Privacy Week 2026 is an annual reminder that privacy compliance is operational — not a policy PDF in a drawer. For businesses using third-party data, IPP3A remains the most misunderstood principle.
Mistake 1: One consent covers every bureau
A signed application form is not automatic proof that IPP3A was satisfied for a Centrix pull made six months later for a different purpose. Pathways must connect to the specific collection.
Mistake 2: Notification without delivery proof
Sending an email is not the same as the individual receiving it. Bounces, spam folders, and outdated addresses fail the "reasonable steps" test.
Mistake 3: Over-relying on the publicly available exception
Director names on the Companies Register may be public, but bulk aggregation, new purposes, and sensitive combinations still warrant documentation — and sometimes notification.
Mistake 4: No user attribution
When the OPC asks who ran a lookup, "someone in the office" is not an answer. Evidence needs a user, timestamp, and purpose.
Mistake 5: Retention without purpose
Keeping credit reports "just in case" violates retention principles and amplifies harm if there is a breach. Align retention to purpose and delete on schedule.
Fix all five in one system
DEIS records pathway, user, delivery, and purpose at lookup time — and supports retention settings aligned to your policy. Privacy Week is the right week to run your first evidence export and see where gaps remain.