Submissions Open On IPP 3A Draft Guidance

With the Privacy Amendment Bill progressing steadily through Parliament, many agencies will be considering how they will comply with the new Information Privacy Principle (IPP) 3A notification requirements for the indirect collection of personal information.  

Helpfully, the Office of the Privacy Commissioner (OPC) has now issued draft guidance on how to comply with IPP 3A.  The OPC is encouraging agencies to have their say on the draft guidance, and provide feedback on whether the guidance is fit for purpose and how it can be improved.  Although the guidance is not binding, it is likely that the OPC will have regard to it when considering complaints about compliance with IPP 3A.  

Although the Bill has not yet been passed, Parliament has indicated that the new IPP 3A will apply to personal information collected from 1 May 2026, and the OPC has indicated that it is not expecting any further changes to the Bill.

With the release of this draft guidance, we think this is a great time for organisations to start thinking about how they will comply with the upcoming changes, and whether their proposed approach to compliance is consistent with the draft guidance.

Brief background on IPP 3A

As most agencies will be aware by now, IPP 3A will require agencies that collect personal information indirectly to provide the individuals concerned with certain information, including the fact of collection and other matters, similar to IPP 3 (which applies where information is collected directly). 

What does the draft guidance cover?

The draft guidance clarifies, among other things, that:

  • IPP 3A will not apply to service providers that receive personal information from a client as the client's "agent" without processing it for their own purposes, as this still falls within section 11 of the Privacy Act 2020.  In that situation, the client (not the service provider) is responsible for compliance with the Privacy Act, and the service provider is not treated as having "collected" the personal information indirectly
  • IPP 2 still applies, so agencies should still (generally speaking) collect personal information directly from the individual, unless an exception applies
  • Notification must be "as soon as reasonably practicable", which will depend on the circumstances (including costs, available knowledge and effort)
  • The exceptions to IPP 3 also apply to IPP 3A, but there are additional exceptions that specifically apply to indirect collection and are further explained in the guidance with helpful examples.

There are many examples throughout the guidance, so we encourage organisations to read the guidance and consider how IPP 3A will apply to their organisation.  

Alongside the guidance, the OPC has also released a flowchart, to help agencies decide whether they have met their IPP 3A obligations.

Relying on another agency's notification

A key exception to IPP 3A, which many agencies may be planning to rely on, applies where the individual concerned has already been notified of the indirect collection.  The draft guidance seeks to clarify this further.  This exception allows a "collecting agency" (agency collecting personal information) to not comply with IPP 3A if the "disclosing agency" (agency sharing personal information with the collecting agency) has already made the individual aware of the matters in IPP 3A.

  • For collecting agencies wanting to rely on this exception, the OPC suggests using contractual arrangements to ensure that notification occurs.  However, the guidance clarifies that agencies will still need to have reasonable grounds to believe that the individuals have been made aware of the collection, such as through a form signed by the individual, or regular contract reporting requirements
  • For disclosing agencies that are sharing personal information with a collecting agency, it's not enough to use broad statements, such as "we may share your information with a credit reporting agency".  The guidance provides that agencies will need to specify the name, contact details and/or website of the collecting agency receiving personal information.  This will require many organisations to update their existing privacy statements and forms to include this additional information.

What is missing?

The guidance does not elaborate on what "reasonable steps" are required to notify individuals of the matters in IPP 3A.  However, in many cases, we expect that collecting agencies will need to do more than just update their privacy statement.

The guidance confirms that in some cases, an exception may apply (eg, where compliance is not practicable because an agency does not have the individual's contact details).  In our view, additional examples on how an agency might satisfy the "reasonable steps" requirement in IPP 3A in the absence of an exception would be helpful for organisations that either have complex databases of both directly and indirectly collected information, or where making contact with the relevant individuals is possible but not straightforward.

Submission timeframe

Submissions on the draft guidance are open now, until 25 June 2025.  You can make a submission here.

If you and your organisation would like any help reviewing your obligations under IPP 3A or submitting on the draft guidance, please contact one of our privacy team members below.

This article was prepared by Keri Johansson (partner), Amy Ryburn (partner), Allan Yeoman (partner), Catherine Miller (special counsel), Alex Chapman (special counsel), Michael Finucane (senior associate) and Katrina Dickins (solicitor).