The Office of the Privacy Commissioner (OPC) has published its final guidance on Information Privacy Principle (IPP) 3A, which introduces new notification requirements when agencies collect personal information from indirect sources. 

IPP3A, introduced by the Privacy Amendment Act 2025, requires agencies to take reasonable steps to ensure individuals are informed of certain information when their personal information is collected from a source other than the individual, unless an exception applies. This new requirement comes into force on 1 May 2026.

Earlier this year the OPC published draft guidance on IPP3A and how the new requirements would be interpreted and applied by the OPC. You can read our previous alert on the draft guidance here.

What’s new in the final guidance?

The final guidance provides more detail than the draft released for consultation earlier this year and helpfully clarifies certain points that could have raised operational complexity. Key updates include:

• Intended recipients: Previously, the guidance indicated that an agency must inform individuals of the specific names of each entity who their information may be shared with. This presented a potentially significant compliance burden for some organisations that share information with a large range of third parties. The guidance has now helpfully clarified that if an agency regularly shares information with a particular entity, group or person, they should be named unless it would be impractical to do so, in which case a description of the type, class or category can be used instead. However, the guidance emphasises that information should still be as specific as possible by listing the type of agency, industry, sector, sub-sector, and the location of the agency.

• Format of notification: The guidance also outlines how an agency can meet their notification obligations under IPP3A. An agency can notify individuals of the IPP3A matters using a range of formats, as long as the information is communicated clearly and is easy to understand. In most cases the information will likely be presented through an agency’s privacy policy, similar to how IPP3 notification requirements are generally met - noting that a privacy policy can be provided through a paper notice, an online statement, or a phone script. Agencies may also adopt a layered approach, where a full explanation is given initially and then shorter reminders over time.

• Clarification of exception: The guidance provides clarity on the exception to the notification requirement where the individual has already been made aware of the collection. The guidance is now clear that the exception will apply where:

  • the collecting agency knows (based on evidence) that the agency that originally collected the information directly has already informed the individual about the indirect collection of their information by the collecting agency; or 

  • the collecting agency has already collected information indirectly about the person, and the person has been made aware of the agency’s identity in a recent notice relating to a similar collection, and the purpose for collection has not changed. 
    
    We anticipate this exception will be frequently relied upon, so it is helpful that the guidance provides more detail on when it applies. From a practical compliance perspective, if your agency relies on this exception, it must hold evidence supporting its belief that the source agency has made the individual aware of the IPP3A matters. This may include reviewing a copy of the source agency’s privacy policy and confirming that it specifically identifies the name and address of the agency collecting the information indirectly.
     

• Expanded detail of what constitutes “reasonable steps”: Under IPP3A, agencies must take ‘reasonable steps’ to ensure individuals are aware of the IPP3A matters. The guidance explains that what will be considered “reasonable” in the context of notification depends on the circumstances. Agencies must consider factors such as:

  • The sensitivity of the personal information collected.

  • The potential harm or negative impact to the individual if they are not notified.

  • Any specific needs of the individual (e.g., language or accessibility requirements).

  • Practicality, including time and cost (but the OPC makes it clear that inconvenience or cost alone does not exempt agencies from compliance).
    
    Agencies are encouraged to build notification processes into their systems and document their decision-making.
     

• Clearer timing requirements: Agencies must notify individuals as soon as reasonably practicable after the information has been collected, unless prior notice has been given. The guidance stresses that agencies should be able to justify any delay and recommends documenting the rationale. It also advises integrating notification steps into standard forms, online processes, and workflows to avoid compliance gaps.

• New section on “acting on behalf”: The final guidance introduces a dedicated section on situations where someone acts on behalf of an individual, such as parents, guardians, lawyers, or authorised representatives. It clarifies that:

  • If an agency is collecting personal information about a person from someone appointed to legally act on their behalf under the Protection of Personal and Property Rights Act 1988, the collection of personal information from that person is considered a direct collection and IPP3 applies.

  • If someone acts on behalf of an individual outside of these arrangements, the collection is indirect and IPP3A applies.
    
    In the latter scenario, the guidance notes that agencies should ensure the representative acting on behalf of the individual is made aware of the IPP3A matters so they can communicate them to the individual they are representing. Practical examples include schools collecting health information from parents for school camps and service providers working with authorised representatives.

How should agencies prepare now?

With IPP3A taking effect on 1 May 2026, agencies should now start reviewing and updating their privacy policies, processes, and contractual arrangements to ensure compliance. This includes:

• Undertaking data mapping exercises to identify what personal information is collected indirectly;

• Updating privacy notices and statements to address the IPP3A requirements;

• Reviewing existing contracts with third parties that you collect personal information from; 

• Building updated notification steps into existing systems and workflows;

• Assessing reliance on exceptions and documenting decision-making.

While compliance for some agencies may be relatively straightforward, those agencies who collect a wide range of personal information from various indirect sources may require a more comprehensive analysis of their existing collection practices, detailed assessments of existing policies, and careful evaluations of third party engagement. 

Early preparation will help agencies avoid compliance risks and maintain trust through transparent information handling. If you would like assistance with preparing for IPP3A, please get in touch with one of our privacy experts below. 

This article was co-authored by Thomas Anderson, a Solicitor in our Corporate team.