IPP 3A — Indirect Collection Notification
New Privacy Act amendment (May 2026) requiring NZ organisations to notify individuals when personal information is collected from third-party sources.
Upcoming Deadline
Effective 1 May 2026
IPP 3A takes effect on 1 May 2026. Organisations that collect personal information from third-party sources need compliant notification processes in place before this date. The preparation window is closing — begin your readiness programme now.
What is really being asked of the business
What this requirement is trying to protect in the real world
A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.
Information Privacy Principle 3A is a new amendment to the New Zealand Privacy Act 2020 that takes effect on 1 May 2026. It introduces a specific obligation: when your organisation collects personal information about an individual from a source other than the individual themselves — known as indirect collection — you must take reasonable steps to notify that individual.
Indirect collection is more common than many organisations realise. A healthcare provider receiving a patient referral from another practitioner is collecting personal information indirectly. A recruitment firm gathering references from a candidate's former employer is collecting indirectly. A financial services company obtaining credit information from a bureau is collecting indirectly. In each case, the individual whose information is being collected may not know it is happening — and IPP 3A exists to close that gap.
The principle does not prohibit indirect collection. It requires transparency. Organisations must make sure that individuals are made aware their personal information has been collected, who collected it, and for what purpose. This is a notification obligation, not a consent requirement — the distinction matters because it affects how organisations design their processes and what documentation they need to maintain.
The May 2026 effective date gives organisations a defined preparation window. Those that begin mapping their indirect collection practices now will be well-positioned when the obligation commences. Those that wait risk discovering the scope of their indirect collection is larger than expected, leaving insufficient time to build compliant notification processes.
Why It Matters
Why business owners, customers, and boards pay attention to it.
Most New Zealand businesses collect personal information indirectly in at least some part of their operations, often without recognising it as such. The May 2026 deadline is approaching, and preparation requires understanding both the scope of your indirect collection and the practical steps needed to meet the notification obligation.
The industries most affected are those where third-party information flows are routine. Healthcare providers regularly receive referrals, discharge summaries, and clinical notes from other practitioners — each containing personal information collected indirectly. Recruitment firms gather references, background checks, and qualification verifications from sources other than the candidate. Financial services companies obtain credit reports, identity verification results, and risk assessments from external providers. Professional services firms receive client information from referring partners or counterparties. Even general businesses collect personal information indirectly through employee reference checks, insurance claims, and customer referrals.
The notification obligation applies regardless of whether the indirect collection is a one-off event or an ongoing process. An organisation that routinely receives personal information from third parties will need systematic notification procedures — not just ad-hoc responses. This means reviewing existing workflows, identifying where indirect collection occurs, and designing practical notification mechanisms that work within your business operations.
Non-compliance with IPP 3A carries the same enforcement mechanisms as other Privacy Act obligations — complaints to the Privacy Commissioner, compliance notices, and potential proceedings through the Human Rights Review Tribunal. Proactive preparation is both a legal obligation and a practical business decision that protects your organisation and maintains trust with the individuals whose information you handle.
Key Requirements
The obligations most businesses need translated into operating reality.
This is where the framework turns into documented controls, ownership, evidence, and review cycles.
Notification When Collecting Indirectly
When your organisation collects personal information about an individual from a source other than the individual, you must take reasonable steps to make the individual aware of the collection. This includes informing them of the fact of collection, the source, the purpose, and their rights under the Privacy Act.
Reasonable Steps to Support Awareness
The obligation is to take 'reasonable steps' — what is reasonable depends on the circumstances, including the sensitivity of the information, the practicability of notification, and the nature of the relationship with the individual. Organisations must be able to demonstrate that their approach to notification is proportionate and genuine.
Exceptions to the Notification Obligation
IPP 3A includes exceptions where notification is not required. The most significant is the Section 11 agent exception — where information is collected by an agent acting on behalf of another organisation, the agent may not need to separately notify. Other exceptions include where the information is publicly available, where notification would prejudice the purpose of collection, or where it is not reasonably practicable.
Documentation of Indirect Collection Sources
Organisations should maintain records of their indirect collection practices, including the types of personal information collected indirectly, the sources, the notification methods used, and any exceptions relied upon. This documentation supports both compliance and accountability under the Privacy Act.
How Good Security Helps
Where businesses usually need practical support.
This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.
Personal Data Inventory
IPP 3A compliance starts with knowing where indirect collection occurs. Our personal data inventory service maps every data flow involving personal information across your organisation, identifying all instances where information is collected from third-party sources rather than directly from individuals — giving you a complete picture of your notification obligations.
Privacy Impact Assessment
We conduct analyst-prepared privacy impact assessments for your indirect collection practices, evaluating which information flows trigger the IPP 3A notification obligation and which fall under recognised exceptions. Our assessments are structured, documented, and designed to withstand scrutiny from the Privacy Commissioner.
Policy Suite & Lifecycle Management
We develop the policies and procedures your organisation needs to operationalise IPP 3A compliance — including indirect collection notification procedures, exception documentation templates, and staff guidance on identifying when notification is required. Your team will know exactly what to do when indirect collection occurs.
Privacy Breach Readiness Report
A privacy breach involving personal information collected indirectly — particularly where the individual was never notified of the collection — would be a serious compliance failure. We make sure your breach response plans account for IPP 3A considerations, including the additional complexity of breaches involving indirectly collected information.
Customer Requirements Register
Your customers and clients may have their own requirements around how personal information is collected and handled. Our customer requirements register tracks these obligations alongside your IPP 3A notification requirements, so you meet both regulatory and contractual expectations.
Further Reading
Related guidance for teams that need the detail.
These articles go deeper into the surrounding decisions, timelines, and implementation issues.
Insight
What NZ Businesses Need to Know About IPP 3A Indirect Collection Notification Before May 2026
IPP 3A takes effect 1 May 2026. Here is what indirect collection notification means for NZ businesses and how to prepare.
Insight
Using Cloud Services? Here is What IPP 12 Means for Your Data
IPP 12 governs cross-border disclosure of personal information. Here is what NZ businesses using cloud services need to know.
FAQ
Common commercial questions.
When does IPP 3A take effect?
IPP 3A comes into effect on 1 May 2026. The amendment was passed as part of the Privacy Amendment Act 2025 with a delayed commencement date to give organisations time to prepare. That preparation window is now closing. Good Security recommends beginning your readiness programme at least six months before the effective date to allow time for mapping indirect collection practices, designing notification processes, and training staff.
What counts as indirect collection?
Indirect collection occurs whenever your organisation collects personal information about an individual from a source other than the individual themselves. Common examples include receiving employee references from former employers, obtaining credit reports from credit bureaus, receiving patient referrals with clinical information from other healthcare providers, gathering background check results from screening providers, and receiving client information from referring professionals. If the individual did not provide the information directly to your organisation, it is indirect collection.
Do I need to notify for every indirect collection?
Not necessarily. The obligation is to take 'reasonable steps' to notify, and there are exceptions. The Section 11 agent exception applies where an agent collects information on behalf of another organisation. Notification is also not required where the information is publicly available, where notification would prejudice the purpose of collection (such as fraud investigation), or where it is not reasonably practicable. However, relying on exceptions requires careful assessment and documentation — you should not assume an exception applies without proper analysis.
How is IPP 3A different from IPP 12?
IPP 3A and IPP 12 address entirely different privacy obligations. IPP 3A concerns notification when personal information is collected indirectly — from sources other than the individual. IPP 12 concerns the disclosure of personal information to overseas recipients. An organisation may need to comply with both, but they are separate requirements with different triggers, exceptions, and compliance approaches. Good Security can help you assess and address both obligations.
Most businesses managing their obligations under Information Privacy Principle 3A (Notification of Indirect Collection of Personal Information) start with Assurance.
If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.