From today, organisations will need to be particularly mindful of how they collect and use personal information obtained from a third-party source, rather than from the individual directly. This key privacy compliance change (introduced under the Privacy Amendment Act 2025) will apply to all personal information collected from third-party sources on or after 1 May 2026.
IPP 3A Requirements
Under this new Information Privacy Principle (IPP), IPP 3A, if an agency collects personal information indirectly, it must take reasonable steps (unless an exception applies) to ensure that the individual concerned is made aware of the following matters:
- the fact that the personal information has been collected;
- the purpose of the collection;
- the intended recipients of the personal information;
- the name and address of the agency that is collecting the personal information and the agency that holds the personal information;
- whether the collection is authorised or required by law, and if so, which particular law; and
- the individual’s right of access to, and correction of, their personal information.
Notification to the individual concerned must occur as soon as reasonably practicable after the information has been collected, unless the individual has already been made aware of these matters by the collecting agency or another agency.
Exceptions
The existing exceptions under IPP 3 continue to apply, but IPP 3A introduces further exceptions specific to indirect collection. These include circumstances where:
- the individual is already aware of the collection;
- the information is publicly available;
- notification would not prejudice the interests of the individual concerned;
- the collection is necessary for law enforcement purposes, the imposition of financial penalties, the protection of public revenue, or the conduct of court or tribunal proceedings;
- providing notice would prejudice the purpose of the collection or is not reasonably practicable in the circumstances;
- notification would pose a serious threat to public health or safety, or to the health or safety of any individual;
- the information will not be used in a form that identifies the individual;
- the information is to be used for research or statistical purposes and will not identify the individual;
- the information is collected for archiving purposes and notification would seriously impair those purposes;
- notification would prejudice national security or international relations; or
- notification would disclose a trade secret or unreasonably prejudice the commercial position of the person who supplied the information or the individual concerned.
Compliance
In practice, agencies are likely to meet their obligations under IPP 3A in a similar manner to IPP 3, including through the use of clear and accessible privacy policies, statements, and notices. Agencies should ensure they have a clear understanding of the personal information they collect directly and indirectly, and tailor their privacy documentation accordingly.
Agencies will also need to consider how they draw attention to this documentation when they collect personal information indirectly, particularly where they may not have a direct line of communication with the individual concerned. If you would like further advice regarding compliance with your privacy obligations, including IPP 3A, please contact our team.