NZ Privacy Act IPP3A May 2026: IT Teams Compliance Checklist

NZ Privacy Act IPP3A (May 2026): What IT Teams Need to Do Before the Deadline

The clock is ticking. On 1 May 2026, the Privacy Amendment Act 2025 brings a new obligation into force that every IT team in New Zealand needs to act on — Information Privacy Principle 3A (IPP3A). This is not a minor update buried in a legal footnote. It fundamentally changes how organisations must handle personal information they collect about people indirectly, through third parties.

The legal explainers are already out there. What’s missing is practical guidance for IT teams who need to know which systems to audit, what to change in their contracts, and how to update their privacy notices before the deadline arrives. This article fills that gap.

*This article provides general IT implementation guidance only. For legal advice on your specific obligations, consult a qualified privacy lawyer or the Office of the Privacy Commissioner (OPC).*

What Is IPP3A and When Does the Obligation Apply?

IPP3A comes into force in New Zealand on 1 May 2026, following Royal Assent of the Privacy Amendment Act 2025 on 23 September 2025. Parliament extended the commencement date from the original draft to give organisations time to prepare — that window is now almost closed.

IPP3A adds a new obligation alongside the existing Information Privacy Principle 3 (IPP3), which already requires agencies to notify individuals when collecting personal information directly from them. IPP3A extends that transparency obligation to *indirect* collection: any situation where your organisation obtains personal information about someone from a source other than the individual themselves.

The obligation rests with the “indirect collector” — your organisation — not the source providing the data. It applies only to personal information collected on or after 1 May 2026, so retroactive notification of existing records is not required.

Why now? The short answer is EU adequacy. New Zealand’s valued EU adequacy status — which allows cross-border data transfers without extra safeguards — depends on the NZ framework staying aligned with the GDPR (Article 14 of which already mandates indirect collection notices) and Australia’s Privacy Principle 5. IPP3A brings Aotearoa into line with established global practice.

The breach data reinforces why this matters: the Office of the Privacy Commissioner received 864 breach notifications in 2023/24, with 414 classified as serious — a 43% year-on-year increase. Private-sector notifiable breaches jumped 133% over the same period. IPP3A is an opportunity to build the data visibility that reduces breach exposure.

What “Indirect Collection” Actually Means for IT Teams

This is where many legal summaries leave you hanging. Let’s be precise, because getting it wrong is costly — either in unnecessary compliance effort or, worse, a missed obligation.

Indirect collection is when your organisation receives personal information about an individual from someone other than that individual. Classic examples:

  • A recruiter sends you a candidate’s CV, references, and background check results
  • A marketing database provider enriches your CRM with lead contact details
  • A partner organisation shares customer data under a referral arrangement
  • A benefits administrator provides employee salary packaging data to your HR system
  • A credit bureau sends a customer’s credit report to your lending platform

When any of these flows happen on or after 1 May 2026, you must notify the individual — as soon as reasonably practicable after collection — of: what information was collected, why, who will receive it, which agencies are holding it, any legal authorisation, and the individual’s rights to access and correct the information. Notification must be *specific*, not generic. “We may collect from third parties” is insufficient. “We have collected your employment history from XYZ Recruitment” meets the standard.

The processor/controller distinction matters here. If a vendor or SaaS provider processes personal information *on your instructions* — acting as your data processor under a contract you control — that is still treated as direct collection. IPP3A is not triggered simply because a third party handles the data on your behalf. The obligation bites when a *separate organisation* provides you with data they gathered for their own purposes. If you’re sending your own customer records to a cloud data warehouse you operate, that’s direct. If a data broker sends you a list of prospects, that’s indirect.

Key exceptions where notification may not be required: the individual was already made aware; the information will not be used in identifiable form; notification is not reasonably practicable given disproportionate cost; the collection is for law enforcement purposes; or non-compliance would not prejudice the individual. Document your rationale carefully when relying on any exception — the OPC will expect to see it.

The IT Implementation Checklist: 5 Things to Audit Before 1 May 2026

This is the section law firm articles don’t give you. Here are the five concrete actions IT teams need to complete before the deadline.

1. Data Mapping — Know Every Indirect Flow

You cannot comply with what you cannot see. For each key system — CRM, HR platform, marketing automation, ERP, customer support — document: where each data field originates; whether it was collected directly from the individual or received from a third party; and what notification, if any, was provided at collection.

Look specifically for: purchased lead lists, partner referral data, pre-employment screening results, enrichment services appending data to contact records, and insurance or health data from intermediaries. These are the high-risk indirect flows IPP3A targets.

2. CRM and Marketing Pipeline Audit

Your marketing and sales teams are likely running the most complex indirect collection flows. Review how contact records enter your CRM — imported lists, lead enrichment integrations, event sponsor lead-sharing, and third-party form data.

For each indirect source, ask: Is there an existing notification mechanism? Does your privacy policy disclose this source specifically? Is notification being captured before or shortly after the data enters your system?

Tag CRM records by collection method (direct vs. indirect) and log when IPP3A-compliant notification was sent. This audit trail matters if compliance is ever questioned.

3. HR and Payroll System Review

HR systems are a significant source of indirect collection obligations. Reference checks, background screening results, occupational health assessments, and salary benchmarking data all arrive from third parties.

Update your employee privacy notice to name the third parties you share data with and the purpose. Include this in onboarding documentation and employment agreements. Confirm your payroll provider’s privacy obligations are documented and your data processing agreement is current.

4. Vendor Contract Reviews

IPP3A places the notification obligation on the indirect collector — your organisation. Review contracts with:

  • Data brokers and lead list providers
  • Recruitment and background screening agencies
  • Benefits and insurance administrators
  • Marketing and research agencies who share data with you

Where the other party is providing data about individuals who haven’t directly engaged with you, add a clause confirming their collection was lawful and that they obtained necessary consents for onward sharing. Ask vendors to confirm their privacy notices disclose your organisation as a potential recipient.

5. Privacy Notice Updates and Exception Logging

Update your public-facing privacy policy and any collection-point notices before 1 May 2026. The OPC expects specific disclosures, not catch-all language. For each indirect collection category, name the source type and the purpose.

Where you rely on exceptions to avoid notification, document the exception, the rationale, and when that assessment was made. Keep a register. If you rely on “not reasonably practicable” for high-volume indirect collection (such as public records ingestion), record the cost-benefit analysis.
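The CRM tagging in step 2 (collection method plus a logged notification date) and the exception register in step 5 can be checked together with a small audit pass. The following is an added example, not code from the article or from any CRM product; the record layout, the register keys and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# IPP3A applies only to personal information collected on or after this date.
IPP3A_START = date(2026, 5, 1)

@dataclass
class Record:
    record_id: str
    collection_method: str        # "direct" or "indirect"
    source: str                   # named source, e.g. "XYZ Recruitment" (constructed)
    collected_on: date
    notified_on: Optional[date] = None   # when the IPP3A notice was sent, if at all
    exception: Optional[str] = None      # key into EXCEPTION_REGISTER, if relied on

# Exception register: which exception was relied on, the rationale, and when the
# assessment was made. The single entry here is a constructed sample.
EXCEPTION_REGISTER = {
    "ref-checks-already-aware": {
        "exception": "individual already made aware",
        "rationale": "Candidates consent to referee contact on the application form",
        "assessed_on": date(2026, 4, 20),
    },
}

def needs_notification(rec: Record) -> bool:
    """IPP3A is triggered by indirect collection on or after 1 May 2026."""
    return rec.collection_method == "indirect" and rec.collected_on >= IPP3A_START

def audit(records: list[Record]) -> dict[str, list[str]]:
    """Sort records into compliant, missing notification, or relying on an unregistered exception."""
    result = {"ok": [], "missing_notification": [], "undocumented_exception": []}
    for rec in records:
        if not needs_notification(rec) or rec.notified_on is not None:
            result["ok"].append(rec.record_id)
        elif rec.exception is None:
            result["missing_notification"].append(rec.record_id)
        elif rec.exception in EXCEPTION_REGISTER:
            result["ok"].append(rec.record_id)
        else:
            result["undocumented_exception"].append(rec.record_id)
    return result

# Constructed sample records, one per case the audit distinguishes.
SAMPLE_RECORDS = [
    Record("c-1001", "direct", "web signup form", date(2026, 5, 3)),
    Record("c-1002", "indirect", "LeadCo Enrichment", date(2026, 4, 28)),
    Record("c-1003", "indirect", "LeadCo Enrichment", date(2026, 5, 2), notified_on=date(2026, 5, 4)),
    Record("c-1004", "indirect", "LeadCo Enrichment", date(2026, 5, 2)),
    Record("h-2001", "indirect", "XYZ Recruitment", date(2026, 5, 5), exception="ref-checks-already-aware"),
    Record("h-2002", "indirect", "XYZ Recruitment", date(2026, 5, 5), exception="too-costly"),
]
```

Records in `missing_notification` need a specific notice sent; records in `undocumented_exception` are relying on an exception that has no register entry, which is the rationale the OPC will ask to see.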

How NZ Data Sovereignty Simplifies IPP3A Compliance

Let’s be direct about what NZ data sovereignty does — and doesn’t — do for IPP3A.

It does not remove the notification obligation. IPP3A is a transparency rule, not a data residency rule. Storing data in New Zealand does not mean you can skip notifying individuals about indirect collection.

What NZ data residency *does* do is dramatically simplify the audit, reduce your vendor surface area, and make your data flows easier to document and govern. Here’s how:

When your data stays within New Zealand — in infrastructure subject to NZ law — you have fewer cross-border transfer scenarios to map, fewer international data sharing agreements to review, and a shorter vendor due diligence list. The data mapping exercise IPP3A requires is substantially less complex when you’re not chasing data across AWS regions, Azure availability zones, and SaaS sub-processors in multiple jurisdictions.

ASI Solutions operates infrastructure wholly within New Zealand, which means the data flows your team needs to document stay within a single legal jurisdiction. InfiniStor — ASI’s S3-compatible object storage with guaranteed NZ data residency — gives you a compliant data tier that simplifies the vendor review process: no sub-processor cross-border agreements to review, no EU/US data transfer concerns, and a clear chain of custody for any personal data stored in object storage.

For backup and recovery, ASI’s Backup as a Service uses NZ-resident Veeam backup targets, meaning your backup chain stays within NZ jurisdiction. This matters when you’re mapping data flows for IPP3A: a backup that replicates to a US-based cloud adds a cross-border transfer layer to your compliance map that your team then needs to document and potentially notify individuals about.

Similarly, ASI Secure Chat — ASI’s enterprise AI platform hosted in New Zealand — means AI-assisted data processing doesn’t introduce an offshore sub-processor into your privacy map. For organisations using AI tools to handle customer or employee data, this removes a category of indirect data flow risk entirely.

NZ data sovereignty is not IPP3A compliance on its own. It is the foundation that makes compliance faster, cheaper, and easier to maintain over time.

How to Get Started: Practical Next Steps

With less than a week until 1 May 2026, prioritise ruthlessly. If you haven’t started:

  1. This week: Run a rapid data mapping session covering your top five data-intensive systems (CRM, HR, marketing automation, customer support, ERP). Identify every third-party data source feeding into each.
  2. This week: Update your public privacy policy with specific indirect collection disclosures. Push this live before 1 May.
  3. This week: Notify individuals in any high-volume indirect collection categories where notification is practicable — bulk email to your database works if it’s specific and timely.
  4. After 1 May: Any new indirect collection from that date requires notification as soon as reasonably practicable. Build this into your data intake workflows.
  5. Ongoing: Review vendor contracts as they come up for renewal. Build IPP3A-compliant disclosure clauses into your standard data-sharing agreements.

If your team needs support designing a compliant data infrastructure or reviewing your cloud vendor landscape for cross-border data flow risks, ASI Solutions can help. With 40 years of experience supporting NZ organisations across education, government, and enterprise, ASI’s certified engineers understand both the technical and compliance dimensions of data governance. Book a meeting to talk through your specific situation.

FAQ

When does IPP3A come into force?

IPP3A comes into force on 1 May 2026. It was introduced by the Privacy Amendment Act 2025, which received Royal Assent on 23 September 2025. Parliament extended the commencement date from earlier drafts to give organisations sufficient preparation time. The obligation applies to personal information collected indirectly on or after that date — not to existing data already held.

What is indirect collection under the Privacy Act?

Indirect collection occurs when your organisation receives personal information about an individual from a source *other than the individual themselves*. Examples include receiving a CV from a recruiter, importing a contact list from a marketing data provider, or receiving a credit report from a bureau. It is distinct from data processing: if a vendor handles your data on your instructions, that is still treated as direct collection by your organisation.

Who does IPP3A apply to?

IPP3A applies to all agencies in New Zealand that collect personal information indirectly — regardless of size or sector. “Agency” under the Privacy Act 2020 covers most private-sector businesses, non-profits, and public-sector bodies. Most organisations with data-intensive operations will be in scope; only certain individuals acting in a personal capacity are generally exempt.

What do I need to notify individuals about under IPP3A?

Notification must be specific. You must tell the individual: that their information was collected; what was collected; the purpose; who will receive it; the collecting and holding agencies; any legal authority; and the right to access and correct the information. This must happen as soon as reasonably practicable after collection. Vague statements like “we may collect from third parties” do not meet the standard.

Does IPP3A apply to data collected from a service provider?

This depends on the relationship. If a service provider (such as a cloud vendor or SaaS platform) processes personal information *on your behalf* under a contract you control, they are acting as your data processor — the collection is treated as direct by your organisation, and IPP3A is not triggered. However, if a separate organisation provides you with data they gathered for their own purposes — such as a data broker, recruitment agency, or partner sharing their own customer data — that is indirect collection and IPP3A applies.
