From 1 May 2026, your organisation will need to meet new notification requirements when collecting personal information from someone other than the person to whom it relates. Here’s what you need to know about the new information privacy principle 3A and how ComplyWith can help you stay on top of the changes.
New Zealand’s privacy framework is evolving again. The Privacy Amendment Act 2025 introduces new information privacy principle 3A, expanding existing notification obligations under the Privacy Act 2020.
What’s changing?
From 1 May 2026, if your organisation collects personal information about someone from a third-party source, it must inform that person that their information has been collected.
Currently, information privacy principle 3 requires your organisation to inform individuals when their personal information is collected directly. However, there’s no similar requirement if the information was obtained indirectly from someone other than the person to whom it relates. As a result, people are often unaware that their information has been collected.
Information privacy principle 3A is designed to fill this gap and aims to strengthen transparency and awareness about how personal information is collected and used.
What does your organisation need to do?
From 1 May 2026, if your organisation collects personal information indirectly, it must take reasonable steps to make sure that the person whose personal information is being collected is aware of all of the following:
- The fact that their personal information has been collected
- Why it’s been collected
- Who it can be shared with
- Who is collecting it and holding it
- The law that authorised or required the collection (if relevant)
- Their right to access their information and correct it if it’s wrong.
Your organisation doesn't need to take these steps if it knows the individual has already been made aware of all the details listed above, or another exception applies.
Exceptions include where the information is publicly available, where compliance would prejudice security or reveal a trade secret, or where informing the person would cause a serious threat to health and safety.
For more information about the new notification requirements and any exceptions that apply, see the Privacy Commissioner’s Guidance on privacy principle 3A.
How is ComplyWith helping your organisation prepare for the change?
To help you prepare for the upcoming changes, ComplyWith has prepared the new compliance content for information privacy principle 3A early. You will be able to access it in your ComplyWith Obligations Register from 30 March, assuming your ComplyWith site has synced over the weekend. Please note that the sync will not have happened if you have an open survey.
On 27 March 2026, the Privacy Commissioner notified changes to several codes of practice to align them with the new information privacy principle 3A, including those covering health, telecommunications, and biometric information.
ComplyWith will update your compliance content for those codes when the changes take effect on 1 May 2026.
Questions to start preparing for the changes on 1 May
Although information privacy principle 3A doesn’t take effect until 1 May 2026, now is a good time to start preparing by reviewing and updating your information collection practices.
Here are some questions to help get you started:
- Where does your organisation collect personal information from? Do you collect personal information from third parties, such as suppliers, partners, public datasets, or sources other than the people the information is about?
- Are your people aware of the upcoming changes applying to the indirect collection of personal information?
- Do your agreements with other organisations clearly set out who is responsible for notifying people that their information has been collected?