The Countdown Has Started
The short version: IPP 3A takes effect on 1 May 2026, less than two months from today. If your business collects personal information from any source other than the individual, you will need to notify that individual, proactively and specifically. OPC activity is already rising: breach notifications were up 43% and complaints up 21% in the 2024/25 year. The 8 steps below are achievable if you start now. Book an IPP 3A Compliance Sprint before the deadline passes, or read on for the full checklist.
On 1 May 2026, Information Privacy Principle 3A comes into force under the Privacy Amendment Act 2025 (Royal Assent 23 September 2025; commencement date set by section 2(1)). From that date, every New Zealand agency that collects personal information from a source other than the individual concerned must take reasonable steps to notify that individual, proactively, specifically, and as soon as reasonably practicable. The era of silently gathering data from third parties without telling people is over.
If you have read our earlier guide on what IPP 3A is and who it affects, you already understand the landscape. This article is different. This is the operational response plan — the concrete, step-by-step actions your business needs to take in the next 60 days to be ready on day one. The Office of the Privacy Commissioner (OPC) has made clear that enforcement activity is accelerating, with breach notifications rising 43% to approximately 600 and complaints rising 21% to 1,598 in the 2024/25 year (OPC Annual Report 2024/25). Now is not the time for a wait-and-see approach.
Who Needs to Act
Virtually every New Zealand business that operates digitally. If your organisation does any of the following, IPP 3A applies to you:
- Uses cloud or SaaS platforms that ingest personal information from external sources, whether Microsoft 365, Google Workspace, Xero, Slack, HubSpot, or a niche tool; it is the external source of the data, not the cloud hosting itself, that triggers the obligation
- Receives referrals — medical practices, professional services firms, recruitment agencies, financial advisers
- Purchases or receives marketing lists — lead generation services, purchased contact databases, event attendee lists from third-party organisers
- Conducts background checks — pre-employment screening, credit checks, identity verification through third-party providers
- Aggregates data from partners — loyalty programmes, multi-party service delivery, franchise networks
- Uses data brokers or analytics platforms — any service that enriches your records with personal information sourced elsewhere
The trigger is straightforward: if you collect personal information about an individual from someone or something other than that individual, IPP 3A applies. The obligation is created by Section 22 of the Privacy Amendment Act 2025, which inserts the new IPP 3A into the Privacy Act 2020.
The 8-Step Compliance Checklist
Step 1: Audit Your Data Flows
Before you can comply, you need to know where you are exposed. Map every instance in your business where personal information enters your systems from a source other than the individual.
Start with your core systems. Your CRM, HR platform, accounting software, email marketing tool, and project management suite are the most likely to receive personal data from third parties. For each system, answer three questions: What personal information does it receive? Where does that information come from? Is the source the individual, or someone else?
This audit does not need to be exhaustive on day one, but it does need to cover your primary data flows. A partial audit completed before 1 May is far more valuable than a perfect audit completed in July.
Step 2: Map Your Third-Party Collections
With your data flows identified, build a detailed register of every third-party collection. For each entry, record:
- The source — who or what provides the personal information (e.g., a recruitment agency, a referral partner, a cloud integration)
- The type of information — names, contact details, employment history, financial data, health information
- The volume and frequency — is this a one-off collection or an ongoing feed?
- The purpose — why are you collecting this information?
- The intended recipients — will this information be shared further within or outside your organisation?
This register becomes the foundation of your compliance programme. It tells you exactly where notification obligations arise and helps you identify which exemptions might apply. Under IPP 3A(1), your notification to the individual must include the purpose of collection, intended recipients, and the name and address of both the collecting and holding agency. You cannot provide this notification accurately without a current, detailed register.
Step 3: Determine Which Exemptions Apply
IPP 3A is not absolute. The Privacy Amendment Act 2025 includes a structured set of exemptions under IPP 3A(3) through IPP 3A(7). However, relying on an exemption without proper analysis and documentation is a significant compliance risk. Work through each exemption methodically.
Prior notification (IPP 3A(3)): If the individual has already been made aware of the matters listed in IPP 3A(1) by any means — whether by the source agency, through a published privacy statement they have engaged with, or through prior direct communication — the obligation is satisfied. This does not mean a generic website privacy policy covers everything. The notification must be specific enough that the individual is genuinely aware of how their information is being collected and used.
Would not prejudice the individual's interests (IPP 3A(4)(a)): If collecting the information without notification does not disadvantage the individual in any way, this exemption may apply. This is a narrow exception and requires genuine assessment, not assumption.
Publicly available information (IPP 3A(4)(b)): If the personal information is already publicly available — for example, from a public register, published directory, or the individual's own public social media profile — notification is not required. Be cautious here: "publicly available" has a specific legal meaning and does not extend to information that is merely accessible with effort.
Law enforcement necessity (IPP 3A(4)(c)): Notification is not required where it would prejudice the maintenance of the law, including the prevention, detection, investigation, prosecution, and punishment of offences.
Prejudice to purposes of collection (IPP 3A(4)(d)): Where notification would undermine the very purpose for which the information was collected — for example, a fraud investigation — this exemption applies.
Not reasonably practicable (IPP 3A(4)(e)): If the agency genuinely cannot identify or contact the individual, or if the cost and effort of notification would be grossly disproportionate to the privacy benefit, this exemption may apply. The OPC expects agencies to make genuine efforts before relying on impracticability.
Serious threat to health or safety (IPP 3A(4)(f)): Notification is not required where it would create a serious threat to the life, health, or safety of any individual or to public health or safety.
Non-identifying use, statistics, or research (IPP 3A(4)(g)): Where information is used only in a form that does not identify the individual, or solely for statistical or research purposes and will not be published in a form that could identify the individual, notification is not required.
Archival purposes (IPP 3A(5)): Information held solely for archival or historical preservation purposes is exempt.
National security (IPP 3A(6)): Where notification would prejudice the security or defence of New Zealand, the exemption applies.
Trade secrets and commercial position (IPP 3A(7)): Notification is not required where it would disclose a trade secret or unreasonably prejudice the commercial position of the agency.
For each exemption you intend to rely on, document the reasoning and the evidence supporting it. This is not optional — it is the core of demonstrable compliance.
Step 4: Build Notification Templates
For every third-party collection that does not fall under an exemption, you need a notification mechanism. IPP 3A(1) specifies what the notification must contain:
- (a) The fact that the information has been collected
- (b) The purpose for which the information was collected
- (c) The intended recipients of the information
- (d) The name and address of the collecting agency and the holding agency (if different)
- (e) If collection is authorised or required by law, the specific law and whether the supply is voluntary or mandatory
- (f) The individual's rights of access to, and correction of, personal information under the Privacy Act 2020
Build template notifications for your most common third-party collection scenarios. A recruitment agency referral, for instance, will require a different template from a credit check or a marketing list acquisition. Each template should be specific enough that the individual genuinely understands what was collected, from whom, and why, and it should be ready to send at the point of collection, because IPP 3A(2) requires notification "as soon as reasonably practicable after the information has been collected."
Do not draft vague, one-size-fits-all notices. The OPC has indicated that generic privacy statements do not constitute adequate notification under IPP 3A. The notification must be specific to the collection event.
Step 5: Update Your Privacy Statement
While a generic privacy statement is not sufficient on its own, it remains an important component of your compliance framework. Your public privacy statement should now explicitly address your practices around collecting personal information from third-party sources. It should explain in plain language:
- The types of third-party sources you collect personal information from
- The general purposes for these collections
- How individuals will be notified when their information is collected from a third party
- How individuals can exercise their rights of access and correction
This update serves two purposes. First, it demonstrates good faith and transparency to the OPC. Second, it provides a baseline of awareness that may support the "prior notification" exemption under IPP 3A(3) in some circumstances — though it should not be relied upon as the sole means of compliance.
Step 6: Train Your Staff
Compliance is not a document — it is a behaviour. The teams most likely to handle third-party personal information need to understand their obligations before 1 May 2026.
HR and recruitment teams regularly receive personal information from recruitment agencies, referees, and background check providers. They need to understand when notification is triggered and how to deliver it.
Marketing teams that purchase or receive contact lists, use lead generation tools, or import data from event platforms need to recognise that every new contact sourced externally may trigger a notification obligation.
Customer service and operations teams that receive referrals, process insurance claims, or handle multi-party transactions need clear procedures for identifying third-party collections and initiating notification.
IT and data management teams need to understand how data integrations and automated imports from external systems create IPP 3A obligations that may not be visible at the business level.
Training does not need to be exhaustive. A focused 60-minute session covering the key concepts, your organisation's specific data flows, and the notification templates you have built will equip most teams to comply from day one.
Step 7: Document Your Exemption Decisions
For every third-party collection where you have determined that an exemption applies, create a written record that includes:
- The collection scenario — what information, from what source, for what purpose
- The exemption relied upon — cite the specific subsection of IPP 3A
- The reasoning — why the exemption applies in this specific case
- The evidence — any supporting documentation, legal advice, or risk assessment
- The review date — when this decision will be reassessed
This documentation is your primary defence in the event of a complaint or investigation. The OPC applies a "reasonable steps" standard, and demonstrating that you conducted a genuine, informed analysis of each exemption is the most effective way to satisfy that standard. Undocumented exemption decisions are, in practical terms, indefensible.
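The register from Step 2, the exemption analysis from Steps 3 and 7, and the notice elements from Step 4 fit naturally in one data model, and putting them in code lets the owner from Step 8 run the queue rather than hunt through spreadsheets. The block below is an added illustration, not code from the article or from the OPC: a register row per third-party collection, a classifier that tells you whether each row is out of scope (collected before 1 May 2026), exempt with a documented decision, exempt without one (a red flag), already notified, due, or overdue, and a builder that refuses to emit a notice unless all six IPP 3A(1) elements (a) to (f) can be filled. The 14-day "overdue" threshold is an assumed internal service level, not a statutory period; the agency name, dates and sample rows are constructed.

```python
"""Third-party collection register with IPP 3A obligation checks (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COMMENCEMENT = date(2026, 5, 1)      # IPP 3A commencement date
OVERDUE_AFTER = timedelta(days=14)   # assumed internal service level, not a statutory period
REVIEW_DATE = date(2026, 5, 25)      # "today" for the demo run; constructed

# Exemption subsections as listed in Step 3; any other citation is treated as undocumented.
EXEMPTIONS = {"3A(3)", "3A(4)(a)", "3A(4)(b)", "3A(4)(c)", "3A(4)(d)", "3A(4)(e)",
              "3A(4)(f)", "3A(4)(g)", "3A(5)", "3A(6)", "3A(7)"}


@dataclass
class Collection:
    """One row of the third-party collection register (Step 2)."""
    source: str                        # who or what supplied the information
    info_types: tuple                  # e.g. ("name", "employment history")
    purpose: str                       # element (b)
    recipients: tuple                  # element (c)
    collected_on: date
    collecting_agency: str             # name and address, element (d)
    holding_agency: str                # same string if not a different agency
    legal_basis: Optional[str] = None  # statute, if collection is authorised or required by law
    supply_mandatory: Optional[bool] = None
    exemption: Optional[str] = None    # e.g. "3A(4)(b)"
    exemption_reasoning: str = ""      # Step 7 record; empty means undocumented
    exemption_review: Optional[date] = None
    notified_on: Optional[date] = None


def obligation(c: Collection, today: date) -> str:
    """Classify one entry: out_of_scope, undocumented_exemption, exempt, notified, due or overdue."""
    if c.collected_on < COMMENCEMENT:
        return "out_of_scope"          # pre-commencement information (transitional provision)
    if c.exemption is not None:
        documented = (c.exemption in EXEMPTIONS and c.exemption_reasoning.strip()
                      and c.exemption_review is not None)
        return "exempt" if documented else "undocumented_exemption"
    if c.notified_on is not None:
        return "notified"
    return "overdue" if today - c.collected_on > OVERDUE_AFTER else "due"


def notice_problems(c: Collection) -> list:
    """Return the IPP 3A(1) elements that cannot be filled from this entry."""
    problems = []
    if not c.purpose.strip():
        problems.append("(b) purpose is empty")
    if not c.recipients:
        problems.append("(c) intended recipients are empty")
    if not c.collecting_agency.strip() or not c.holding_agency.strip():
        problems.append("(d) agency name and address is empty")
    if c.legal_basis and c.supply_mandatory is None:
        problems.append("(e) legal basis given but voluntary/mandatory not stated")
    return problems


def build_notice(c: Collection) -> dict:
    """Assemble elements (a) to (f); refuse to emit an incomplete notice."""
    problems = notice_problems(c)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "a_fact": f"We have collected {', '.join(c.info_types)} about you from {c.source}.",
        "b_purpose": c.purpose,
        "c_recipients": list(c.recipients),
        "d_agencies": {"collecting": c.collecting_agency, "holding": c.holding_agency},
        "e_legal_basis": None if c.legal_basis is None
                         else {"law": c.legal_basis, "mandatory": c.supply_mandatory},
        "f_rights": "You may request access to, and correction of, this information "
                    "under the Privacy Act 2020.",
    }


def triage(register, today: date) -> dict:
    """Group sources by obligation so the owner (Step 8) can work the queue."""
    queue = {}
    for c in register:
        queue.setdefault(obligation(c, today), []).append(c.source)
    return queue


# Constructed sample register; names, dates, addresses and the statute are invented.
AGENCY = "Example Co Ltd, 1 Example Street, Wellington"
SAMPLE = [
    Collection("Acme Recruitment Ltd", ("name", "CV", "referee contacts"),
               "Assess suitability for the advertised role", ("hiring manager", "HR team"),
               date(2026, 5, 4), AGENCY, AGENCY),
    Collection("Purchased event attendee list", ("name", "email"), "Event follow-up marketing",
               ("marketing team",), date(2026, 5, 2), AGENCY, AGENCY, notified_on=date(2026, 5, 3)),
    Collection("Companies Office register", ("director name",), "Supplier due diligence",
               ("procurement",), date(2026, 5, 5), AGENCY, AGENCY, exemption="3A(4)(b)",
               exemption_reasoning="Public register entry", exemption_review=date(2027, 5, 1)),
    Collection("Credit check provider", ("credit score",), "Assess credit application",
               ("credit team",), date(2026, 5, 6), AGENCY, AGENCY, exemption="3A(4)(a)"),
    Collection("Partner referral form", ("name", "phone"), "Provide quoted service",
               ("sales team",), date(2026, 5, 20), AGENCY, AGENCY),
    Collection("Identity verification provider", ("ID document details",), "Verify identity",
               ("onboarding team",), date(2026, 5, 15), AGENCY, AGENCY,
               legal_basis="Placeholder statute (constructed)"),
    Collection("Legacy CRM import", ("name", "email"), "Historic customer records",
               ("sales team",), date(2026, 3, 1), AGENCY, AGENCY),
]


def sample_triage() -> dict:
    """Run the demo register against the constructed review date."""
    return triage(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for status, sources in sorted(sample_triage().items()):
        print(f"{status:24} {sources}")
    print(build_notice(SAMPLE[0]))
```

Run it and the credit check row surfaces as `undocumented_exemption` because it cites 3A(4)(a) with no reasoning or review date, the identity verification row is `due` but `build_notice` will refuse it until someone records whether supply is voluntary or mandatory, and the March import drops out as pre-commencement. Those are exactly the three failure modes a register kept in prose tends to hide.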
Step 8: Assign Ownership
IPP 3A compliance is not a one-off project. New third-party data sources will emerge as your business evolves, new staff will join teams that handle external data, and the OPC's enforcement guidance will develop over time. Someone in your organisation needs to own this on an ongoing basis.
For small businesses, this may be the business owner, office manager, or an external privacy adviser. For medium and larger organisations, this sits naturally with a privacy officer, compliance lead, or your vCISO. Whoever owns it needs the authority to review new data flows, update notification templates, and enforce training requirements.
Without clear ownership, compliance will erode within months of the 1 May commencement date. Assign the role now, while the implementation work is fresh and the processes are being built.
What the Privacy Commissioner Says About "Good Enough"
The OPC applies a standard of "reasonable steps" — not perfection. This means your compliance programme does not need to be flawless on 1 May 2026, but it does need to demonstrate genuine, documented effort to meet the new obligations.
The OPC has signalled through its published guidance that it expects agencies to take a proactive approach to notification. Generic privacy policies that mention third-party data collection in passing do not meet the standard. The Commissioner expects specific, timely notification that gives individuals real awareness of how their information has been collected and used.
The "as soon as reasonably practicable" timing requirement under IPP 3A(2) also matters. Notification months after collection, or buried in an annual privacy update, is unlikely to satisfy the standard. The expectation is that notification occurs close to the time of collection — ideally within days, not weeks.
Importantly, the Privacy Amendment Act 2025 includes a transitional provision under Section 25A: IPP 3A does not apply to personal information collected before 1 May 2026. This means you do not need to retroactively notify individuals about historical third-party collections. Your obligation begins with information collected on or after the commencement date.
The Cost of Not Preparing
The enforcement environment is tightening. The OPC Annual Report 2024/25 records breach notifications increasing 43% to approximately 600 and complaints increasing 21% to 1,598. These are not abstract numbers — they represent real investigations, compliance notices, and reputational consequences for New Zealand businesses.
The Privacy Commissioner has the power to issue compliance notices requiring agencies to take specific steps to remedy a breach. Matters can be referred to the Human Rights Review Tribunal, which can award damages including compensation for humiliation, loss of dignity, and injury to feelings. The maximum award under the Human Rights Act 1993 is currently $350,000 per individual claim.
Beyond formal enforcement, the reputational damage from a privacy complaint, particularly one that becomes public, can be far more costly than the compliance effort required to prevent it. Australia's experience is instructive: the Medibank breach in October 2022 compromised the records of 9.7 million current and former customers, including sensitive health claims data covering mental health treatment, HIV status, and drug and alcohol treatment. Medibank's breach costs had exceeded AUD $126 million by 2024 (iTnews, 2024), and the Australian Parliament responded by lifting the maximum privacy penalty from AUD $2.2 million to the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover (Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022). New Zealand's Privacy Commissioner has publicly cited Australia's enforcement trajectory as a model. The gap between NZ's current enforcement regime and where it is heading is measured in political will, not principle.
Clients, partners, and regulators increasingly view privacy compliance as a baseline expectation, not a differentiator.
Perhaps most significantly, the new IPP 3A creates a concrete, testable obligation. Unlike privacy requirements that turn on subjective assessment, whether you took steps to notify an individual about a third-party collection, and whether you can evidence those steps, is easy to test: for each collection there is either a notification record, a documented exemption decision, or nothing. This makes non-compliance straightforward for the OPC to identify and act upon.
Get Compliant Before May
You have 60 days. That is enough time — but only if you start now. The eight steps above are practical and achievable. Businesses that start this week will be ready. Businesses that wait until April will be scrambling.
An IPP 3A Compliance Sprint is designed for exactly this scenario. Over four to six weeks, the work focuses on auditing your data flows, mapping third-party collections, building notification templates, documenting exemption decisions, and training staff. The outcome is a compliance-ready framework with clear ongoing ownership.
IPP 3A Compliance Sprint: $4,500 to $7,500 depending on the size and complexity of your organisation.
Book your IPP 3A Compliance Sprint — start with a readiness assessment and a clear first-week action plan.