In September 2025 the Privacy Amendment Act 2025 received Royal assent, introducing a series of focused updates to the Privacy Act 2020.

The most notable update is the introduction of a new Information Privacy Principle, IPP 3A. IPP 3A widens the notification obligations for entities handling personal information obtained from third-party sources, rather than directly from the individuals to whom the information relates.

How IPP 3A works

IPP 3A requires entities collecting personal information about an individual from any person or entity other than the individual concerned to, as soon as is reasonably practicable after the information has been collected, take reasonable steps to ensure that the individual is aware of:

  • the fact that information has been collected;
  • the purpose of collection;
  • the intended recipients of the collected information;
  • the names and addresses of the agencies collecting and holding the information;
  • whether the collection of the information is authorised or required by or under the law (and specifying the particular law); and
  • the individual’s right to access and correct the information.

Exceptions to IPP 3A

There are a limited number of exceptions to IPP 3A. The primary exception is where the individual concerned has previously been made aware of the third-party collection and all the other details listed in the bullet points above.

Other exceptions include where the entity reasonably believes that:

  • non-compliance would not prejudice the interests of the individual concerned;
  • the information is publicly available information;
  • compliance would prejudice the purposes of the collection;
  • compliance is not reasonably practicable in the circumstances;
  • non-compliance is necessary for law enforcement, protecting public revenue, and/or the conduct of proceedings;
  • compliance would cause serious threats to the health and safety of the public or another individual;
  • non-compliance is necessary in the interests of national security or international relations;
  • the information would not be used in a form in which the individual would be identified (particularly for research or statistical purposes); or
  • compliance would disclose a trade secret likely to unreasonably prejudice the commercial position of the organisation supplying the information or the individual concerned.

Organisations seeking compliance

Organisations have until 1 May 2026 to become compliant with IPP 3A.

If you or your organisation wants to understand how to become compliant with the new requirements of the Act, particularly IPP 3A, it is important to seek advice from an experienced privacy lawyer.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are. At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.

Guy Goodwin and Raiyan Azmi