If you collect customer information from other sources – like a partner, a database, or even Google – there’s a change in the Privacy Act you need to be across. It’s called IPP 3A, and it kicked in on 1 May 2026.
What’s the change?
Previously, if you got someone’s details from someone else (rather than straight from them), you didn’t have to tell them. Now you do.
IPP 3A says that when you collect personal information indirectly – meaning from a third party rather than directly from the person – you need to notify them about it. Unless an exception applies, you must tell them:
- That you’ve collected their information
- Why you collected it
- Who you’re planning to share it with
- Your business name and address
- How they can access or correct their information
How do I know if this applies to my business?
Ask yourself: Are we getting personal information about someone from a source that isn’t them?
If the answer is yes, IPP 3A probably applies to you.
Examples of when IPP 3A applies
1. You buy a marketing list
You purchase a database of potential leads from another company. IPP 3A means you need to tell those people you’ve got their details, where you got them from, and what you’re planning to do with them.
2. A customer refers a friend
Your existing customer gives you their mate’s contact details for a quote. Before you add that person to your system and contact them, you need to let them know where you got their details and why.
3. You use a third-party provider
You’re using software (like a CRM or invoicing tool) that holds customer data on your behalf. If that software pulls in information from other sources, you still need to notify the individuals.
4. Insurance claims
Someone makes a claim, and you contact their mechanic or another third party for details. You need to tell the claimant that you collected information about them from somewhere else.
5. Recruitment through agencies
You ask a recruitment agency for candidate details. The candidates need to know you’ve got their info from the agency, not directly from them.
When don’t I have to tell them?
There are exceptions. You might not need to notify if:
- The person already knows (for example, they were told by the first company you got their details from)
- The information is already publicly available (like on a public register)
- You can reasonably show they wouldn’t be disadvantaged by not knowing
- It’s not actually possible to contact them
- It’s required by law (like for a police investigation)
But here’s the thing – these exceptions have limits. Don’t assume you can skip notification just because it’s easier.
What do I need to do?
- Audit where your data comes from. Map out everywhere you collect personal information from sources other than the individual.
- Update your privacy policy. Make sure it covers indirect collection, not just direct collection.
- Think about how you’ll notify people. Email, letter, website notice – it needs to be clear and accessible.
- Keep records. If you rely on an exception, document why.
Take a look at our updated Privacy Policy here – feel free to copy it or use it as inspiration: https://www.lucidity.co.nz/privacy-policy/
The bottom line
If you’re collecting anyone’s personal information from another source, you now need to tell them. It’s about being upfront and building trust. The penalties for getting this wrong can be significant, but more importantly, it’s just good business practice.
Not sure if you’re covered? It’s worth a chat with your IT support or getting some privacy advice tailored to your setup.
For more information see the Privacy Commissioner website: https://www.privacy.org.nz/privacy-principles/3a/
