IPP 3A comes into force on 1 May 2026: What employers need to know

From 1 May 2026, a new Information Privacy Principle, IPP 3A, comes into force under the Privacy Amendment Act 2025. IPP 3A introduces new notification obligations where an organisation collects personal information indirectly, that is, from someone other than the individual concerned.
This article builds on our earlier article, and reflects the Office of the Privacy Commissioner’s final guidance (OPC Guidance) on how IPP 3A will operate in practice.
Why this matters for employers
In an employment context, indirect collection is common, and includes information obtained from:
- referees and previous employers;
- recruitment agencies;
- medical practitioners or insurers; and
- payroll, benefits or time‑and‑attendance providers.
While many employers already collect this information with employee knowledge or consent, IPP 3A introduces more explicit notification requirements.
What IPP 3A requires
Where an employer collects personal information indirectly, they must take reasonable steps (unless an exception applies) to ensure the individual is aware of:
- the fact that their personal information has been collected;
- the purpose of the collection;
- the intended recipients of the information;
- the name and address (or equivalent contact details) of the agency collecting and holding the information;
- any law that authorises or requires the collection; and
- their rights to access and correct the information.
Notification
The responsibility to notify employees or candidates always sits with the employer that collects the information. Notification must occur as soon as reasonably practicable after collection, unless the individual has already been informed.
What is reasonable will depend on the circumstances, including:
- the sensitivity of the information;
- the risk of negative impact on the individual if they are not notified;
- any specific needs of the individual (for example, language or accessibility); and
- the practicality of notification (time and cost alone are not sufficient reasons to avoid notifying).
Employers must not assume that another organisation has already provided the required notice. Even where personal information is collected from another employer, recruiter, or service provider, the employer must be able to show how and when the individual was notified.
On notifying individuals of the purpose of collection, the OPC Guidance emphasises that broad statements, such as “for business reasons”, are unlikely to be sufficient. Privacy notices should clearly explain the practical reasons for collecting personal information indirectly. In many cases, this can be achieved through clear, accessible privacy notices, provided employees and candidates are properly informed about what information is collected and why.
Overall, IPP 3A is about transparency. Employers must be able to clearly explain how personal information is collected by their organisation, and ensure individuals understand when their information is collected from third parties and the reasons for doing so.
Practical steps to take now
Employers should:
- identify where personal information is collected from third parties or other indirect sources;
- assess whether existing privacy statements adequately address indirect collection;
- update recruitment materials, onboarding documents and employment agreements where needed;
- ensure third‑party arrangements clearly allocate responsibility for notification; and
- keep records of how IPP 3A obligations are met or how an exception applies (clear documentation will be important if questions or complaints arise).
Please feel free to reach out to any of our experts if you have any questions about how your organisation will be affected by these changes.
Special thanks to Julia Wynands and Enna Pesic for their assistance in writing this article.









