In September, New Zealand’s government passed The Privacy Amendment Act. A major part of the Act is the addition of Information Privacy Principle (IPP) 3A. IPP3A goes into effect May 1, 2026.
The government has created a focus page on IPP3A.
What is IPP3A?
Under IPP3, agencies (businesses or organisations) must already inform people when they collect their personal information from them. Under IPP3A, if an agency collects a person’s personal information from someone other than the person themselves (i.e. indirectly), then that agency is required to tell the person, unless an exception applies.
If an agency has collected personal information indirectly, IPP3A requires them to take reasonable steps to make sure that the person concerned is told:
- that the information has been collected
- the purpose of the collection
- the intended recipients of the information
- the name and address of the agency that is collecting the information and the agency that holds the information
- whether the collection is authorised or required by law and which particular law
- their right to access and correct their information.
Read more on the IPP3A focus page, and bookmark that page to check back for future updates.
Read the draft guidance (.pdf)