Privacy Act 2020 IPP3A: what NZ businesses need to know in 2024
Information Privacy Principle 3A requires agencies to notify individuals when collecting personal information from third parties. Here is what that means in practice.
When the Privacy Act 2020 replaced the Privacy Act 1993, it introduced a new obligation that many businesses still overlook: Information Privacy Principle 3A (IPP3A).
What is IPP3A?
IPP3A says that when an agency collects personal information about an individual from a source other than the individual themselves, the agency must take reasonable steps to ensure the individual is aware of the collection. This applies regardless of the data source — credit bureaus, vehicle registries, company databases, or any other third-party provider.
Who does it affect?
Any NZ business that runs background checks, credit checks, vehicle history lookups, or company searches on individuals. That includes car dealers, finance companies, real estate agents, landlords, recruitment agencies, and insurers.
The four pathways
There are four ways to satisfy IPP3A:
- Verbal consent — the individual has given spoken permission for the lookup.
- Written consent — there is a signed form or digital agreement on file.
- Notification — the individual is proactively told about the collection.
- Exception — one of the statutory exceptions applies (e.g. law enforcement, publicly available information).
The compliance gap
Most businesses know they should get consent. Few have systems that record which pathway was used for each lookup, and fewer still can produce that evidence when the Privacy Commissioner asks. That is the gap DEIS fills.
What to do now
Audit your current lookup processes. For every data source you access, ask: do we record how we satisfied IPP3A for each individual lookup? If the answer is no, you have a compliance gap.