Building on the foundations of the Privacy Act 2020, the Privacy Amendment Bill, effective from 1 June 2025, introduces significant reforms aimed at strengthening personal data protection, enhancing transparency in data handling, and empowering individuals with greater control over their information.
Prior to the introduction of the Privacy Amendment Bill, organisations were required to notify individuals when collecting personal information directly from them. However, there was no obligation to inform individuals if their data was obtained indirectly from alternate sources.
At the heart of these reforms is the introduction of Information Privacy Principle 3A (IPP 3A). While closely aligned with the existing IPP 3, which governs the direct collection of personal information, IPP 3A addresses a critical gap: the indirect collection of personal information, where data is obtained from sources other than the individual concerned.
Commenting on the significance of this change, Zoe Cheng, General Counsel at Dicker Data, noted: "The Privacy Amendment Bill raises the bar for data transparency in New Zealand. By spotlighting indirect data collection, it sends a clear message: businesses must earn trust through accountability. We're proud to stand behind that."
Zoe's statement underscores the Bill's broader intent: to strengthen public trust by ensuring organisations are not only transparent, but also proactive in how they handle personal data.
Under IPP 3A, agencies, including private companies such as IT firms, SaaS providers, and Managed Service Providers (MSPs), must take reasonable steps to notify individuals when their personal information is collected indirectly. This notification must include:
For MSPs and SaaS providers, IPP 3A introduces a new layer of compliance and operational responsibility. These service providers often collect, store, and process data on behalf of clients, whether through software platforms, cloud services, or hardware solutions. As such, IPP 3A will apply to many aspects of their service delivery.
Key Implications Include:
Although IPP 3A comes into force on 1 May 2026, the lead-up period is critical. The Office of the Privacy Commissioner (OPC) has released draft guidance to help organisations prepare.
Recommended actions for MSPs and SaaS Providers:
At Dicker Data, we, alongside our vendors, are taking proactive steps to ensure our channel is well-prepared for the evolving compliance landscape. We spoke to Zach Dickson, our Microsoft Business Manager, about how Microsoft is supporting partners in navigating these upcoming changes.
“With the Privacy Amendment Bill 2025 introducing stricter obligations around the collection and transparency of personal information, especially when collected indirectly, tools like Microsoft Purview are becoming increasingly essential for SMEs in New Zealand.
These tools, including Microsoft’s eDiscovery and Audit capabilities, help organisations identify, classify, and manage personal data more effectively, ensuring compliance with the law and improving overall data governance.”
IPP 3A marks a pivotal shift in New Zealand’s privacy landscape, aligning local standards with international best practices. For IT service providers, early preparation and proactive engagement are essential to ensure compliance and maintain trust with clients and end-users. By embracing these changes, the industry can reinforce its commitment to responsible data governance and privacy protection.