Following on from consultation earlier this year, on Tuesday the Office of the Privacy Commissioner issued final guidance regarding the new privacy principle 3A in the Privacy Act. The finalised guidance will be of particular interest to organisations that are considering how to implement privacy principle 3A ahead of 1 May 2026 (when IPP3A comes into force).
We are still digesting the finalised guidance, but it appears that a number of helpful changes have been made. In particular:
- The level of detail required regarding the intended recipients of the information has been clarified. The guidance now states that if you know who you will be sharing information with, you should tell the individual who you are sending it to. If you routinely share information with an agency, group or person, they should be named "unless it would be impractical to do so". Where it is impractical to name the specific agency, group or person, agencies may decide to describe the type, class or categories of agencies instead. That description needs to be as specific as possible by indicating the type of agency (eg the activity it undertakes), its industry (and sub-sector) and the location of the agency. We think it is helpful that agencies now appear to have some flexibility in terms of the detail required in relation to the intended recipients of information. Agencies will, however, need to consider what is practical for them in their circumstances (and document the position reached).
- The guidance includes more detail about what it means to take "reasonable steps" to ensure an individual is aware of the matters in privacy principle 3A. The guidance clarifies that what is "reasonable" will involve considering the sensitivity of the information collected, the risk posed to individuals, and practicality (including time and cost). That said, an agency is not exempt from providing notice on the grounds of incurring "some cost" to do so. More detail is also provided for where disclosure might not be "reasonably practicable in the circumstances".
- Practical detail has been included about notification formats and steps, eg the use of layered notices and examples of how to address scenarios where there is a large volume of data collected but no relationship with the underlying customers.
If you have any queries, please get in touch with one of our team.