10 June 2025

Indirect Data Collection – What do you need to know about the Privacy Amendment Bill?

Information privacy principles (or “IPPs”) under the Privacy Act 2020 apply to any public or private agency collecting personal information in New Zealand, including companies and individuals. These principles currently include that information must be collected for a lawful purpose, and protected by reasonable security safeguards. However a new principle, referred to as IPP3A, will create an additional obligation on companies collecting information indirectly i.e. from sources other than the individual concerned.

Direct vs Indirect Collection

Current principles IPP2 and IPP3 require that information must be collected directly from the individual concerned, except in certain specific scenarios. As part of this direct collection, the agency must take steps to ensure that the individual is aware that their information is being collected, its purpose, and its intended recipients.

One of the exceptions to direct collection is where the individual has authorised the collection of the information from another source, for example through external agencies providing credit or background checks, or third-party data brokers selling customer data.  Currently, the Act does not require the individual to be notified of that indirect collection.

New IPP3A

IPP3A is set to come into force in May 2026, introducing a new requirement on agencies to ensure that individuals are aware of the fact that information has been collected, even where that collection happens indirectly.

Under IPP3A the agency must take steps that are reasonable “in the circumstances” to ensure that even when it collects information about an individual indirectly, the individual is aware of:

• The fact that information has been collected;
• The purpose for which information was collected;
• The intended recipients of that information;
• The details of the agencies that collected the information, and that hold the information;
• Any particular law authorising the collection of the information; and
• The individual’s rights of access and correction of the information.

These steps must be taken ideally before the information is collected, or as soon as practicable afterwards.

Exceptions

There are some specific exceptions to this requirement, including where:

• Compliance is not reasonably practicable in the circumstances;
• Non-compliance would not prejudice the individual’s interests;
• Compliance with the requirements would prejudice the purposes of the collection; or
• Informing the individual concerned would cause a serious threat to public health or safety, or to the health or safety of another individual.

How to prepare

It is critical that you are aware of all information collections undertaken by your business whether directly or indirectly, from sales and marketing through to IT and human resources, and have considered your obligations from a privacy perspective. The Privacy Commission publishes a template collections register, in which you can record the information collections that your business undertakes, and work through the applicable requirements for each. The Commission also publishes a handy flowchart to take you through information collection step-by-step and identify your obligations.

The new information privacy principle comes into effect on 1 May 2026, so you have time to consider what systems you need to introduce or improve to ensure compliance. The Commission intends to publish additional guidance on the new principle and how organisations can best prepare, so watch this space. In the meantime, please talk to your lawyer about whether these changes will impact your business.

Jessica is a Senior Associate in our Commercial Team and can be contacted on 07 958 7436.