Businesses Individuals

Pricing News Contact Login

Businesses Individuals

Compliance4 May 2026·DEIS Compliance

The 2026 NZ privacy compliance checklist for third-party data users

An updated checklist covering all your obligations when accessing personal information from third-party data sources in 2026.

checklist2026best practice

With the Privacy Amendment Act 2024 now fully in force and the 2026 review underway, here is an updated compliance checklist for every NZ business that accesses personal information from third-party sources.

Before you access data

You have a lawful purpose for the collection (IPP1)The collection is directly connected to that purpose (IPP1)You have identified which data sources you will accessYou have determined the IPP3A pathway for each source (consent, notification, or exception)If relying on consent, the consent is specific, informed, and currentIf relying on notification, you have a mechanism to deliver and evidence the notificationIf relying on an exception, you have documented the specific exception and your reasoning

At the time of collection

The IPP3A pathway is recorded before or at the time of the lookupThe evidence includes: timestamp, data source, individual, pathway, and userIf notification is the pathway, it is sent before or at the time of the lookupNotification evidence includes delivery confirmation (not just sent confirmation)

After collection

Results are only used for the stated purpose (IPP10)Results are stored securely (IPP5)Results are retained only as long as necessary (IPP9)The individual can access their data through the transparency portal or on request (IPP6)Correction requests are handled within 20 working days (IPP7)

Ongoing

Evidence trail is maintained for 7 yearsTeam members are trained on IPP3A pathwaysCompliance processes are reviewed annuallyBreach notification procedures are in place (Part 6)

The easy way

Use DEIS. Steps 1–8 are handled automatically for every lookup. Steps 9–15 are supported by DEIS's evidence log, retention settings, and transparency portal.

MFA now available: add an extra layer of security to your DEIS account

Preview: the new DEIS analytics dashboard

Related articles

Received a compliance notice from the Privacy Commissioner? Here is what to do

Cross-border data transfers: NZ privacy obligations when data leaves the country

Government agencies: IPP3A obligations for inter-agency data sharing

DEIS

NZ data compliance platform

Forman Pacific, LLC (“Deis”)

Suite 305, 131 Continental Drive

Newark, DE 19713, United States

formanpacific.com

Product

Pricing Business portal Transparency portal News & support

Data sources

CarjamPPSRCompanies OfficeNZBNCredit bureausLandonline

Legal & support

Terms of service Privacy policy Contact us Privacy Act 2020

© 2026 Forman Pacific, LLC. All rights reserved.

Built in New Zealand·AI-powered by Anthropic