Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

On 1 May 2026, an amendment to the New Zealand Privacy Act 2020 will come into force that expands the notice obligation to include indirect collections of personal information.

Readers from many other jurisdictions might be surprised this was not already required. Most other privacy laws already require an organization to provide privacy notice in relation to the collection of personal information from third parties — for example, Australian Privacy Principle 5 and Article 14 of the EU General Data Protection Regulation.

However, New Zealand's Information Privacy Principle 3 only applies to the collection of personal information directly from the individual concerned. The amendment is intended primarily to ensure New Zealand retains its coveted EU adequacy status. However, in doing so it brings the notice obligations in our privacy law up to global standards.

The Office of the Privacy Commissioner has released draft guidance on the new IPP 3A, and is now seeking submissions on it. The guidance is interesting, as it gives insight into the OPC's interpretation of the obligation and expectations on how it will be met.

The guidance clarifies, quite rightly, that IPP 3A will not apply to a data processor that is collecting personal information from a data controller and processing it solely on behalf of that data controller. However, it should be noted that it would equally not apply where a data controller is using a data processor to collect personal information directly from an individual on its behalf — such as a market research platform. In this case, the data controller would still be collecting personal information directly, albeit via the data processor.

It also anticipates that simply adding a notification to an organization's privacy notice about the collection of personal information from third parties will not be sufficient. While this might contribute to compliance, the organization is also required to proactively and specifically notify the individuals concerned as soon as practicable after the collection has occurred. The case studies provided suggest an organization might, for example, advise a customer via email that it has just collected personal information about them from a third party.

The guidance does allow for the notification to be provided by the disclosing party, which is likely to be the most common scenario. For example, a bank might state in its privacy notice to customers that it will disclose personal information to a credit reporter, which will use the information for purposes set out in that credit reporter's privacy notice. This would discharge the credit reporter's obligation to provide notice.

Finally, it suggests that generic notifications — like, "we may collect health information about you from health care providers with a role in your care" — would not be sufficient. Instead, an agency will need to be specific — for example, "we will collect health information about you from XYZ Health." This is likely to create a significant compliance burden for many agencies that legitimately rely on information sharing to deliver services.

The OPC should be applauded for taking proactive steps to assist organizations with compliance, and for seeking feedback from the community on its interpretations. However, I wonder how aligned its expectations are to practice in other jurisdictions. Do organizations elsewhere, such as the EU and Australia, go as far as the OPC is suggesting?

Do these organizations proactively notify individuals after collecting personal information from third parties, or do they just provide notice in their general online privacy notices about potential indirect collections? I suspect it's the latter.

For this reason, I think we have a lot to learn from other jurisdictions that have been managing this obligation for many years. I urge privacy professionals in these other jurisdictions to help us out. Make submissions on the draft guidance and help us implement a practicable and pragmatic approach that meets the spirit of the obligation without tying organizations up in knots or leaving consumers bewildered at the sudden influx of privacy notifications.

Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.