Building on the foundations of the Privacy Act 2020, the Privacy Amendment Bill, effective from 1 June 2025, introduces significant reforms aimed at strengthening personal data protection, enhancing transparency in data handling, and empowering individuals with greater control over their information.
Prior to the introduction of the Privacy Amendment Bill, organisations were required to notify individuals when collecting personal information directly from them. However, there was no obligation to inform individuals if their data was obtained indirectly from alternate sources.
Introducing IPP 3A: A New Standard for Indirect Data Collection
At the heart of these reforms is the introduction of Information Privacy Principle 3A (IPP 3A). While closely aligned with the existing IPP 3, which governs the direct collection of personal information, IPP 3A addresses a critical gap: the indirect collection of personal information when data is obtained from sources other than the individual concerned.
Commenting on the significance of this change, Zoe Cheng, General Counsel at Dicker Data, noted: "The Privacy Amendment Bill raises the bar for data transparency in New Zealand. By spotlighting indirect data collection, it sends a clear message: businesses must earn trust through accountability. We're proud to stand behind that."
Zoe's statement underscores the Bill's broader intent: to strengthen public trust by ensuring organisations are not only transparent, but also proactive in how they handle personal data.
Under IPP 3A, agencies, including private companies such as IT firms, SaaS providers, and Managed Service Providers (MSPs), must take reasonable steps to notify individuals when their personal information is collected indirectly. This notification must include:
- The fact that the information has been collected
- The intended recipients of the information
- The name and address of the collecting agency
- The purpose for which the information is being collected
- The individual's rights to access and correct their information
Impact on the New Zealand IT Industry
For MSPs and SaaS providers, IPP 3A introduces a new layer of compliance and operational responsibility. These service providers often collect, store, and process data on behalf of clients, whether through software platforms, cloud services, or hardware solutions. As such, IPP 3A will apply to many aspects of their service delivery.
Key Implications Include:
- Privacy policies and data collection processes must be reviewed and updated to reflect the new notification requirements
- Notification systems may need to be implemented to ensure individuals are informed when their data is collected indirectly
- Service agreements should be reassessed to clarify roles and responsibilities around data collection and compliance
- Data management systems must be capable of tracking the source of personal information and supporting timely notifications
Preparing for Compliance: Next Steps
Although IPP 3A comes into force on 1 May 2026, the lead-up period is critical. The Office of the Privacy Commissioner (OPC) has released draft guidance to help organisations prepare.
Recommended actions for MSPs and SaaS Providers:
- Conduct a comprehensive audit of data flows and collection points to identify where indirect collection occurs
- Collaborate with clients to align on shared compliance responsibilities and ensure consistent notification practices
- Update internal systems and documentation to support transparency and accountability
- Review and revise service agreements to clearly define obligations under IPP 3A
At Dicker Data, we, alongside our vendors, are taking proactive steps to ensure our channel is well-prepared for the evolving compliance landscape. We spoke to Zach Dickson, our Microsoft Business Manager, who shared how Microsoft is supporting partners in navigating these upcoming changes.
“With the Privacy Amendment Bill 2025 introducing stricter obligations around the collection and transparency of personal information, especially when collected indirectly, tools like Microsoft Purview are becoming increasingly essential for SMEs in New Zealand.
These tools, including Microsoft’s eDiscovery and Audit capabilities, help organisations identify, classify, and manage personal data more effectively, ensuring compliance with the law and improving overall data governance.”
IPP 3A marks a pivotal shift in New Zealand’s privacy landscape, aligning local standards with international best practices. For IT service providers, early preparation and proactive engagement are essential to ensure compliance and maintain trust with clients and end-users. By embracing these changes, the industry can reinforce its commitment to responsible data governance and privacy protection.