Practical guide to IPP 3A Privacy Act compliance in New Zealand offices, covering indirect collection workflows, notification templates, system integrations and exception logs.
IPP 3A is live: the indirect-collection checklist your office needs this week

IPP 3A Privacy Act compliance NZ: where indirect collection hits your desk first

IPP 3A Privacy Act compliance NZ is no longer a legal side note for office managers. It now sits in the middle of everyday administration where your team handles privacy, payroll, recruitment and vendor onboarding in the same cramped inbox. The rule is simple on paper: when an agency collects personal information indirectly from a third party, the individual concerned must be told who is collecting personal data, the purpose of collection, the legal authority and how to contact the agency collecting it, in line with the New Zealand Privacy Act 2020 and guidance from the Office of the Privacy Commissioner on Information Privacy Principle 3A.

In practice, the most exposed indirect collection points in New Zealand offices are reference checks, background screening, recruitment agency data feeds, vendor onboarding forms and HRIS or payroll integrations that quietly pull data from other systems. Each of these workflows involves collecting personal information indirectly about a person who has not yet seen your privacy statement or your internal privacy policy, even though the personal data collected will sit in your systems for a long period. Under IPP 3A, the agency collects this information and must take reasonable steps to notify the individual concerned unless an exception applies and notification requirements are clearly documented in your privacy compliance records.

Reference checks are the most visible example: you are collecting personal comments about a candidate from a third party referee, and those comments are personal information obtained indirectly that can affect employment decisions. Background screening through vendors such as CVCheck or First Advantage is another form of indirect collection, where the agency collecting information on your behalf will often send you a report without the person seeing the full privacy statement used, unless you have arranged otherwise under contract or confirmed the vendor’s standard practice from their documentation. Recruitment agencies such as Hays or Madison also collect personal data and then pass that personal information into your HRIS, meaning your organisation becomes the agency that collects personal data indirectly and must notify the individual concerned about the purpose of collection, contact details and their rights under IPP privacy rules, rather than assuming the recruiter’s privacy notice alone is sufficient.

For an office manager in Auckland, Wellington or Christchurch, IPP 3A Privacy Act compliance NZ lives inside forms, emails and system prompts, not in a binder on the shelf. Start by mapping every workflow where your organisation is collecting personal information indirectly, including IRD related processes, payroll onboarding, credit checks for company card holders and vendor due diligence for finance approvals. The same mapping discipline that helps you close IRD tasks quickly, as outlined in the office manager playbook for non finance admins, will also expose where your agency collects personal data from a third party without any clear notification or record of how the person was informed.

Once the map is clear, build a short notification template that can be reused across email, PDF and HRIS portals, so that every individual concerned receives the same core information. The template should state the identity of the agency collecting the data, the purpose of collection, the legal authority if any, the fact that personal information was collected indirectly from a third party and how the person can contact your office for access or correction. You should also reference your privacy policy and privacy statement, explain how long the personal data collected will be retained, and clarify whether any other agency collects or will be collecting personal information on your behalf for the same purpose, so the person can understand the full data flow.

Turn that wording into a copy paste checklist you can drop into any workflow:

  • Confirm this is an indirect collection under IPP 3A (information came from a third party).
  • Name your agency and a contact point (email, phone or postal address).
  • State the purpose of collection in plain language (for example, recruitment, payroll setup, vendor due diligence).
  • Identify any specific legal authority relied on, if applicable.
  • Explain that the information may be shared with specified third parties for the same purpose.
  • Describe how long the information will be retained or the criteria used to decide.
  • Explain the person’s rights to access and request correction under the Privacy Act 2020.
  • Point to your privacy statement or privacy policy and how to obtain it.

A one row notification template you can adapt might read: “We have received some of your personal information from a third party (for example, a referee or recruitment agency) so we can assess your suitability for employment with [Agency Name]. Under the Privacy Act 2020 and Information Privacy Principle 3A, we are letting you know that [Agency Name] is collecting this information for recruitment and employment purposes. You can contact us at [email or phone] to request access to or correction of your information, and our full privacy statement is available on request.” Notification requirements under IPP compliance are flexible about format, but not about content, so your template must cover each element every time you are collecting indirectly. A practical pattern is to trigger the notification when you first contact the person, for example when you email a candidate after reference checks or when you send vendor onboarding forms to a director whose details came from Companies Office. Where it is not reasonably practicable to notify immediately, such as bulk payroll imports from a recruitment agency into Datacom or Affinity Payroll, you should still take reasonable steps to notify as soon as the person engages with your system, and log why immediate notification was not reasonably practicable, in line with IPP privacy guidance from the Office of the Privacy Commissioner.

Systems, vendors and exception logs: tightening the back office for IPP 3A

The hardest part of IPP 3A Privacy Act compliance NZ is not the wording of a privacy statement, but the hidden integrations where your systems quietly collect personal data from third parties. HRIS and payroll tools used widely in New Zealand, such as Employment Hero, PayHero, FlexiTime or Affinity Payroll, often include APIs that collect personal information indirectly from recruitment platforms, time and attendance tools or background check providers. These flows mean your agency collects personal data without a human ever pressing send, so you must configure automated notifications or at least ensure that the first human contact includes a clear notification that personal data collected indirectly has entered your systems, and that this step is reflected in your privacy procedures.

Vendor contracts now need a privacy lens that goes beyond generic clauses, especially where a third party collects personal information on your behalf and then passes it to you. Audit each contract for data sharing, indirect collection, sub processing and notification requirements, and check whether the vendor will notify the individual concerned or whether your agency collecting the data must do so. The hidden labour of managing these integrations, similar to the unseen costs described in analyses of the hidden labour costs of managing digital workplaces, often falls on the office manager who must align privacy policy language, contact details and operational workflows without extra budget or extra staff, while still meeting the expectations set by the Privacy Act 2020 and OPC guidance.

Exception handling is the final piece, because IPP 3A allows you not to notify where the person has already been told, where the data is in unidentifiable form, where law enforcement or regulatory purposes apply, or where notification is not reasonably practicable. Build a simple exception log in a shared spreadsheet where you record the date, the person or people affected, the purpose of collection, whether the personal data collected came from a third party, the reason you decided not to notify and which manager approved it. A sample entry might include columns for “Date”, “Name or group”, “Source of information”, “Purpose”, “IPP 3A exception relied on”, “Reasonably practicable assessment”, “Manager approval” and “Follow up actions”, with a filled row such as “12/03/2024, Seasonal casual staff import, Recruitment agency bulk file, Payroll setup, Person already notified by agency, Duplicate notification not reasonably practicable for 300 staff, HR Manager approved, Include IPP 3A notice in first payslip email”. This log will be your first line of defence if the Privacy Commissioner asks how your agency collects personal information and what reasonable steps you took to notify or not notify individuals, and it keeps the focus on real office activity: not the policy PDF, but the Monday morning queue at reception.
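The checklist earlier in this article and the exception log described above both boil down to "every required field is present, and the reason for not notifying is one of the four allowed grounds". The script below is an added example written for this article, not code from the Office of the Privacy Commissioner or from any HRIS or payroll vendor, showing how an office could check a notification record against the checklist elements and validate exception-log rows before they reach the shared spreadsheet. The field names, the twenty-character assessment threshold, the sample notification and the sample log row are constructed for illustration (the row mirrors the article's own example entry).

```python
"""Added example: checker for IPP 3A notification records and exception-log rows.
Not code from the Office of the Privacy Commissioner or any vendor; field names,
thresholds and sample records are assumptions made for this illustration."""
import csv
import io

# One key per element of the article's copy-paste checklist (bullet two is split
# into agency name and contact point so each can be checked on its own).
REQUIRED_ELEMENTS = {
    "indirect_source": "information came from a named third party",
    "agency_name": "identity of the collecting agency",
    "contact_point": "email, phone or postal contact point",
    "purpose": "purpose of collection in plain language",
    "legal_authority": "legal authority relied on, or 'none'",
    "sharing": "third parties the information may be shared with",
    "retention": "retention period or the criteria used to decide",
    "rights": "access and correction rights under the Privacy Act 2020",
    "privacy_statement": "where the privacy statement can be obtained",
}

# The four grounds the article lists for not notifying.
ALLOWED_EXCEPTIONS = {
    "already_notified": "person has already been told",
    "unidentifiable": "information is in unidentifiable form",
    "law_enforcement": "law enforcement or regulatory purposes apply",
    "not_practicable": "notification is not reasonably practicable",
}

EXCEPTION_COLUMNS = [
    "Date", "Name or group", "Source of information", "Purpose",
    "IPP 3A exception relied on", "Reasonably practicable assessment",
    "Manager approval", "Follow up actions",
]


def _filled(value) -> bool:
    """True if a field holds real text rather than an unfilled [placeholder]."""
    text = str(value or "").strip()
    return bool(text) and not (text.startswith("[") and text.endswith("]"))


def missing_elements(notification: dict) -> list:
    """Return the checklist elements a notification record does not cover.
    Unfilled template placeholders such as "[Agency Name]" count as missing."""
    return [key for key in REQUIRED_ELEMENTS if not _filled(notification.get(key))]


def exception_entry_problems(entry: dict) -> list:
    """Return reasons an exception-log row should be rejected: an empty column,
    an exception outside the four allowed grounds, or a 'not_practicable'
    ground with no written assessment (20-character minimum is an assumption)."""
    problems = [f"empty column: {col}" for col in EXCEPTION_COLUMNS
                if not _filled(entry.get(col))]
    ground = str(entry.get("IPP 3A exception relied on", "")).strip()
    assessment = str(entry.get("Reasonably practicable assessment", "")).strip()
    if ground not in ALLOWED_EXCEPTIONS:
        problems.append(f"unrecognised exception: {ground!r}")
    elif ground == "not_practicable" and len(assessment) < 20:
        problems.append("not_practicable requires a written assessment")
    return problems


def exception_log_csv(entries: list) -> str:
    """Validate every row, then render the log as CSV with the article's columns.
    Raises ValueError naming the first bad row so nothing half-checked is saved."""
    for index, entry in enumerate(entries):
        problems = exception_entry_problems(entry)
        if problems:
            raise ValueError(f"row {index}: " + "; ".join(problems))
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=EXCEPTION_COLUMNS,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return buffer.getvalue()


# Constructed sample records; the agency, address and people are fictional.
SAMPLE_NOTIFICATION = {
    "indirect_source": "referee named by the candidate",
    "agency_name": "Example Office Ltd",
    "contact_point": "privacy@example.invalid",
    "purpose": "assessing suitability for employment",
    "legal_authority": "none",
    "sharing": "hiring manager and payroll provider",
    "retention": "12 months after the recruitment round closes",
    "rights": "access and correction on request under the Privacy Act 2020",
    "privacy_statement": "[link]",  # left unfilled on purpose to show the check
}

SAMPLE_EXCEPTION_ROW = {
    "Date": "12/03/2024",
    "Name or group": "Seasonal casual staff import",
    "Source of information": "Recruitment agency bulk file",
    "Purpose": "Payroll setup",
    "IPP 3A exception relied on": "already_notified",
    "Reasonably practicable assessment": "Duplicate notification not reasonably practicable for 300 staff",
    "Manager approval": "HR Manager approved",
    "Follow up actions": "Include IPP 3A notice in first payslip email",
}

if __name__ == "__main__":
    print("missing elements:", missing_elements(SAMPLE_NOTIFICATION))
    print(exception_log_csv([SAMPLE_EXCEPTION_ROW]))
```

Run as a script, it reports that the sample notification still has an unfilled privacy statement link and prints the validated log as CSV. The placeholder rule is the part worth keeping: a template that was emailed with "[Agency Name]" still in it satisfies no one, so the checker treats bracketed values as absent rather than present.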
