IPP3A: notification requirements for indirect collection of personal information


Source: Privacy Commissioner

This new rule will come into force on 1 May 2026. The IPP3A requirements only apply to personal information collected from 1 May 2026.


Download the PDF version of this guidance (PDF, 594KB).

Use our IPP3A decision flowchart (PDF, 1MB) to help you figure out if you need to tell individuals that you have collected their information indirectly.

One of the important changes in the Privacy Amendment Act 2025 is the addition of Information Privacy Principle (IPP) 3A. IPP3A changes an agency’s obligations when it collects personal information indirectly. Collecting personal information indirectly means that the agency collects the personal information from someone other than the person themself.

Under IPP3A, if an agency collects someone’s personal information indirectly, that agency is required to notify them, unless one of the listed exceptions applies.

IPP3A applies to all personal information agencies collect indirectly, from any source. This means that whether the agency collecting the information gets it indirectly from a person or another agency, it will still need to tell the person concerned unless an exception applies.

Being open about how personal information is collected, used, and shared is not only the law, but it’s a critical part of building trust in the way an agency will handle personal information. 

The obligation to inform the individual sits with the agency that collects the information indirectly, which we refer to throughout this guidance as the indirect collector. It is possible that multiple agencies are indirect collectors (for example, when there is a chain of disclosure and collection) and each of these agencies has obligations under IPP3A. However, as you’ll see throughout the guidance, there are situations where it might be appropriate for one of the agencies to notify people on behalf of other agencies in the chain. We discuss how this might work further in the “individual has already been made aware” section.

Note: throughout the guidance we have used fictional examples to demonstrate how IPP3A and the exceptions may be used in practice. These examples are focused on the notification requirements of IPP3A after an agency has determined it has a lawful purpose under IPP2 to collect the personal information from someone other than the individual.


What does collecting personal information indirectly mean?

Collecting personal information indirectly means that an agency collects the personal information from someone other than the person themself. Previously, an agency was not required to tell the person that it had collected their information from someone else.

Example

Sally makes a claim to her insurance company, Trusted Insurance Co, about damage to her car. She tells them she has taken it to Mater’s Motors for repairs. Trusted Insurance Co asks Mater’s Motors for information about the damage to the car, including whether they thought Sally was responsible for the damage. Mater’s Motors’ view on whether Sally was responsible for the damage is personal information about Sally. Trusted Insurance Co has indirectly collected Sally’s personal information.

It’s important to note that Mater’s Motors still needs to make sure they have a lawful basis to disclose the information to Trusted Insurance Co under IPP11 of the Privacy Act, or that the collection is allowed or required by another New Zealand law. 


What if my agency is using a third-party provider?

If your agency is using a third-party provider to hold or process information for or on your behalf, then section 11 of the Privacy Act will apply. 

Read our detailed guidance on using third-party providers.

Example

Clear Consulting uses a third-party provider, Swiftstart NZ, to manage its client database.

Swiftstart NZ is responsible for a wide range of personal information that it holds on behalf of its clients through its cloud-based application. This includes contact information, sales records, customer correspondence, marketing preferences, invoices, and billing information.

Swiftstart NZ does not collect and use the information for its own purposes, which means Clear Consulting is responsible for meeting any IPP3A requirements.


Can my agency collect personal information indirectly?

Before your agency collects personal information indirectly, you still need to assess whether you have a proper basis to do so under IPP2. Agencies should be collecting personal information from an individual directly, unless an exception under IPP2(2) applies.

Once you have decided that you have a proper basis and can collect the personal information indirectly, then you will need to assess how to comply with the IPP3A requirements.

You can use the decision flowchart to help you.


What are the requirements of IPP3A?

If an agency collects personal information indirectly, IPP3A requires it to take reasonable steps (unless an exception applies) to make sure that the individual concerned is aware of the following matters:

  • the fact that the information has been collected,
  • the purpose of the collection,
  • the intended recipients of the information,
  • the name and address of the agency that is collecting the information and the agency that holds the information,
  • if the collection is authorised or required by law, which particular law, and
  • their rights of access to, and correction of, their information.

A collecting agency is required to inform an individual as soon as reasonably practicable after the information has been collected, unless the notification steps have already been taken by that agency or by another agency.


What are the differences between the IPP3 and IPP3A requirements?

IPP3 requires an agency to explain the reason for collection (amongst other things) when they collect information directly from someone. IPP3A requires these things when an agency collects information indirectly.

It’s likely that an agency could meet its IPP3A requirements in the same way it meets its IPP3 requirements, by using accessible privacy policies, statements, and notices.

It’s important that agencies know what personal information they collect directly from someone, and what personal information they collect indirectly from someone else, and tailor their privacy policies, statements, and notices accordingly. Agencies will also need to think about how they draw attention to these statements when they collect information indirectly as they may not have a direct line of communication with the person.

As with IPP3, there are a number of exceptions to the notification requirement in IPP3A. These are explained in the ‘what are the exceptions?’ section of this guidance.


What are reasonable steps?

The reasonable steps for an agency to take to ensure that an individual is aware of the IPP3A matters will depend on its own particular circumstances. Some of the factors that may impact what is reasonable include:

  • The sensitivity of the personal information collected.
  • The possible negative impacts to the person because of the collection. If the risk of negative impacts is high, more rigorous steps may be required.
  • Any specific needs of the person. For example, if the personal information is collected from someone who is from a non-English speaking background, or anyone who may not easily understand the information in the notification.
  • The practicality, including time and cost involved. However, an agency isn’t exempt from taking the notification steps just because it may be inconvenient, time-consuming or incur some cost to do so.

Format of notification

An agency can notify or make someone aware of the IPP3A matters using a variety of formats, provided the information is communicated clearly. Types of notification could include:

  • A notice made in advance, for example by paper, online, or phone script.
  • A layered notice process, for example a full explanation initially and then brief refreshers as individuals become more familiar with how that agency handles personal information. Another example would be brief privacy notices on forms or signs, supplemented by longer notices made available online or in brochures.

Read our guidance on developing privacy notices and statements.

Example

Franks Firm offers margin lending, and it collects client information from credit reporters to assess their suitability for credit. The client application form requires the client to give authorisation for the credit check, which is a requirement under the Credit Reporting Privacy Code. The application form also has a privacy notice on it which names the credit reporters that Franks Firm collects from, as well as the purpose for collection. Franks Firm clients are required to acknowledge this during onboarding. As the client has already been made aware, Franks Firm doesn’t need to notify each time it collects information from those credit reporters, but it makes sure it keeps evidence of prior notices given to clients. If prior notice wasn’t given, Franks Firm notifies as soon as reasonably practicable after the collection. Even though the client authorises the credit check as part of the application process, they still need to be informed about who has collected their information and why.


Timing of notification

What does ‘as soon as reasonably practicable after the information has been collected’ mean?

If you haven’t taken steps to ensure people are appropriately notified about the collection of their information before receiving it, you will need to notify them as soon as reasonably practicable once you’ve collected it.

What is a reasonably practicable timeframe for notification will depend on the circumstances of the collection. If you decide it’s not practicable to notify or ensure an individual is aware of the collection shortly after, it is your agency’s responsibility to be able to justify this.

Agencies should be building options for providing notification or ensuring awareness into their processes and systems for information collection. For example, by including relevant information in standard forms and online collection mechanisms. 

Agencies may take into account any technical and resource considerations when deciding on a reasonable timeframe for notification. However, it’s an agency’s responsibility to be able to justify any delay in notification.

Documenting your rationale and decision-making will be important.

Example

Sterling Draper has received a marketing list which contains people’s contact information and demographic data from a partner agency for an advertising campaign it intends to run in several weeks’ time. Sterling Draper’s plan is to include all the relevant notification information when it sends out the advertising material to these people, so it decides to delay notification until the campaign begins. This allows Sterling Draper to provide context for the notification and ensures that individuals aren’t getting multiple emails from them. Sterling Draper considers this to be a reasonable timeframe to delay the notification.


Notification requirements

What you need to tell people

Guidance or example

The fact that the information has been collected.

Tell people you are collecting their personal information and specify exactly what kind of information you are collecting or have already collected.

The purpose of the collection.

Tell people why you are collecting their information.

Your purpose should be specific enough that the individual can understand what their information is being used for, e.g. “to confirm that you are a member of x organisation to check that you are eligible for this discount”.

It is not enough to say, “for business purposes.”

A useful test is to consider whether there is a chance the person may be surprised at how you’re using their information. The more likely it is that they could be surprised, the more detailed your explanation about the purpose should be.

The intended recipients of the information.

Tell people who you will be sharing their information with.

If you know you will be sharing the information, you should tell the individual who you’re sending it to. If you routinely share information with a particular agency, group or person, they should be named, unless it would be impractical to do so. In that case, you may decide to describe the type, class or categories of agencies you share information with instead.

If you decide to provide the categories of agencies, the information should be as specific as possible by indicating the type of agency (e.g. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the agency.

The name and address of the agency that is collecting information and the agency that holds the information.

Tell people who has collected their information. 

If your agency is collecting the information indirectly and making the notification, then it will need to include your agency’s name and address (or equivalent e.g. email or website) in the notification.

If the agency you collected the information from has already made the notification on your agency’s behalf, it will need to have included your agency’s name and address (or equivalent e.g. email or website) in its notification.

For the avoidance of doubt, for the purposes of IPP3A, the ‘agency that holds the information’ is considered to be the agency collecting the information indirectly.

If the collection is authorised or required by law, which particular law.

For example, “the collection of this information is authorised under section 8 of the Citizenship Act 1977.”

Their right to access and correct their information.

Tell people about their right to access the information your agency holds about them, and their right to ask to correct it if they think it’s wrong.

You should include a clear process for individuals to follow, such as contact details to send their request to, or an online form that they can complete and submit.

Read our guidance on access and correction requests.


What are the exceptions?

The same exceptions that exist under IPP3 still apply, but IPP3A introduces additional exceptions specifically for when information is collected indirectly.

Exception to IPP3A

You don’t need to take the notification steps if:

Guidance or example

The individual has already been made aware of them.

Exception may apply:

  • You know that the agency you collected the information from has already told the person about all the matters.
  • You have previously collected this information about the person from the same agency, and you let them know all the information already, and the purpose of collection has not changed.

Exception would not apply:

  • You assume that the person would probably already know, but you don’t have any good evidence to confirm that.

The personal information is already publicly available.

Exception may apply:

  • You are collecting personal information from a publication such as a book, newspaper, or public register.
  • You are collecting personal information from a website or public social media page.

Exception would not apply:

  • You are collecting personal information from social media that requires you to have additional permission to view (such as being a friend or follower of a private social media account).

It would not prejudice the interests of the individual concerned.

Exception may apply:

  • You’re collecting emergency contact information from an employee and can reasonably presume that the employee has an existing relationship with their emergency contact and has made them aware that they are their emergency contact.

Exception would not apply:

  • You’re collecting loyalty card information to create shopping profiles of individuals and generate targeted ads, for marketing purposes.

It’s necessary for:

  • Maintenance of the law by a public sector agency.
  • Enforcement of the law that imposes a financial penalty.
  • Protection of public revenue.
  • Conduct of court/tribunal proceedings.

Exception may apply:

  • A public sector agency is investigating an offence and needs to collect information about a person from someone else to adequately investigate the offence, and the agency has followed all other relevant laws that apply to gathering evidence. It’s important to note that collection must still be allowed under IPP2, even when relying on this exception.

Exception would not apply:

  • If you are not a public sector agency.

Note: Private sector agencies wanting to collect information about a person from someone else to do their own investigation of suspected fraud may be able to rely on other exceptions under IPP3A. For example, if telling the individual would prejudice the purpose of the collection.

Telling the individual would prejudice the purposes of the collection.

Exception may apply:

  • You are collecting personal information for a fraud investigation and notifying the person concerned would undermine your investigation.

Exception would not apply:

  • It is less practical for you to notify the person concerned, so you don’t want to.
  • You’re worried about losing or upsetting the customer, so you don’t want to notify them.

Telling the individual is not reasonably practicable in the circumstances.

Exception may apply:

  • You don’t hold contact details for the relevant person. 

Exception would not apply:

  • You have accurate contact details for the relevant people, but notifying each one individually would be time consuming.
  • There will be some cost associated with notifying all relevant people, but it is not excessive.

It would cause a serious threat to public health or safety, or to the health and safety of another individual.

Exception may apply:

  • Your agency has collected personal information from another agency about someone who has a contagious disease. Your agency needs to take immediate action to contain the spread of the disease, and determines that any delay caused by notifying the individual would cause a serious threat to public health or safety.

Exception would not apply:

  • You have collected personal information from another agency about a person who has a contagious disease, but no immediate action is required. You have assessed the three factors (likelihood, severity, and time) and determined that any delay caused by notifying the individual concerned would not cause a serious threat to public health or safety.

Note: These examples are based on the example from the Amendment Act itself; however, it may be more appropriate to rely on a delay to notification rather than using this exception to not notify at all.

Read more guidance on assessing a serious threat.

The information won’t be used in a way that identifies the individual.

Exception may apply:

  • You have removed any personal information that may identify the individual(s) before using it.

Exception would not apply:

  • You have removed someone’s name from their personal information, but they can still be identified in other ways.

Read more guidance on what makes a person identifiable.

The information will be used for research and statistics, and publishing this will not identify the individual concerned.

Exception may apply:

  • You’re using the personal information as part of a research study and only aggregated information that doesn’t identify anyone will be published.

Exception would not apply:

  • The audience of the publication may have additional knowledge to help them identify an individual in the research.

Your agency collects personal information for archiving purposes, and notification is likely to seriously impair your achievement of this.

Exception may apply:

  • You are taking an oral history from someone as part of research into a historic event, and they disclose the names and personal information of other people as part of this. Notifying all the people mentioned would seriously impair your ability to record and preserve the oral history.

Exception would not apply:

  • Your agency is not part of the Gallery, Library, Archives, and Museum (GLAM) sector, and you are not collecting the information to determine whether it is of enduring value for general public interest and should be archived for public reference, study, or exhibition.

It would prejudice the security or defence of New Zealand (or the Cook Islands, Niue, Tokelau, or Ross Dependency); or the international relations of the Government of New Zealand, the Cook Islands, or Niue; or the relations between any of the Governments of New Zealand, the Cook Islands, or Niue; or the entrusting of information to the Government of New Zealand on a basis of confidence by the Government of any other country or any agency of the Government of any other country; or any international organisation.

Exception may apply:

  • You have collected personal information from an overseas government agency about someone. Telling them you have collected their information would risk deterring foreign Governments from giving New Zealand information in the future.
  • You have collected personal information about people to be able to detect and track a terrorist cell, and notifying the individuals concerned would prejudice the security or defence of New Zealand.

Exception would not apply:

  • When there is no risk to the security or defence of New Zealand, or the international relations of the government.

It would disclose a trade secret, or be likely to unreasonably prejudice the commercial position of the person who supplied the information, or the individual concerned.

 


IPP3A(3): Individual has already been made aware

An agency collecting information indirectly doesn’t have to take the notification steps if the person has already been made aware of all of the following matters:

  • The fact that the information has been collected.
  • The purpose of the collection.
  • The intended recipients of the information.
  • The name and address of the agency that is collecting the information, and the agency that holds the information.
  • If the collection is authorised or required by law, which particular law.
  • Their right to access and correct their information.

For example, the agency dealing with the person directly must notify them of the IPP3 matters, so at the same time could inform them of the IPP3A matters on behalf of the agency collecting the information indirectly. If the agency collecting the information indirectly is relying on this exception, it should be able to justify its belief that the agency it’s collecting the information from has made the individual aware of the IPP3A matters. This should be based on evidence rather than an assumption. One way to do this is to make notification requirements part of your agencies’ contractual arrangements. However, the responsibility for these requirements being met still lies with the agency collecting personal information indirectly.

If an agency is going to make someone aware of the IPP3A matters on behalf of the agency collecting the information indirectly, it will need to be as specific as possible about who is collecting the personal information. This includes providing people with the name and address (or equivalent e.g. email or website) of the agency that is collecting the information indirectly.

If an agency knows that in certain situations it will routinely collect personal information indirectly from specific agencies, those specific agencies could tell individuals the circumstances in which that indirect collector agency would always collect from them, as part of their relevant privacy notices, policies and statements.

For example, Service Co routinely collects customer name and contact information from internet providers around the country, in order to install internet connections to customers’ homes. Each internet provider has an agreement with Service Co, so they include in the agreement that the respective internet provider will include Service Co’s name, contact information, and the other IPP3A matters in their privacy statement. This is because the internet providers have a direct relationship with those concerned. Service Co doesn’t need to notify customers again when it collects their personal information, because they have already been made aware. 

Similarly, if personal information is routinely collected indirectly and the person has been made aware of the agency’s identity in a recent notice relating to a similar collection, it may not be necessary to notify again.

The important thing is that people know where their information is. Agencies should be providing information on the collection of personal information that is most meaningful for the people concerned. 

Example one

Green Gardens is a small local gardening business. Occasionally it gets a request for services it can’t fulfil and passes on the client details to one of its partner providers. For example, Green Gardens doesn’t employ any qualified arborists, so if a customer requests this service, they refer that customer to a local arborist Green Gardens recommends. Green Gardens passes the customer’s details to the arborist so they can make contact with the customer directly. 

Green Gardens has an online client form which lets customers know which services they don’t provide themselves, and which local businesses they will refer customers to instead. The client form includes the local arborist’s business name, as well as a link to the arborist’s privacy policy on their website, which includes the IPP3A matters. The arborist’s website also includes their business address. This process satisfies the arborist that the client has been made aware of the collection, and the IPP3A matters which are outlined in the arborist’s privacy policy. The arborist doesn’t need to notify the client of the collection because they have already been made aware. Whenever Green Gardens enters a new partnership with a local business to outsource requests for services that Green Gardens doesn’t provide, it comes to an agreement with that business on how they will ensure each person is made aware of the IPP3A matters. 

Example two

ABC Investment Management collects personal information about its clients indirectly from other agencies. The collection is for the purpose of complying with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. ABC Investment Management’s standard terms and conditions provide that clients authorise ABC Investment Management to collect this information indirectly. ABC Investment Management has a direct relationship with its clients, and it also collects personal information from them directly. It decides to inform clients of all the IPP3A matters at the same time it informs them of the IPP3 matters. In the terms and conditions, ABC Management tells clients what information it collects indirectly and why.


IPP3A(4)(a): Non-compliance would not prejudice the interests of the individual

What does ‘would not prejudice’ mean?

Generally, this means that the person concerned wouldn’t suffer any detriment or lose control of important information because of not being notified. What may be considered detrimental will often depend on the person concerned. However, the intention of IPP3A is to give people more information and control over who has their personal information, so this exception should only be used for common, low risk cases. Collecting the personal information indirectly may be for the benefit of the person, but this doesn’t mean you shouldn’t tell them about it.

Example One

The People’s Bank collects emergency contact information from its employees. Under IPP10, the bank can only use these details for the purpose they were collected. Under IPP3A, it’s likely there would be no detriment to the person listed as the emergency contact if the company didn’t tell them they had collected their personal information for this purpose. Generally, emergency contacts have an existing relationship with the employee and are aware that they are the employee’s emergency contact. 

Example Two

Cosy Co runs a local café, Brewt. Brewt Café keeps a small database of its regular customers who have opted into its loyalty programme, so that customers don’t have to carry around paper stamp cards. The owners of Cosy Co and Brewt Café are ready to retire so they sell the café to one of their staff members, who sets up a new company Haus Ltd to run the café. Brewt Café’s name remains the same, and the new owner wants to honour the existing loyalty programme. As part of the sale process, Cosy Co shares the names of the loyalty programme members and the number of coffees they have left to buy before they get their 10th free. It’s unlikely there would be any prejudice caused to the members of the loyalty programme if Haus Ltd didn’t notify them of the collection of their information.


IPP3A(4)(d): Telling the individual would prejudice the purposes of the collection

In some cases, the purpose for collecting personal information indirectly may be undermined if the agency collecting it were to tell the person concerned.

For example, an agency is conducting an internal fraud investigation and has a legitimate purpose for collecting personal information about someone from their neighbour, to verify personal information collected from the person themselves. If the agency’s purpose is to find out objectively what happened, as part of an investigation, then letting the person know of the indirect collection may undermine the investigation. For example, notifying the person concerned may give them an opportunity to destroy evidence, or try and influence what information their neighbour gives to the investigator. 

It’s important to note that the agency must still have a proper basis under IPP2 for collecting this information from someone other than the person themselves, and only collect information that is relevant to the investigation of the incident. 

Take great care if your agency plans to rely on this exception and be sure to seek professional advice before doing so. OPC has previously undertaken an inquiry into (amongst other things) an agency collecting information about an individual indirectly without proper reason.


IPP3A(4)(e): Telling the individual is not reasonably practicable in the circumstances

In some cases, notifying the individual of an indirect collection will not be practicable. However, it’s important to note that inconvenience, cost, or administrative burden doesn’t automatically mean notification is ‘not reasonably practicable’.

Cost may be a factor if notification would be so expensive that the cost would be disproportionate to the value provided to the person.

Generally, the threshold to assess whether it’s not reasonably practicable to notify will depend on the nature of the personal information that’s being collected indirectly. For example, if the information is sensitive, then the threshold of ‘not reasonably practicable’ will be higher. 

Agencies need to consider how IPP3A notification requirements will be met as part of any new or existing processes that involve routinely and repeatedly collecting personal information indirectly. Having incompatible systems or processes is not a valid reason to rely on this exception.

For example, it may not be practicable for an agency to notify the person if they don’t hold any contact details for them. In this situation, the collecting agency isn’t expected to collect contact details for them solely for the purpose of notifying them.

Example one

Cha-Cha Entertainment holds several photos of people from events it has held over the years. Rydell University is hosting an alumni event and wants to collect the photos from Cha-Cha Entertainment to create a visual timeline to display at the event. The photos don’t have names on them, and there were no contact details collected at the time the photos were taken. Rydell University doesn’t have a purpose for collecting the names and contact details of the people in the photos, other than to notify them of the indirect collection, so they assess that it would not be reasonably practicable to try and notify them. Instead, Rydell University creates a public notice which they post on their alumni Facebook page, saying that they have collected photos from Cha-Cha Entertainment which will be displayed at their upcoming event.

Example two

Zap Networks is an Electricity Distribution Business. It doesn’t interact directly with electricity customers, but it has its own regulatory requirements which means it needs to retain personal information. Zap Networks provides its service through an intermediate relationship with electricity retailers. Zap Networks receives more than 29,000 sets of customer information from 20 electricity retailers, which are automatically processed into its connections database. Zap Networks considers its obligations under IPP3A, and decides to rely on the IPP3A(4)(e) exception for the following reasons:

  • In a particular month, Zap Networks could receive hundreds of changes to property records ranging from who the electricity retailer is, or a new customer name registered, through to minor changes such as corrections to the spelling of a name or an updated phone number.
  • In order to notify each person, Zap Networks would need to interrogate large amounts of data and manually review each set to determine if notification is warranted.
  • If Zap Networks were to notify customers, this may be the only contact it ever has with them, as it doesn’t have a direct relationship with the customers it delivers electricity to.

Although Zap Networks relies on this exception, it also ensures that the privacy policy on its website informs customers that it collects their information from electricity retailers, and for what purpose. Zap Networks also ensures that the electricity retailers it receives customer information from include Zap Networks in their intended recipients as part of their IPP3 obligations.


Acting on behalf arrangements

Individuals may have someone else who has been appointed to legally act on their behalf under the Protection of Personal and Property Rights Act 1988 (PPPR Act) because that person has limited capacity to act for themselves. These arrangements are typically:

  • Attorneys acting under an enduring power of attorney for someone who no longer has capacity to act for themselves.
  • Welfare guardians or property managers/representatives appointed by the Family Court.

If an agency is collecting personal information about a person from someone acting in one of these roles on behalf of that person, that representative is treated as if they are standing in the shoes of the person. The collection of personal information is therefore a direct collection and IPP3 applies.

A person may have someone acting on their behalf when interacting with agencies and service providers. Some examples of these arrangements are:

  • Parents/guardians acting on behalf of their children.
  • Lawyers or advocates acting on behalf of their client.
  • Representatives authorised by the person to support them engaging with a particular agency.

If an agency is collecting personal information about an individual, from someone acting on behalf of that individual outside of the PPPR Act, this is considered an indirect collection and IPP3A would apply.

In these circumstances, what would generally be considered ‘reasonable steps’ to make sure that the individual concerned is aware of the IPP3A matters would be to ensure the person acting on behalf of that individual is made aware of the matters, so that they can communicate them to the individual they are representing.

We’ve included some examples of how this could apply.

Example – children and young people

Sunnydale Primary School is organising a school camp for years 5 and 6. They need to collect information about any medication requirements students may have, to ensure these can be appropriately managed during the school camp. The school sends out a form to the parents of the students to complete. Since they are collecting students’ personal information from their parents, rather than from the students themselves, they need to consider how they will meet the notification requirements of IPP3A. The school includes the following privacy notices on the form, to make sure the parents are aware of all the matters and can communicate these to their children appropriately.

Purpose of collection

We are collecting information about medication requirements your child may have to ensure they receive their medications appropriately and to help us effectively manage your child’s health and wellbeing while they are attending our school camp.

Intended recipients

Your child’s medication information will be shared with our Camp Managers so that they are aware and informed and can assist your child appropriately if required. In the case of a medical event, we may need to share your child’s health information with healthcare providers to ensure appropriate medical assistance is provided.

If the collection of information is required by law, which law

We collect this information to ensure we meet our obligations under the Education and Training Act 2020, the Health and Safety at Work Act 2015, the Children’s Act 2014 and other relevant legislation.

Access and correction rights

Your child has the right to request access to, and correction of, their personal information.

Access and correction requests can be made by emailing [insert email address] or contacting us by phone [insert phone number].

Read further guidance for agencies on responding to requests for personal information about children and young people.

Example – authorised representative 

Wellbeing Services deals with a variety of people seeking specific benefits or access to support services. Often their clients will have an authorised representative that they appoint to help them do different things, such as completing forms, receiving mail or correspondence, and dealing directly with support services on their behalf. To appoint an authorised representative, Wellbeing Services asks the person and their representative to complete a form to provide the following information:

  • What their authorised representative can do for them, in the context of dealing with Wellbeing Services.
  • What they need to provide.
  • Client and authorised representative declaration.

As part of the form, Wellbeing Services have included a privacy statement called ‘How we protect your privacy’ that covers the IPP3A matters to make sure the authorised representative is aware of all the matters and can communicate these to the individual appropriately. The form also includes the following statement, which the authorised representative agrees to by signing their declaration: “I/we have read, and I/we understand what you do with personal information and how you protect a person’s privacy.”

Do you need to notify?

Our IPP3A decision flowchart (PDF, 1MB) can help you figure out if you need to tell someone that you have collected their information indirectly.

Read more guidance on being transparent about your agency’s privacy practices.
