Which NZ industries need IPP3A compliance for lookups?

Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.

Is DEIS a legal adviser?

No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

Education: privacy compliance when accessing student records from third-party sources

Universities and polytechnics accessing student data from NZQA, StudyLink, or other institutions must comply with IPP3A. Here is how.

educationuniversitiesstudent dataNZQADEISdeis.nzNew ZealandPrivacy Act 2020

Frequently asked questions

What is the main takeaway from "Education: privacy compliance when accessing student records from third-party sources"?: Universities and polytechnics accessing student data from NZQA, StudyLink, or other institutions must comply with IPP3A. Here is how.
Which NZ industries need IPP3A compliance for lookups?: Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.
Is DEIS a legal adviser?: No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

Education providers in New Zealand — universities, polytechnics, wānanga, and private training establishments — collect personal information about students from multiple third-party sources as part of enrolment, scholarship assessment, and academic record management.

Common third-party data sources

NZQA — qualifications, credits, and academic records
StudyLink — student loan and allowance status
Previous institutions — academic transcripts and conduct records
Immigration NZ — visa status for international students
Police — safety checks for students on placement

IPP3A obligations

When an education provider accesses student data from any of these sources, they are collecting personal information from a third party. IPP3A requires them to take reasonable steps to ensure the student is aware of the collection.

Current practice

Most institutions include a broad data collection consent in their enrolment form. However, the 2024 amendment's "proportionate" standard means the consent should be specific about which third-party sources will be accessed.

Recommendations

Update enrolment forms to specifically list the third-party data sources accessed.

Provide a separate notification when accessing sources not covered by the enrolment consent (e.g., police checks for placements).

Record the IPP3A pathway for each third-party data access.

Use DEIS to automate compliance for credit checks and identity verification during enrolment.