Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
New Zealand's Privacy Amendment Act 2025 has been signed into law and is now officially enacted after receiving Royal Assent on 23 Sept.
The Privacy Amendment Act makes several changes to New Zealand's Privacy Act 2020, some more consequential than others. The key change is the introduction of new Information Privacy Principle 3A that requires organizations to inform individuals when their personal information is collected indirectly, meaning from a source other than the individual themselves.
Extension of withholding grounds
Alongside some more technical amendments and the more significant introduction of IPP3A, the Privacy Amendment Act also extends two of the grounds available for refusing an individual's request for their personal information.
Section 49(1)(c) of the Privacy Act permits an organization to withhold personal information if the requester is under age 16 and providing the information would be contrary to their interests. The Privacy Amendment Act extends this to allow refusal if releasing the information would be contrary to the interests of another person who is under age 16.
Section 49(1)(d) of the Privacy Act allows an organization to withhold personal information if its release would prejudice the safe custody or rehabilitation of a requester who has been convicted of an offense and is, or was, in custody. The Privacy Amendment Act extends this to allow refusal if release would similarly impact another person who is convicted of an offense and is, or was, in custody.
These extensions provide alternative grounds for refusal to existing section 53(b)(i) of the Privacy Act, which permits withholding personal information if its release would involve unwarranted disclosure of another individual's affairs. However, they apply in such specific circumstances that they are unlikely to be of great consequence to most organizations.
Introduction of IPP3A
Until now, the Privacy Act has required organizations to provide privacy notice to individuals only when they are collecting personal information directly from those individuals. IPP3A expands this transparency obligation to apply also to the collection of personal information from third parties, referred to as "indirect collection."
This new obligation will come into force 1 May 2026.
IPP3A applies to the collection of personal information from third parties, such as other organizations or individuals. However, it will not apply to the collection of personal information from a third party that is acting as a service provider to an organization — that is, a data processor — such as a marketing agency that is conducting market research on behalf of an organization. In this case, the organization is deemed to be collecting personal information directly from the individual concerned, albeit via the service provider.
Further, as with many of the IPPs, IPP3A contains several exceptions intended to permit a pragmatic and flexible approach to this obligation. For example, an organization would not be required to provide privacy notice about an indirect collection if:
- The individual concerned has already been made aware of the collection — for example, because they authorized the collection and were made aware at that time, or the disclosing organization has already made the individual aware in its own privacy statement.
- Noncompliance would not prejudice the interests of the individual concerned — such as where the collection is of routine personal information that will not be used in ways likely to impact the individual.
- The information will not be used in an identifiable form, like where it is being collected for research purposes.
- The information is being collected from a publicly available source, such as the internet.
- Telling the individual is not reasonably practicable in the circumstances — for example, where the collecting organization does not hold contact information for the individual concerned.
- Telling the individual would prejudice the purposes of collection, such as where the collecting organization is investigating a suspected fraud case and is collecting information from a witness.
- Telling the individual would cause a serious threat to public health or safety, or to the health and safety of the individual or another individual.
In draft guidance released earlier this year, the Office of the NZ Privacy Commissioner stated that simply adding a generic notification in an organization's online privacy statement about the collection of personal information from third parties would not be sufficient. While this might contribute to compliance, the organization is also required to proactively and specifically notify the individuals concerned as soon as practicable after the collection has occurred. For example, an organization might advise a new lead or prospect in its first communication that it has just collected personal information about them from a third party.
As noted, IPP3A allows for the privacy notice to be provided by the disclosing organization, which is likely to be the most common scenario. For example, a bank might state in its privacy notice to customers that it will disclose personal information to a credit reporter, which will use the information for purposes set out in that credit reporter's privacy notice. This would discharge the credit reporter's obligation to provide notice.
A degree of specificity also appears to be expected. The OPC has suggested generic notifications like, "we may collect health information about you from health care providers with a role in your care," would not be sufficient. Rather, an organization must be specific — instead stating, for example, "we will collect health information about you from XYZ Health." This is likely to create a significant compliance burden for many agencies that legitimately rely on information sharing to deliver services.
What does IPP3A mean for NZ and the rest of the world?
In short, the amendments mean very little for the rest of the world. Most other privacy laws already require an organization to provide privacy notice in relation to the collection of personal information from third parties — Australian Privacy Principle 5 and Article 14 of the EU General Data Protection Regulation, for example. In fact, the introduction of IPP3A was intended primarily to ensure that New Zealand retains its coveted EU adequacy status.
In doing so, however, it brings the notice obligations in NZ's privacy law up to global standards. This means overseas organizations will already be familiar with the indirect notification obligation.
For organizations operating only in NZ, however, the introduction of IPP3A — and this expanded notification obligation — requires attention. Organizations will need to assess their current collections of personal information to identify those that are indirect, and will then need to take steps to ensure these collections comply with IPP3A.
With regard to implementation, it is not clear how closely NZ expectations align with practice in other jurisdictions, such as the EU and Australia. Do organizations in these jurisdictions proactively notify individuals after collecting personal information from third parties, or do they simply provide notice in their general online privacy statements about potential indirect collections? Initial research suggests it is the latter.
For this reason, both the OPC and organizations should look to other jurisdictions that have been managing this obligation for many years, to ensure a practicable and pragmatic approach to implementing IPP3A that meets the spirit of the obligation without tying organizations in knots or leaving consumers bewildered at the sudden influx of privacy notifications.
Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.