection and response, no patch management, no backup testing), fixing that is at least as important as IPP 3A compliance. The two go hand in hand.

Need Help Getting Ready?

OxygenIT works with NZ businesses to map data flows, update privacy processes, and build the IT systems needed to support Privacy Act compliance. We are ISO 27001 and ISO 42001 certified, and we understand how the Privacy Act intersects with the technology your business runs on.

If you are not sure where you stand on IPP 3A, start with a conversation. We will walk through your current data collection practices, identify the gaps, and give you a practical plan to be ready before 1 May 2026.

Book a free Privacy Act IT compliance check: (0800) 242 206 or visit www.oxygenit.co.nz/contact

Frequently Asked Questions

What is IPP 3A in New Zealand?

IPP 3A is a new Information Privacy Principle introduced by the Privacy Amendment Act 2025. It requires New Zealand businesses to notify individuals when their personal information is collected indirectly, meaning from a source other than the person themselves. It takes effect on 1 May 2026 and applies only to personal information collected from that date onwards.

What is the difference between IPP 3 and IPP 3A?

IPP 3 applies when you collect personal information directly from the individual (for example, through a form on your website or a face-to-face conversation). IPP 3A extends the same notification obligations to indirect collection, where you receive someone’s personal information from a third party such as another business, a referral partner, or a data broker.

When does IPP 3A come into force?

IPP 3A takes effect on 1 May 2026. It does not apply retrospectively. Any personal information collected before 1 May 2026 is not subject to IPP 3A requirements.

What are the penalties for not complying with IPP 3A?

The Privacy Commissioner can issue compliance notices (which are legally binding), impose fines of up to $10,000 per offence, and publicly name non-compliant businesses. Individuals can also take complaints to the Human Rights Review Tribunal, which can award damages up to $350,000. The $10,000 fine is the criminal penalty. The $350,000 is the civil liability ceiling — that is the number that should be in your risk register. See our guide to cybersecurity and data privacy for broader context on how privacy obligations intersect with security.

Does IPP 3A apply to my business?

If your business collects personal information about individuals from any source other than the individual themselves, IPP 3A likely applies. This includes receiving client referrals with contact details, running credit or background checks, collecting information from partner organisations, receiving data from industry databases, or getting CVs forwarded by recruitment agencies. The only major exception is where a third party is acting purely as your service provider (for example, a cloud hosting company holding data on your behalf).

What do I need to tell people under IPP 3A?

You must take reasonable steps to inform the individual that their information has been collected, the purpose of the collection, who will receive the information, the name and address of the collecting and holding agencies, whether the collection is required by law, and their right to access and correct their information. The OPC expects specific detail, not generic statements.

Are there exceptions to IPP 3A?

Yes. Notification is not required if the individual has already been made aware of the collection (for example, the disclosing organisation told them and named your business specifically), if non-compliance would not prejudice the individual’s interests, if the information will not be used in identifiable form, if the information is publicly available, if notification is not reasonably practicable, or if the collection is for law enforcement or security purposes. However, you must document your reasoning for relying on any exception.

What IT systems changes does IPP 3A require?

Most businesses will need to map their data flows to identify all indirect collection points, build notification workflows (automated where volume justifies it), update CRM and case management systems to flag indirect collections, review third-party contracts, overhaul privacy policies with specific detail, and train staff to identify and handle indirect collection scenarios. A technical business review is the best starting point.

Does IPP 3A affect how I store or secure personal information?

No. IPP 3A is specifically about notification when collecting personal information indirectly. The obligation to store and secure personal information with reasonable safeguards already exists under IPP 5 of the Privacy Act 2025. However, both obligations apply in parallel, and getting one right without the other still leaves your business exposed. Review your IT security posture alongside your IPP 3A readiness.

How is IPP 3A enforced?

The Privacy Commissioner takes a risk-based approach to enforcement. The OPC will focus on the impact of non-notification on individuals and the agency’s efforts to comply. Businesses that can demonstrate they mapped their data flows, considered their obligations, documented their reasoning, and took reasonable steps will be in a much stronger position than businesses that did nothing. The Commissioner can investigate without receiving a complaint.

Where can I get help with IPP 3A compliance?

The Office of the Privacy Commissioner has published full guidance and a decision flowchart at privacy.org.nz. For IT system implementation support, including data flow mapping, notification workflow automation, CRM updates, and privacy policy reviews, OxygenIT provides IT compliance services for NZ businesses. Contact us at (0800) 242 206.
