New Zealand privacy law change
- Katarzyna Celińska

- May 12
New Zealand has introduced an important change to its privacy framework. A new Information Privacy Principle, IPP3A, came into force on 1 May 2026, changing the obligations of agencies when they collect personal information indirectly.
This is a meaningful update because many modern data flows are not based on direct collection from the individual. Personal data is often obtained from partners, platforms, public sources, brokers, vendors, analytics providers, employers, institutions, or other third parties.

If an organization obtains information about a person indirectly, that person should generally be informed. This applies regardless of whether the data came from another person, another agency, or another source, unless a specific exception applies.
You cannot notify people properly if you do not know:
- what personal data you collect,
- where it comes from,
- why you collect it,
- which systems receive it,
- which third parties provide it,
- whether the individual has already been informed,
- and whether any exception actually applies.
One important reason behind this change is New Zealand’s EU adequacy status. The Ministry of Justice notes that collection from sources other than the individual was identified by the European Union as a gap in New Zealand’s privacy system during its adequacy assessment. The amendment is designed to support New Zealand in retaining that adequacy status.
This shows again how privacy is becoming globally interconnected. A local privacy law change can have direct consequences for international data transfers, trade, technology services, outsourcing, and cross-border business operations.
Organizations subject to New Zealand privacy law should review their indirect data collection practices and ask:
- Do we collect personal information from third parties?
- Do we collect data from public sources, partners, vendors, brokers, or platforms?
- Do our privacy notices explain indirect collection clearly?
- Do we have processes to notify individuals where required?
- Do we document exceptions and the reasoning behind them?
- Do our vendor and data-sharing arrangements support compliance?
- Do we understand indirect collection in AI, analytics, profiling, and automated decision-making use cases?
This is especially important in environments where data is reused, enriched, matched, profiled, or aggregated, because transparency obligations can easily be missed when data is not collected directly from the person.
Author: Sebastian Burgemejster


