Many advice businesses discovered on 1 May 2026 that they were less prepared for Information Privacy Principle 3A than they expected. The new privacy rule means businesses that collect personal information about individuals from third parties may need to notify those individuals — and the practical requirements are more involved than many anticipated.
What IPP 3A actually requires
Information Privacy Principle 3A requires that where a business collects personal information about an individual from a third party, it must, in certain circumstances, take steps to make that individual aware of the collection. This is not a simple policy statement in your privacy notice. It requires specific, named disclosure at or before collection — identifying the information collected, the source, and the purpose.
The rule identifies six disclosure points: the collection and source, the intended purpose, whether disclosure is mandatory or voluntary, who the information will be disclosed to, what rights the individual has, and where they can find further information. For many businesses, the inadequacy of a generic privacy policy line is now clear.
Where most businesses are exposed
If your business runs credit checks, uses AML/CFT providers, receives information from lenders or insurers, or relies on referrals, there is a good chance IPP 3A applies to you. Common exposure points include:
- Engagement letters — do they identify all information sources and purposes?
- Onboarding documents — are staff trained to disclose before collecting third-party information?
- Referral processes — does the referrer know what information you will collect and how you will use it?
- Co-borrowers and guarantors — have they been informed of the information collection?
Practical steps for the first 30 days
The first month after 1 May 2026 is the time to act. Start by auditing your information sources: list every external source of personal information your business collects. Then review your engagement letters and onboarding documents — do they disclose the collection? If not, draft new wording.
Build a disclosure schedule that maps each information source to the required disclosure clause in your engagement letter or onboarding document. Update your onboarding workflow to ensure staff follow the new process consistently.
Strategi has developed an IPP 3A Implementation Kit ($199 plus GST) to help businesses put the required changes in place, including a plain English guide, ready-to-use wording for engagement documents, and practical templates. For businesses that need more tailored support, Strategi Compliance can help with a full review of your privacy processes and implementation strategy.
Contact us to find out how we can help.