Which NZ industries need IPP3A compliance for lookups?

Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.

Is DEIS a legal adviser?

No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

Telcos: privacy compliance for customer credit checks and identity verification

Telecommunications companies run millions of credit and identity checks annually. Here is how to manage the compliance at scale.

telcotelecommunicationscredit checksidentityDEISdeis.nzNew ZealandPrivacy Act 2020

Frequently asked questions

What is the main takeaway from "Telcos: privacy compliance for customer credit checks and identity verification"?: Telecommunications companies run millions of credit and identity checks annually. Here is how to manage the compliance at scale.
Which NZ industries need IPP3A compliance for lookups?: Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.
Is DEIS a legal adviser?: No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.

New Zealand's telecommunications companies — Spark, Vodafone NZ, 2degrees, and others — run credit checks and identity verifications for nearly every new customer sign-up. At this scale, manual compliance tracking is impossible.

The scale challenge

A major NZ telco might process 100,000+ new customer applications per year, each involving at least one credit check and often an identity verification through a third-party source. That is 100,000+ individual IPP3A compliance events that need to be recorded.

Current practice

Most telcos handle IPP3A through their terms and conditions, which include a clause about credit checks. The challenge is proving that each individual customer was made aware of the clause before the check was run — not just that the clause exists in the T&Cs.

Digital consent capture

For online sign-ups, telcos can capture specific, timestamped consent at the point where the credit check is initiated. This is stronger than a general T&Cs clause because it is:

Specific to the credit check (not a general consent)
Timestamped (proving it occurred before the check)
Individually recorded (linking the consent to the specific check)

DEIS at scale

DEIS's API allows telcos to integrate compliance capture directly into their sign-up flow. When the system initiates a credit check, the DEIS API records the consent pathway automatically, creating individual compliance records at scale without manual intervention.