Good Security

Information Privacy Principle 3A — Notification of Indirect Collection of Personal Information

May 2026 isn't the deadline. It's the day the questions start

This obligation usually lands when personal information reaches you through referrals, reference checks, recruiters, brokers, or other third-party sources, and it now has a May 2026 deadline attached.

This page helps when

  • Referral, screening, broker, or partner workflows send personal information into your business without direct collection
  • Teams are still discovering where indirect collection happens and which exceptions they rely on
  • The May 2026 date is close enough that mapping, procedure design, and training can no longer wait

Best next move

Start with Baseline.

The deadline is fixed and the clock is already running. Start with a working session if this requirement is blocking procurement, insurer conversations, privacy readiness, or leadership confidence.


Effective 1 May 2026

IPP 3A takes effect on 1 May 2026. Organisations that collect personal information from third-party sources need compliant notification processes in place before this date. The preparation window is closing — begin your readiness programme now.

Where This Starts To Hurt

The buyer moment that makes this rule urgent

The moment usually arrives when a referral partner, recruiter, or credit-check feed surfaces a source of personal information for which you cannot show the individual was ever notified

IPP 3A is the Privacy Act change that catches businesses saying, "We did not collect that from them directly." From 1 May 2026, if your organisation receives personal information from another source, you may need to notify the individual that the collection happened and explain the relevant details.

That affects more organisations than first expected. Recruitment and reference checks are obvious examples, but so are customer referrals, broker introductions, insurance claims, credit checks, healthcare referrals, partner-supplied contact lists, and information passed between group entities or service providers. Many teams already do this work as part of normal operations without treating it as a dedicated privacy obligation.

The real challenge is operational. IPP 3A is not mainly about knowing the rule exists. It is about mapping where indirect collection happens, deciding when notification is required, documenting exceptions, and building repeatable notification steps into day-to-day workflows before the deadline arrives.

What Starts Breaking

What stalls: deals, audits, or insurer renewals

IPP 3A matters because most affected organisations will have more indirect collection than they think. Once you start tracing referrals, screening, partner handoffs, and third-party data feeds, the obligation usually touches more teams than just legal or privacy.

The May 2026 deadline also makes this a timing issue rather than a someday issue. If you wait until shortly before commencement, you may still be discovering sources and exceptions while trying to write procedures and train staff at the same time.

There is also a trust angle. People are more likely to object when they discover information was collected about them without visibility. A working IPP 3A process reduces that surprise, gives you a clearer compliance story, and avoids turning a routine third-party information flow into a complaint or enforcement problem.

What You Will Need To Prove

The first controls, owners, and evidence to put in place

The 'reasonable steps' test decides what notification looks like; mapping indirect sources and documenting Section 11 exceptions come first

See the main requirements
01

Notification When Collecting Indirectly

When your organisation collects personal information about an individual from a source other than the individual, you must take reasonable steps to make the individual aware of the collection. This includes informing them of the fact of collection, the source, the purpose, and their rights under the Privacy Act.

02

Reasonable Steps to Support Awareness

The obligation is to take 'reasonable steps' — what is reasonable depends on the circumstances, including the sensitivity of the information, the practicability of notification, and the nature of the relationship with the individual. Organisations must be able to demonstrate that their approach to notification is proportionate and genuine.

03

Exceptions to the Notification Obligation

IPP 3A includes exceptions where notification is not required. The most significant is the Section 11 agent exception — where information is collected by an agent acting on behalf of another organisation, the agent may not need to separately notify. Other exceptions include where the information is publicly available, where notification would prejudice the purpose of collection, or where it is not reasonably practicable.

04

Documentation of Indirect Collection Sources

Organisations should maintain records of their indirect collection practices, including the types of personal information collected indirectly, the sources, the notification methods used, and any exceptions relied upon. This documentation supports both compliance and accountability under the Privacy Act.

How We Help You Answer It

When the business usually calls us

We usually get called inside a 60-day window to May 2026 — indirect collection needs mapping before the notification procedure can land

Stop searching ten systems every time a customer asks for their data

IPP 3A compliance starts with knowing where indirect collection occurs. Our personal data inventory service maps every data flow involving personal information across your organisation, identifying all instances where information is collected from third-party sources rather than directly from individuals — giving you a complete picture of your notification obligations.

Catch privacy risk before the project launches

We conduct analyst-prepared privacy impact assessments for your indirect collection practices, evaluating which information flows trigger the IPP 3A notification obligation and which fall under recognised exceptions. Our assessments are structured, documented, and built to hold up to Privacy Commissioner scrutiny.

Stop Maintaining Policies Nobody Actually Reads

We develop the policies and procedures your organisation needs to operationalise IPP 3A compliance — including indirect collection notification procedures, exception documentation templates, and staff guidance on identifying when notification is required. Your team will know exactly what to do when indirect collection occurs.

Know Who Gets Told, When, And What, The Moment A Breach Hits

A privacy breach involving personal information collected indirectly — particularly where the individual was never notified of the collection — would be a serious compliance failure. We make sure your breach response plans account for IPP 3A considerations, including the additional complexity of breaches involving indirectly collected information.

Remember every security promise across every contract

Your customers and clients may have their own requirements around how personal information is collected and handled. Our customer requirements register tracks these obligations alongside your IPP 3A notification requirements, so you meet both regulatory and contractual expectations.

Security Awareness Programme Design

IPP 3A shifts what front-line staff need to recognise — a referral form, a background-check return, a recruiter email, or a partner handoff all become notification triggers. We build awareness content so the team identifies indirect collection in their actual workflows, not just in an annual refresher.

Questions Before A Decision

The questions that come up before the contract

When does IPP 3A take effect?

IPP 3A comes into effect on 1 May 2026. The amendment was passed as part of the Privacy Amendment Act 2025 with a delayed commencement date to give organisations time to prepare. That preparation window is now closing. Good Security recommends beginning your readiness programme at least six months before the effective date to allow time for mapping indirect collection practices, designing notification processes, and training staff.

What counts as indirect collection?

Indirect collection occurs whenever your organisation collects personal information about an individual from a source other than the individual themselves. Common examples include receiving employee references from former employers, obtaining credit reports from credit bureaus, receiving patient referrals with clinical information from other healthcare providers, gathering background check results from screening providers, and receiving client information from referring professionals. If the individual did not provide the information directly to your organisation, it is indirect collection.

Do I need to notify for every indirect collection?

Not necessarily. The obligation is to take 'reasonable steps' to notify, and there are exceptions. The Section 11 agent exception applies where an agent collects information on behalf of another organisation. Notification is also not required where the information is publicly available, where notification would prejudice the purpose of collection (such as fraud investigation), or where it is not reasonably practicable. However, relying on exceptions requires careful assessment and documentation — you should not assume an exception applies without proper analysis.

How is IPP 3A different from IPP 12?

IPP 3A and IPP 12 address entirely different privacy obligations. IPP 3A concerns notification when personal information is collected indirectly — from sources other than the individual. IPP 12 concerns the disclosure of personal information to overseas recipients. An organisation may need to comply with both, but they are separate requirements with different triggers, exceptions, and compliance approaches. Good Security can help you assess and address both obligations.

Need a clearer answer on IPP 3A — Indirect Collection Notification?

A working session maps indirect collection, drafts the notification procedure, and leaves an IPP 3A evidence pack ready before 1 May 2026