Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Back in May, I wrote about draft guidance released by the Office of the Privacy Commissioner of New Zealand on the new Information Privacy Principle 3A. IPP3A, an amendment to the New Zealand Privacy Act 2020 that comes into force 1 May 2026, expands the notice obligation to include indirect collections of personal information.
At the time, I was concerned the draft guidance might not align with overseas practice. For example, the guidance anticipated it would not be sufficient to cover indirect collections in an organization's online privacy statement — proactive notifications to individuals would be required.
I prompted readers to make submissions on the draft guidance to help us implement a practicable and pragmatic approach that meets the spirit of the obligation without tying organizations up in knots or leaving consumers bewildered at the sudden influx of privacy notifications.
I'm pleased to report submissions were made and, more importantly, the OPC listened. On 4 Nov., the OPC released its final guidance on IPP3A and it certainly supports the implementation of a more practicable and pragmatic approach. Most importantly, where the draft guidance placed a significant focus on after-the-fact notifications to individuals, the final guidance anticipates it is "likely an organization could meet its IPP3A requirements in the same way it meets it IPP3 requirements, by using accessible privacy policies, statements and notices."
This is a significant improvement and will make compliance much easier and simpler.
The OPC notes, quite rightly, that organizations will also need to think about how they draw attention to these statements when they collect information indirectly, as they may not have a direct line of communication with the person concerned. However, there is a helpful reference to the reasonableness standard that pervades the Privacy Act.
Organizations must take reasonable steps to ensure people are made aware, and what is reasonable will depend on many factors, including the sensitivity of the information collected, any potential negative impacts on the individual as a result, and practicality considerations. Certainly, there will be many scenarios in which including a privacy statement about indirect collections in an organization's general privacy notice will be reasonable for IPP3A compliance.
The guidance retains helpful discussion on the application and parameters of the various exceptions contained in IPP3A. These parameters are reasonable and, while the OPC would not state this in so many words, it is likely that one of the exceptions will apply to most indirect collections. The most commonly applicable exception is likely to be that the individual concerned has already been made aware of the indirect collection.
The OPC has also added some sensible clarity related to the collection of personal information from someone who has been appointed to act legally on an individual's behalf under the Protection of Personal and Property Rights Act 1988 — such as a welfare guardian or an attorney under an enduring power of attorney. In these cases, IPP3A does not apply, as the guardian or attorney is standing in the shoes of the individual.
Overall, the final guidance is an excellent example of the OPC's willingness to listen to and collaborate with the privacy ecosystem, help organizations comply with the law, and promote a pragmatic and workable approach to privacy compliance. With this new guidance in place, privacy professionals can get started on the work of ensuring their organizations or clients are prepared to comply with IPP3A.
Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
