The Privacy Amendment Act 2025 (Act) has now received royal assent. The Act introduces a new Information Privacy Principle (IPP) 3A which expands the notification obligations for organisations handling personal information from third party sources (rather than directly from individuals themselves). IPP 3A comes into force on 1 May 2026.
You can read more about the origins of the Act here.
IPP 3A
The key change in the Act (among other technical changes to the Privacy Act 2020) is the extension of the current notification requirements to cover situations where organisations are collecting individuals' personal information from a third party source.
IPP 3A requires that, as soon as reasonably practicable after personal information has been collected from a third party source, the organisation collecting the personal information must take reasonable steps to make sure that the relevant individual is aware of, among other things:
- the fact of collection;
- the purpose of collection;
- the intended recipients;
- the name and address of the organisation that has collected the information and the organisation that is holding the information;
- if the collection is authorised or required by or under the law, the particular law authorising or requiring the collection; and
- the individual's right of access to, and correction of, the information.
Exceptions
The primary exception to IPP 3A applies where the individual concerned has previously been made aware of the third party collection and all the other details listed in the bullet points above. There are also several other exceptions including:
- if an organisation reasonably believes that the information is publicly available, that non-compliance will not prejudice the interests of the individual concerned, that compliance will prejudice the purposes of collection, or that compliance is not reasonably practicable in the circumstances;
- if an organisation reasonably believes that non-compliance is necessary for law enforcement, or that compliance would cause a serious threat to public health and safety or the health and safety of another individual;
- if non-compliance is necessary in the interests of national security or international relations;
- if the information is of public value and should be archived for public reference, study or exhibition, and compliance with IPP 3A would seriously impair achieving that objective;
- if compliance would disclose a trade secret or be likely to unreasonably prejudice the commercial position of the organisation supplying the information or the individual concerned; or
- if the information will be used in an anonymised manner for statistical or research purposes only.
What organisations need to do:
Organisations will have until 1 May 2026 to become compliant with IPP 3A. To prepare, we recommend the following steps:
- Update your privacy policy: Privacy policies should be reviewed and updated as necessary to ensure they are broad enough to cover the indirect collection of personal information. Policies should clearly outline how personal information obtained from third parties is handled in accordance with IPP 3A.
- Review your contracts: For personal information received from third parties, review and update all relevant agreements with such third party suppliers and partners to reflect the new IPP 3A obligations.
- Alert your staff: Make staff aware of the new IPP 3A obligations, and update training and internal policies as required. This is particularly important for staff in roles involving data collection and compliance.
- Know your data sources: Identify where the personal information handled by your organisation comes from. Where personal information is collected indirectly, implement processes to notify affected individuals promptly.
If you would like any advice regarding your organisation's compliance with the new requirements of the Act including IPP 3A, please do not hesitate to contact us.