A new Information Privacy Principle, IPP3A, came into force on 1 May 2026 as part of New Zealand’s Privacy Act 2020, placing additional obligations on every organisation that collects personal information.
What is Information Privacy Principle 3A?
IPP3A creates a duty requiring notification of indirect collection of personal information. An organisation that collects a customer’s personal information from anyone other than the customer is required to take reasonable steps to tell the customer about that collection as soon as reasonably practicable after it occurs. IPP3A sits alongside the existing duty for notification of direct collection under IPP3. As with the other information privacy principles, IPP3A has been incorporated into the Health Information Privacy Code under Rule 3A.
Healthcare providers routinely collect personal or health information from sources other than the individual concerned. These include referrals, diagnostic results, laboratory data, shared-care records and information received through the ACC or regional and national health systems. As a result, the healthcare sector sits squarely within the core risk profile IPP3A is designed to address.
As soon as reasonably practicable, IPP3A requires the organisation to make the individual aware of:









