From 1 May 2026, significant changes to the Privacy Act 2020 (Act) will come into force, altering how agencies (any person, business, or organisation – public or private sector – that collects, holds, uses, or discloses personal information) must handle personal information.
These amendments are designed to increase transparency, strengthen individual rights, and ensure agencies are accountable for all forms of data collection, not just information collected directly from individuals.
Current obligations under IPP3
Under the existing Act, agencies have an obligation under Information Privacy Principle (IPP) 3 to notify individuals when their personal information is collected directly from them. This notification typically explains why the information is being collected, how it will be used, and the individual’s rights under the Act.
New obligations under IPP3A
The Privacy Amendment Act 2025 introduces a new principle, IPP3A, which expands the notification requirement to include the indirect collection of personal information. This means agencies must notify a person when their personal information has been obtained from a source other than the individual themselves.
Notification requirements under IPP3A
Under IPP3A, agencies will be required to take reasonable steps to inform affected individuals of:
- the specific information that has been collected
- the purpose for collecting it
- the intended recipients of the information
- the name and contact address of both the collecting and holding agency
- whether collection is authorised or required by law, and the legal basis for doing so
- the individual’s right to access and correct their personal information.
These obligations do not extend to personal information obtained indirectly prior to 1 May 2026.
Exceptions to IPP3A
IPP3A does not apply in certain circumstances, including where:
- The individual has already been notified of the information now held.
- The information will not be used in an identifiable form.
- The agency reasonably believes that non-compliance would not prejudice the interests of the individual (for example, where the failure to notify would cause no detriment).
- Non-compliance is necessary for the maintenance of the law, the enforcement of a law that imposes a pecuniary penalty, or the conduct of a court or tribunal process.
- Compliance is not reasonably practicable in the circumstances (for example, where the cost of notification is significantly disproportionate to the information).
What should agencies be doing to prepare?
To prepare for IPP3A, agencies need to review their information collection methods and processes to ensure compliance. This may include identifying what personal information is collected indirectly, developing notification step templates relating to indirect information collection, revising contracts with third parties from whom personal information is collected, and updating privacy statements, internal policies, and collection processes.
For further information, or assistance preparing your organisation for these changes, please contact the Employment Law team at Lane Neave.
Author: Megan Reed