IPP 3A — planning for indirect notification requirements
Guidance purpose
The purpose of this guidance is to help your agency get prepared for the new notification requirements for indirect collections — IPP 3A.
The guidance is designed to work together with the IPP 3A decision tree and takes you through the things you need to think about and do to ensure your agency is ready for the new indirect collection notification requirements.
Why notification of indirect collections is important
Currently, there is no requirement to inform individuals when an agency collects their personal information indirectly. This means that individuals may not be aware that agencies are collecting their personal information.
The new IPP 3A requirements are intended to fill this gap. The introduction of IPP 3A will increase transparency around how agencies collect personal information and enable individuals to better exercise their rights.
Just because you may not be required to notify individuals of indirect collections does not mean that you should not notify them. Notifying individuals when you’re collecting information about them supports open and transparent collection practices and the subsequent use of their information.
The new requirements
Helpfully, IPP 3A is structured similarly to IPP 3.
IPP 3A will require agencies to take reasonable steps to ensure that an individual concerned is aware of:
- the fact that the information has been collected
- the purpose of the collection
- the intended recipients of the information
- the name and address of the agency that is collecting the information and the agency that holds the information
- whether the collection is authorised or required by law and which particular law
- their right to access and correct their information.
An agency will be required to inform an individual as soon as reasonably practicable after the information has been collected. As with IPP 3, an agency does not have to take the steps outlined above if the individual has already been made aware of the things referred to above.
The exceptions
Again, like IPP 3, IPP 3A has a number of practicable exceptions. The same exceptions that currently exist under IPP 3 still apply. However, IPP 3A introduces 4 new exceptions specifically for indirect collections:
- the personal information is publicly available
- compliance would prejudice the security or defence of New Zealand, or the international relations of the government
- compliance would reveal a trade secret
- informing the individual would cause a serious threat to public health or safety, or to the health and safety of another individual.
An agency must have reasonable grounds to believe that the exception applies in the circumstances of the indirect collection.
What you need to do to prepare
While the new requirements are not in place yet, starting to prepare for the changes now will help ensure you are not rushing to meet the requirements at the last minute. You can carefully consider your collections and whether any of the available exceptions apply.
There are a number of practical steps you can take to start preparing for the new IPP 3A requirements.
Set up a register of your agency’s collections
- Create a register — An example of a collections register is in the resources section.
- Identify which collections are direct, and which collections are indirect.
- For your agency’s indirect collections determine whether a primary exception applies:
- Individuals are already aware of the indirect collection.
- The information collected is used in a non-identifiable form.
- The information collected will be used for research and statistical purposes only.
- For the remaining indirect collections determine whether one of the other exceptions applies.
Engage with teams across your agency
To help you identify your agency’s collection you’ll need to consider engaging with teams across your agency.
- The team that manages your agency’s data — your data team will be responsible for managing the supply of data and information into your agency. They’ll be able to identify the collections that they facilitate and manage.
- Your research and evaluation teams — these teams may collect information from individuals to support research projects or evaluations of products and services.
- Your service design and delivery teams — these teams may collect information from individuals to support the design of services and products.
- Your regional teams — regional office teams may collect information from individuals to support the work that they do.
Do you need to notify?
You can use the following flowchart and steps to determine if you need to notify or you can download and use a PDF of the flowchart in the resources section.
Steps for determining if notification is required
Step 1 — Personal Information (PI) collected but not from the individual directly?
- Yes - continue to Step 2
- No - no notification required
Step 2 — Is Personal Information (PI) collected after ?
This is the date in the current Bill and may be subject to change.
- Yes - continue to Step 3
- No - no notification required
Step 3 — Do any Primary Exceptions apply?
- Individual already aware
- Information will not be used in identifiable form
- Information will be used for research and statistics and publishing will not identify an individual
Outcome
- Yes - no notification required
- No - continue to step 4
Step 4 — Other Exceptions
Do any other Exceptions apply?
- No prejudice to individual
- Information publicly available (IPP 3A specific)
- Non-compliance necessary:
- Maintenance of the law
- Enforcement of law that imposes pecuniary penalty
- Protection of public revenue
- Conduct of court/tribunal proceedings
- Prejudice purpose of collection
- Prejudice national security or international government relations (IPP 3A specific)
- Reveal a trade secret (IPP 3A specific)
- Cause serious threat to public/individual health or safety (IPP 3A specific)
Outcome
- Yes - no notification required
- No - notification required, continue to step 5
Step 5 — Notification Requirements
- Fact that information is being collected
- Purpose for which the information is being collected
- The intended recipients of the information
- Name and address of both the collecting and disclosing agency
- Legal Authority - refers to the legislation authorising or requiring the collection
- Individuals IPP 6 and 7 Rights
Resources
Information collections register template
You can use this information collections register template to help get you started with documenting your collections and identifying the collections that’ll require notification when IPP 3A comes into effect.
Information collections register template [DOCX 45.8KB]
Should I notify decision flowchart
You can download and use the PDF flowchart to help you determine whether your collection requires notification.
Do I need to notify? — IPP 3A flowchart [PDF 574KB]
Privacy Amendment Bill
You can read through the Bill and the explanatory note.
Privacy Amendment Bill 292-1 (2023), Government Bill — New Zealand Legislation
Last updated