From 1 May 2026, an agency (e.g. an individual, company, or other organisation) that collects personal information from a source other than the individual concerned will have a new notification duty under Information Privacy Principle 3A (IPP 3A).
Currently, an agency is only required to notify an individual of the collection of their personal information where the agency collects the information directly from the individual. Indirect collection does not trigger the same requirement. However, IPP 3A will require an agency to notify an individual when the agency obtains their personal information from another agency or organisation, even where the agency has not interacted with the individual directly, unless an exception applies.
Many businesses already collect personal information indirectly, whether through referral systems or outsourcing, for verification purposes, or from partners. These scenarios will soon require clear notification and documented decision making. Businesses should review their processes now to ensure they understand and can comply with this new duty.
Failure to comply with IPP 3A can expose agencies to complaints to the Privacy Commissioner, regulatory investigation, compliance notices, and reputational harm.
WHAT MUST BE NOTIFIED?
Unless an exception applies, when an agency collects an individual’s personal information from someone other than the individual concerned, the agency must take steps to make the individual aware of:
- the fact that their information has been collected;
- why it was collected – this description must be specific enough for the individual to understand how their information will be used. Generic statements are unlikely to meet this requirement;
- who it will be shared with;
- who is collecting and holding it;
- the legal basis for the collection;
- where the information will be stored; and
- the individual’s rights to access and correct their information.
EXCEPTIONS AND RISK AREAS
An agency is not required to notify an individual where:
- the individual has already been made aware of the required matters;
- notifying would prejudice the purpose of collection;
- notifying would not benefit the individual;
- notification is not reasonably practicable;
- there is a serious threat to health or safety; or
- certain archival contexts may be treated differently under other legal frameworks, but these are limited and should not be assumed to apply.
Any exception must be supported with a clear justification. “Not reasonably practicable” is a narrow ground and does not cover administrative inconvenience, lack of preparation, system limitations or resourcing issues. Cost, delay, operational inconvenience or system constraints will not, without more, justify a failure to notify.
WHEN MUST NOTIFICATION OCCUR?
An agency must notify as soon as reasonably practicable after collection unless an exception applies. Where it is realistic to notify before collection, agencies should do so.
Before giving notification, the agency must confirm that the indirect collection is lawful under one of the grounds in IPP 2(2), such as where the individual authorised the indirect collection. Notification does not fix an unlawful collection.
WHEN WILL THIS DUTY COME INTO FORCE?
IPP 3A applies only to personal information an agency collects on or after 1 May 2026.
WHAT ARE THE KEY ISSUES AND RISKS TO BE AWARE OF?
As with other IPPs under the Privacy Act 2020, non-compliance with IPP 3A can lead to legal and reputational consequences. Individuals are increasingly privacy-aware and non-compliance with IPP 3A is likely to result in complaints to, and action by, the Privacy Commissioner.
Key risk areas for an agency subject to IPP 3A include:
- lack of clarity around who is responsible for notification where multiple agencies are involved;
- not knowing when indirect collection occurs (and when notification must be given);
- delaying notification without recording why;
- not being able to prove when notification was given;
- assuming a privacy policy is sufficient;
- using vague or generic purpose statements; and
- assuming notification is impractical without evidence.
CAN AN AGENCY’S DUTY TO NOTIFY BE PASSED TO THE THIRD PARTY?
An agency cannot contract out of its duty to notify an individual of indirect collection under IPP 3A. Even where a supplier offers to notify individuals, the collecting agency remains responsible if notification is incomplete, late or incorrect. If challenged, agencies must be able to demonstrate when and how notification was given, or why an exception applied.
PRACTICAL STEPS TO PREPARE AND MITIGATE RISKS
The key issues and risks outlined above can be addressed with early preparation, which will also reduce disruption once the new requirements take effect.
Before 1 May 2026, agencies should consider:
- mapping out where personal information is received or collected from third parties;
- confirming that each indirect collection is lawful under IPP 2(2) and recording the reason for any exception relied on;
- updating their privacy policies to cover indirect collection;
- reviewing contracts with suppliers and partners to ensure responsibilities are clear;
- establishing a compliant process that successfully notifies affected individuals and keeps sufficient records;
- training staff to recognise instances of the indirect collection of personal information;
- maintaining a register of indirect collection and documenting the reasons for relying on any exception; and
- reviewing guidance from the Office of the Privacy Commissioner and updating processes as needed.
FOR MORE INFORMATION
For more information on IPP 3A and assistance with preparing for its implementation, please contact our Jackson Russell Business Law Team. Guidance is also available from the Office of the Privacy Commissioner.