Privacy update: Getting ready for IPP 3A

15 November 2024

The Privacy Amendment Bill (the Bill) looks set to proceed following the recent release of a Select Committee report and public consultation earlier this year. The Bill will introduce a new Information Privacy Principle 3A (IPP 3A) which, if enacted, will take effect on 1 June 2025.

What will IPP 3A require?

The proposed new IPP 3A is intended to increase transparency around the indirect collection of personal information.  Organisations will be required to ensure that, when collecting personal information from any source other than the individual concerned, they inform the relevant individual about certain specified matters, such as the collection of the information and its purpose. Limited exceptions will apply.

Background

The Bill was first introduced to Parliament in September 2023 and is outlined in our previous article. The recent Select Committee report made very few changes to the Bill (limited to an additional exception for archiving practices such as libraries and museums).

As before, the Bill includes an anticipated implementation date of 1 June 2025 and will apply in respect of information collected after that date.  Given the short window, businesses should take early steps to ensure they are prepared.  

What action is required?

The new requirements of IPP 3A are similar to the existing obligations for direct collection under IPP 3. Businesses must take reasonable steps to notify individuals if their personal information is collected indirectly. Specifically, individuals must be informed of:

  • The collection of their personal information
  • The purpose of the collection
  • The intended recipients of the personal information
  • The name and contact details of the agency collecting and holding the information
  • Any law under which the collection of the personal information is authorised or required
  • Their rights to access and seek correction of their personal information

These steps must be taken either in advance of collection or as soon as is reasonably practicable after the information has been collected.

In many cases, compliance will likely involve updating existing privacy policies to explicitly address indirect data collection or preparing new policies to be shared specifically with individuals where information is collected indirectly.

Do any exceptions apply?

Importantly, the Bill includes various exceptions, which will affect how businesses prepare for IPP 3A:

  • First, there is a carve-out for situations where an individual has already been notified of the indirect collection. For example, if one agency (A) collects personal information directly from an individual and shares it with another agency (B), B does not need to comply with IPP 3A if A has already informed the individual about this sharing arrangement in advance.

    Our comment: For businesses to take advantage of this exception it will be important to ensure that their agreements with any intermediary agencies from whom they collect personal information (e.g., marketing agencies) contain robust contractual obligations requiring the intermediary to notify individuals of the intended disclosure. In many cases, it will also remain good practice for a business to update its own privacy policies to reflect indirect collection of personal information.

  • Second, there are some specific exceptions which may apply depending on the circumstances. They include, for example, where non-compliance would not cause prejudice to the individual, where information is already publicly available, or where compliance is not reasonably practicable in the circumstances.

    Our comment: The application of these exceptions can in practice be relatively technical, and businesses should assess the exceptions carefully to avoid misinterpretation. Incorrect reliance on these exceptions could result in enforcement action. Businesses should therefore ensure they have a robust and considered basis for assessing that, for example, no “prejudice” would arise from omitting to provide the relevant notification.

Next steps

For any New Zealand businesses handling personal data, particularly those which regularly rely on information gathered via third parties, it will be important to evaluate their current data collection practices.  

Among other things, in anticipation of IPP 3A, we recommend considering:

  • Conducting a privacy audit to identify indirect sources of personal information (e.g., collection of personal information from marketing agencies or other service providers);
  • Updating privacy policies to reflect the new IPP 3A notification requirements, including express disclosure of indirect collection of personal information; and
  • Reviewing contractual obligations with third party data sources to ensure their compliance with IPP 3A.

For many businesses this can be a surprisingly complex exercise in practice and there is relatively limited time ahead of the intended commencement date. Businesses should act now to stay ahead of the curve and ensure they are fully prepared for the evolving privacy landscape.

Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team have been monitoring these developments closely. If you require any assistance with ensuring your business will comply with the new IPP 3A, or if you have any questions about the Bill or how it might impact your business, please get in touch with the contacts listed or your usual Bell Gully adviser.


Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.