A Privacy Law change which affects all organisations in New Zealand has was implemented in May 2026. In this article we outline what it means and why it matters.
The change – indirect information
The change boils down to “IPP3A”, which is an acronym that refers to an addition to the third privacy principle (collection of information). As a reminder, the privacy obligations in New Zealand are overseen by the Office of the Privacy Commissioner and consists of several privacy principles contained in the Privacy Act 2020.
Those 13 privacy principles cover how an organisation collects data, who it tells about that, how people can update their information and more. We outlined exactly what they are and how they work in this overview. A few years ago, when the Privacy Commissioner visited and ran a seminar at Parry Field, he summarised everything with “don’t be creepy”, which is still the best summary we’ve heard when it comes to the approach to collecting private information.
This new addition privacy principle helps to clarify and strengthen the collection and notification obligation to “indirect” information. Essentially what this means is that if your organisation collects information indirectly about someone and stores it, then you have to let them know unless an exception applies
When would this apply?
The Privacy Commissioner gives this example in their helpful guidance here – obviously adapt it for your context and business or charity, but you can see the general principle that emerges:
“Sally makes a claim to her insurance company, Trusted Insurance Co, about damage to her car. She tells them she has taken it to Mater’s Motors for repairs. Trusted Insurance Co asks Mater’s Motors for information about the damage to the car, including whether they thought Sally was responsible for the damage. Mater’s Motors view on whether Sally was responsible for the damage is personal information about Sally. Trusted Insurance Co has indirectly collected Sally’s personal information.”
In this case the insurance company will now have an obligation by taking “reasonable steps” to notify Sally about what it collects about her including (this list is the summary from the Privacy Commissioner’s site).
- the fact that the information has been collected,
- the purpose of the collection,
- the intended recipients of the information,
- the name and address of the agency that is collecting the information and the agency that holds the information,
- if the collection is authorised or required by law, which particular law, and
- their rights of access to, and correction of, their information.
It is worth taking a few minutes to pause and consider if there is any part of your organisation which might collect such information indirectly about people. If so, how do you let people know?
In limited circumstances, an organisation may not be required to notify the individual concerned – for example: if information is publicly available information.
Do you need to disclose where you collected the information from?
If you have collected information indirectly, there is no requirement to disclose where you collected the information from you will always need to be considering what information you collect and why (see IPP 1 and 2 for more information about this).
Some final reflections / challenges since you have read this far relating to privacy:
- Do you have a privacy officer in your organisation?
- When was your policy last reviewed and updated?
- Have you thought through what you would do if there was a hack of your data and it got disclosed?
We often help organisations with their privacy-related questions. If you would like to discuss your situation or would like assistance to create a bespoke privacy policy for you, feel free to reach out to our team.
