Business Canterbury | HR Insights

Privacy Act Amendment 2026

Written by The Business Canterbury Team | Apr 28, 2026 2:30:32 AM

New Privacy Requirements in 2026: What Employers Need to Know 

On 1 May 2026, a new Information Privacy Principle (IPP 3A) comes into force in New Zealand, requiring organisations to notify individuals when their personal information is collected indirectly (from a third party). This amendment increases transparency and aligns with existing direct collection rules, requiring agencies to disclose when, why, and how they obtain information about someone from other sources.

HR examples of collecting personal information indirectly include conducting a reference check with a job applicant’s former manager to verify history or performance, or an employer receiving information from a medical provider regarding a staff member’s fitness for duty.

Key Details of IPP 3A (Effective 1 May 2026)

Mandatory Notification: Agencies must take reasonable steps to inform individuals when their data has been collected from a third party.
Information to Provide: Notifications must include what was collected, the purpose, who is holding it, and the individual’s right to access and correction.
Timing: Notification should occur as soon as reasonably practicable after collection.
Exceptions: Exceptions exist, similar to current law, including for public health, safety, and publicly available information.
Scope: Only applies to information collected on or after 1 May 2026.

How to Prepare

Review Data Processes: Organisations must evaluate how they gather information and identify any indirect collection.
Update Policies: Update privacy notices, systems, and procedures to comply with the new notification obligations.
Review Vendor Contracts: Ensure third-party data providers meet the new standards.

For more details and to review the legislation, refer to the Office of the Privacy Commissioner’s full guide and the Privacy Amendment Act 2025 on the NZ Legislation website.