The Office of the Privacy Commissioner (OPC) has issued draft guidance on how organisations will be required to comply with the new information privacy principle 3A (IPP3A) set out in the Privacy Amendment Bill. The draft guidance is open for public consultation until 25 June 2025 and can be accessed here.
Even though the Bill has not yet become law, the OPC has started consulting on the draft guidance. This is to ensure there is enough time to refine and publish the guidance for agencies to then implement before the new requirements take effect, which Parliament has indicated will be on 1 May 2026.
What are the requirements of IPP 3A?
As outlined in our previous alert, the Privacy Amendment Bill addresses a gap in the Privacy Act 2020, where organisations are not required to notify individuals when collecting personal information indirectly. This means individuals may be unaware that their personal information is being collected and used by an organisation.
To rectify this gap, the Bill introduces a new IPP 3A, which is closely based on the existing IPP 3 requirements that apply to the collection of information directly from an individual. IPP 3A will require any agency collecting personal information from a source other than the individual concerned to take reasonable steps to ensure that the individual is aware of:
- the fact the information has been collected;
- the purpose for which it has been collected;
- the recipients of the information;
- the name and address of the agency collecting and holding the information;
- whether the collection is authorised or required by law; and
- the individual’s rights of access to and correction of the information.
What does the draft guidance say?
The draft guidance provides useful insight into how the OPC will be interpreting and enforcing the new requirements under IPP3A. We have summarised some of the key points below.
Timing of notification
If an agency has not taken the required notification steps before collecting the information indirectly, it must take them as soon as reasonably practical, unless one of the listed exceptions applies. The OPC has indicated that what is reasonably practical will depend on the circumstances of the indirect collection, taking into consideration the available knowledge, cost, and effort involved.
Level of detail in notification
When providing notifications under IPP3A the OPC has indicated in the draft guidance that:
- agencies must inform individuals about the collection of their personal information and specify exactly what kind of information has been or is being collected;
- the purpose for collecting information must be specific so individuals understand its use. Saying "for business purposes" is insufficient; and
- when outlining who the information will be shared with, it is not enough to only provide a type or class of agency (such as a credit reporting agency); agencies must include the name of the company the information will be shared with.
It’s interesting to note that these expectations regarding the detail of notifications may require greater specificity than agencies have become accustomed to relying on to meet current IPP3 requirements.
Exceptions to the notification requirements
The same exceptions that exist under IPP3 still apply, but IPP3A introduces additional exceptions specifically for indirect collections. The draft guidance reiterates that the exceptions apply to the act of notification, not to the act of the indirect collection itself.
1. Individual has already been made aware of the information
Just like IPP3, an agency is not required to take the notification steps if the individual has already been made aware of the information. This may have been done at the time the disclosing agency originally collected the personal information.
If the collecting agency is relying on this exception, the draft guidance outlines that they will need to have a reasonable basis for believing that the disclosing agency has informed the individual. This should be based on evidence rather than an assumption that the individual has already been made aware. The collecting agency will also need to have reasonable grounds for believing that the specific individual was made aware – rather than just relying on evidence that other individuals were made aware.
The draft guidance outlines that one way disclosing and collecting agencies can ensure this is to make the notification requirements part of their contractual arrangement. If the disclosing agency is going to be responsible for the notification requirements, they will need to be specific about who is indirectly collecting the personal information (as noted above), and the collecting agency should still ensure it has reasonable grounds to believe that the disclosing agency is informing individuals as required. The guidance suggests that this could be achieved by the collecting agency receiving and filing a copy of a form signed by an individual, or through regular contract reporting requirements.
For agencies wishing to rely on this exception, we recommend reviewing and updating existing contractual arrangements to ensure they meet the expectations set out in the draft guidance.
2. Non-compliance won’t prejudice the individual
The draft guidance outlines that generally an individual will not be prejudiced by non-compliance if they are unlikely to suffer any detriment or lose important information because of not being notified.
What may be considered detrimental will often depend on the individual concerned, but the OPC notes that this exception should only be used for common, low risk cases given the intention of IPP3A is to promote transparency.
3. Informing the individual is not reasonably practical
The OPC acknowledges that in some cases, notifying the individual of an indirect collection will not be practical. However, the draft guidance notes that inconvenience, cost, or administrative burden does not automatically mean notification is ‘not reasonably practical’. The guidance clarifies that cost may be a factor if notification would be so expensive that the cost would be disproportionate to the benefits.
Generally, the assessment of whether it is not practical will depend on the nature of the personal information that’s being indirectly collected. For example, the draft guidance notes that if the information is sensitive, then the threshold of ‘not reasonably practical’ will be higher. Similarly, if an agency has collected a large amount of personal information about a person indirectly, it is more likely the agency will need to go to greater lengths to notify the individual concerned.
The draft guidance also acknowledges that it may not be practical for an agency to notify the individual if they don’t hold any contact details for them, or if they have reason to believe the contact details are incorrect or out of date. In this situation, the draft guidance helpfully clarifies that the collecting agency wouldn’t be expected to collect contact details for the individual solely for the purpose of notifying them to comply with IPP3A.
Next steps
The OPC is open to receiving submissions on the draft guidance until 25 June 2025. In particular, they are interested in understanding if the guidance is fit for purpose, whether any areas need more clarity, and whether the examples provided are meaningful.
If you would like to discuss the draft guidance in more detail including what it may mean for your organisation from a compliance perspective, please feel free to contact one of our experts.