On September 23, 2025, New Zealand passed a targeted update to the Privacy Act 2020 that strengthens transparency around third‑party data collection and fine‑tunes several privacy processes. The headline change is a new Information Privacy Principle (known as “IPP 3A”), though the Act does make several smaller changes in Part 2. 

Under IPP 3A, when agencies collect personal information about someone from sources other than the individual, they must take reasonable steps—as soon as practicable after collection—to notify the individual. That notice must cover: 

(a) that information about the individual was collected; 
(b) the purpose for which the information has been collected; 
(c) the intended recipients of the information;
(d) the name and address of both the agency that collected the information and the agency that holds the information;
(e) if applicable, the law which authorized collection of the information; and
(f) the rights of access to, and correction of, information provided by the IPPs.

The major changes (Part 1) are set to take effect on May 1, 2026, while Part 2 takes effect immediately.

There are pragmatic exceptions to IPP 3A. Agencies need not notify if the person was already informed; the data is publicly available; notification would undermine law enforcement, court proceedings, public revenue, public health or safety; or the purpose of collection is not reasonably practicable, would harm commercial interests, or reveal trade secrets; or where data will only be used in a non‑identifiable or research/statistical form. IPP 3A does not apply to information collected before May 1, 2026. It also does not apply to personal information collected under existing approved information sharing or matching agreements that were in force at commencement. Intelligence and security agencies remain exempt from IPPs 2, 3, 3A, and 4(b) for their collections. 

Other refinements include clarity for how agencies handle access (IPP 6) and correction (IPP 7) requests without changing the 20‑working‑day deadlines. Protections are expanded where disclosure could be contrary to the interests of individuals under the age of 16 or could prejudice the safe custody or rehabilitation of people convicted or in custody. 

Finally, the Privacy Commissioner is expressly enabled to assess overseas privacy regimes, including on a bloc basis (for example, EEA/GDPR).  

In sum, the amendments sharpen transparency and accountability for third‑party data collection while preserving necessary operational and public interest exceptions.