What are the IPP 3A requirements and the challenges?

IPP 3A will require an agency that collects personal information indirectly to take reasonable steps to notify the individual concerned of certain matters at the time their information is collected, or as soon as practicable after the information has been collected, unless a specified exception applies. 

The notification requirements for indirect collection closely mirror the existing notification requirements for direct collection of an individual’s information under IPP 3. As currently drafted, IPP 3A requires that individuals be made aware of:

• the fact that their information has been collected;
• the purpose of collection;
• who will receive the information;
• the identity and contact details of the collecting agency;
• whether the collection is authorised or required by law (and which law); and
• their rights to access and correct the information.

One of the key challenges in complying with IPP 3A is that an agency collecting personal information indirectly will not necessarily have direct contact with the individuals concerned. There may also be cases where the personal information has passed through several different entities. 

Recognising that compliance with IPP 3A may present practical challenges for agencies, the OPC has proactively released the draft Guidance to assist organisations in developing and implementing their compliance strategies.

What does the Guidance say?

The Guidance outlines each of the notification requirements under IPP 3A and provides practical guidance and examples for each requirement. For instance:

• When notifying someone of the fact that their personal information has been collected, the Guidance suggests an agency should specify in plain language exactly what kind of information it is collecting or has already collected. For example, “we have collected your enrolment information from x organisation.”
• When notifying the purposes of collection, the Guidance recommends that agencies include specific detail so that the individual can understand what their information is being used for. Interestingly, the Guidance suggests that it is not enough to use general terms such as “for business purposes.”
• When notifying the intended recipients of the information, the Guidance provides that agencies should inform individuals of the specific identities of the parties to whom the information will be shared. Again, the Guidance states that it is not enough to just refer to the type or class of third parties.

The Guidance also clarifies that, where an agency has not taken steps to notify the individual before collecting their information, the agency will need to tell them “as soon as reasonably practicable” after the information is collected. What is “reasonably practical” will depend on the circumstances, taking into consideration the available knowledge, cost and effort involved. The Guidance provides, by way of example: if an agency needs to hire additional staff to meet the notification requirements within two weeks, but could notify within four weeks without hiring additional staff, then four weeks would be considered “reasonably practicable” in the circumstances.

Are there any exceptions?

There are exceptions to the IPP 3A notification requirements - for example, where:

• the individual has already been made aware of the fact their information is collected elsewhere;
• notification is not reasonably practicable in the circumstances; or 
• the collected information is not to be used in an identifiable form.

The Guidance provides commentary on how the IPP 3A exceptions may be applied in practice. The Guidance makes it clear that agencies will be expected to document and justify the basis for relying on an exception, to consider whether a partial or delayed notification is possible, and regularly review the appropriateness of relying on the relevant exception.

Even when an exception is available, the OPC encourages agencies to ask: “Would the individual reasonably expect to be notified?” If the answer is yes, the OPC’s view is that proactive notification will be best practice from both a transparency and trust perspective.

Our thoughts

As the OPC has proactively released the Guidance to help agencies prepare, and has invited public submissions before the Guidance is finalised, suggests that the OPC recognises that there will be practical matters for agencies to work through in complying with the new requirements. 

We have the chance to learn from overseas experiences. Under both the EU GDPR and the Privacy Act 1988 (Cth) in Australia, organisations have struggled to balance the legislative transparency requirements with their operational realities, particularly in the context of large-scale data collections where contacting individuals is impractical or requires disproportionate effort. These overseas experiences highlight the risk of compliance burdens that may arise if the OPC does not apply IPP 3A with some flexibility.

The OPC’s early release of the draft Guidance is welcomed. We anticipate that there will be aspects of the Guidance that organisations will provide feedback on, and that the OPC may refine through the public consultation process. For example, the Guidance anticipates the notifications will specify the exact source of the information or the exact parties to whom information will be disclosed. This level of specificity is not something organisations typically include in their privacy notifications and represents a significant shift from current accepted practices. It would also seem to necessitate updating the notifications every time there is a change in a source or party, or whenever new sources or parties are introduced (even if the underlying purposes and scope of collection have not materially changed).

Next steps

Submissions on the draft are open until 25 June 2025. The OPC is particularly interested in receiving feedback on whether the guidance is practical, clear, and whether its examples are useful. 

Although the Bill has not yet passed into law, the expectation is that it will pass and take effect from 1 May 2026. What an agency will need to do to ensure compliance with IPP 3A is likely to depend on its sources of personal information, what engagement it has with the individuals that the information relates to, and the arrangements that it has in place with the third-party sources of information. Given the wide variances there can be in these matters, we recommend that agencies start to take stock of their current privacy practices and what they might need to do to ensure they are ready to comply with IPP 3A and other privacy obligations. 

Alongside reviewing the Guidance and providing feedback to the OPC, agencies should consider taking the following preparatory steps:

• reviewing how the agency currently collects personal information, particularly from third parties and other indirect sources;
• mapping out indirect collection scenarios across its operations;
• identifying where notifications may be required and assessing whether current notification practices are sufficient; 
• identifying where exceptions may apply; and
• preparing updates to privacy statements, forms, and contractual arrangements.

Get in touch

Please contact our team if you would like assistance in reviewing your IPP 3A compliance strategy or preparing a submission on the draft guidance.

Special thanks to James Burnett for his assistance in writing this article.