Parliament has indicated that starting from 1 May 2026, a new rule will change how your organisation handles personal data. Information Privacy Principle (IPP) 3A introduces a mandatory duty to notify individuals when you collect their information indirectly. With the Office of the Privacy Commissioner already developing guidance, the time to prepare is now.
From a gap to a duty
The Old Way: Previously, if your agency collected personal information from a third party (not the individual), there was no express requirement under the Privacy Act 2020 to notify that person. This created a gap.
The New Rule (IPP 3A): On the new rule coming into force, your agency will now be legally required to take reasonable steps to inform individuals that you have collected their personal information indirectly.
Know your obligations
IPP 3A will require you, if you collect personal information from a source other than the individual concerned, to take reasonable steps to notify that individual. This notification must occur at the time of collection or as soon as reasonably practicable afterwards.
Based on the draft guidance and parallels with IPP 3, the notification must ensure the individual is aware of:
- The fact that information has been collected.
- The specific purpose of the collection.
- The source of the information (i.e., who you got it from).
- The intended recipients.
- Your agency’s name and address.
- The individual’s rights to access and request correction of their information.
Action outline
This change will have operational impacts for agencies that routinely collect personal information from third-party sources.
| Your task | What to do |
| Find your data | Identify every source where you get personal information indirectly (e.g., from data brokers, public lists, or partners). |
| Plan notifications | Design a clear process to inform people that you have collected their data as soon as practicable. |
| Update documents and train staff | Revise your privacy policy and internal procedures to reflect the new rule. Ensure your team is trained on these new duties. |
| Review contracts | Check service agreements to clarify who sends the notifications. Remember, you are ultimately responsible, even if a third party holds the data for you. |
You are strongly encouraged to review the draft guidance and consider how the proposed changes will affect your operations ahead of the proposed 1 May 2026 enforcement date.
We at Gaze Burt would be pleased to assist with your transition requirements, and any questions that you may have.
