What NZ Businesses Need to Know About IPP 3A Indirect Collection Notification Before May 2026

IPP 3A takes effect 1 May 2026. Here is what indirect collection notification means for NZ businesses and how to prepare.

7 March 2026 · 7 min read · By Good Security

IPP 3A takes effect on 1 May 2026. It introduces a new notification obligation: when your organisation collects personal information about someone from a source other than the person themselves, you will generally need to take reasonable steps to make sure that person knows.

This is not about where your data is stored. It is not about cloud services. It is about indirect collection — getting personal information from third parties rather than directly from the individual.

The Office of the Privacy Commissioner's March 2026 guidance is the best starting point for the official position: see the OPC's Privacy Amendment Act 2025 guidance and its Royal Assent announcement.

Current as at 7 March 2026. This article is practical guidance, not legal advice.

What IPP 3A actually requires

The short version: IPP 3A takes effect on 1 May 2026 — weeks away. If your business receives referrals, conducts background checks, or gets data from partners, you will need to notify every individual whose data you collect indirectly. The Privacy Commissioner is already investigating non-compliance. Most businesses can build a compliant process in four to six weeks with the right guidance. Book an IPP 3A Compliance Sprint before the deadline. Read on for the full guide.

Under the Privacy Act 2020, IPP 3 already requires organisations to tell people certain things when collecting their personal information directly. IPP 3A extends that principle to indirect collection — situations where you collect personal information about someone from a third party rather than from the person themselves.

When IPP 3A applies, you must take reasonable steps to make sure the individual is aware of:

  • the fact that their information has been collected
  • the source of the information
  • the purpose for which it was collected
  • who will hold it
  • the individual's right to access and correct it

The key phrase is "reasonable steps." This is not an absolute obligation to notify every person in every case. But you do need a considered, documented process.

Who this affects

IPP 3A is not limited to large organisations or specific sectors. It applies to any business that collects personal information indirectly. Here are the most common scenarios:

Healthcare

Medical practices receive referral letters containing patient information from other providers. Specialists get patient histories from GPs. Aged care facilities receive health information from hospital discharge teams. Each of these is an indirect collection that needs an IPP 3A process.

Recruitment and HR

When you conduct reference checks, you are collecting personal information about a candidate from someone other than the candidate. Background screening services, skills verification through third parties, and even informal references from professional contacts all involve indirect collection.

Financial services

Credit checks through credit bureaus, KYC (Know Your Customer) information from intermediaries, financial data received from accountants or brokers acting for clients — these are everyday workflows that involve collecting personal information from third-party sources.

Professional services

Law firms receiving information about opposing parties. Accounting firms getting employee records from client companies. Consultancies receiving staff details from partner organisations. The indirect collection is built into how these businesses operate.

Any business with referral partners or lead sources

If a referral partner sends you a prospect's contact details, or a lead-generation platform passes enquiry information to your sales team, that is indirect collection. The same applies if a parent company passes customer lists to subsidiaries.

The May 2026 deadline and what to do now

The Privacy Amendment Act 2025 received Royal Assent in 2025 and IPP 3A takes effect on 1 May 2026. That means your obligation begins on that date — not some future compliance window.

Recommended timeline

Now through April 2026:

  1. Audit your indirect collection sources. List every workflow where personal information comes to your business from someone other than the individual. Include HR, sales, operations, and finance processes.
  2. Classify each source. For each indirect collection path, note what information arrives, from whom, into which system, and whether an exception might apply.
  3. Design your notification process. Decide how the individual will be told — email, letter, phone call, or as part of an existing workflow. The method needs to be practical and documented.
  4. Update procedures and train staff. The people who actually handle indirect collection need to know what to do. A policy document that no one reads is not a reasonable step.
  5. Document your decisions. If you believe an exception applies to a particular workflow, write down why. If you have chosen a specific notification method, record the reasoning.

Key exceptions

IPP 3A does not apply in every situation. The main exceptions include:

  • The Section 11 agent relationship. If a third party collects personal information on your behalf as your agent (for example, a contractor collecting information under your instructions), that collection is treated as your direct collection, not indirect. IPP 3A notification is not triggered.
  • Compliance would prejudice the purposes of collection. If notifying the individual would undermine the reason you are collecting the information (for example, a fraud investigation), the obligation may not apply.
  • The information is publicly available. If the information is already publicly available and notification would not be practicable, this may be an exception — but tread carefully and document your reasoning.
  • Notification is not reasonably practicable. In some cases, the volume or nature of the collection makes individual notification impractical. Again, document why.

The exceptions are not blanket permissions. Each one requires a genuine, documented assessment of the circumstances.

How to prepare

The most effective preparation is practical, not theoretical:

  1. Start with a personal data inventory. You cannot assess your indirect collection exposure without knowing where personal information enters your business and from what sources.
  2. Run a privacy impact assessment on your highest-risk indirect collection workflows — the ones involving sensitive information, high volumes, or complex third-party relationships.
  3. Draft notification templates. Standard language for common scenarios saves time and ensures consistency. Different workflows may need different notification approaches.
  4. Build an exception register. Where you believe an exception applies, document the workflow, the exception relied on, and the reasoning. Review annually.

FAQ

Does IPP 3A apply to employee information?

Yes. If your business receives personal information about employees, candidates, or contractors from third parties (reference checks, background screening, payroll data from a parent company), IPP 3A applies unless an exception is relevant.

Is IPP 3A the same as the rules about storing data overseas?

No. IPP 3A is about indirect collection notification. The rules about disclosing personal information to overseas recipients are in IPP 12. If you are looking for guidance on cloud services and cross-border data flows, see our IPP 12 cloud guide.

What if the third party already told the individual?

If the individual already knows the matters IPP 3A requires you to notify them about, and the third party has already provided adequate notice, you may not need to duplicate the notification. But verify this rather than assume it — and keep a record of your reasoning.

What counts as "reasonable steps"?

The Privacy Commissioner has indicated this is a contextual assessment. Factors include the sensitivity of the information, the practicability of notification, and the nature of the collection. A short, direct notification is usually better than an elaborate one that never happens.

What to do next

Every business that collects personal information from referrals, background checks, partners, or third-party data feeds needs a notification process in place by 1 May 2026. That deadline is not moving — but the work to get ready is practical and achievable. Most businesses can map their indirect collection sources and build a compliant notification process in four to six weeks with the right guidance.

Book an IPP 3A Compliance Sprint — start with a readiness assessment and a clear view of what needs to be in place before the deadline.

Looking for cross-border disclosure rules? See our IPP 12 cloud guide.

Need help applying this to your business?

We can help you work out whether this is an immediate issue, how exposed you are, and what a sensible next step looks like.