Privacy Act Amendment: New Indirect Collection Obligations from 1 May 2026

Sharon Greig • 24 March 2026

Amendments to the Privacy Act 2020 will come into force on 1 May 2026, introducing a new Information Privacy Principle – IPP 3A. This change strengthens transparency obligations where personal information is collected indirectly, that is, from someone other than the individual concerned.


The new principle is particularly relevant for employers and agencies who regularly receive personal information via recruiters, referrers, other professional advisers, or third‑party agencies.


What does IPP 3A require?

Under IPP 3A, if an agency collects personal information about an individual from a third party, it must notify the individual as soon as practicable after collection.


The notification must include:

  • confirmation that the individual’s personal information has been collected
  • the purpose for which the information was collected
  • who will receive the information
  • the agency’s contact details
  • whether the collection is required or authorised by law
  • the individual’s rights to access and request correction of their information. This is a new and explicit obligation and goes beyond the previous general transparency requirements under IPP 3.


Key exceptions

IPP 3A does not apply in limited circumstances, including where:

  • the information is publicly available
  • collection is required or authorised by law
  • notification would prejudice national security or reveal trade secrets. These exceptions should be applied carefully and, on a case-by‑case basis.


Common workplace scenarios

By way of example, IPP 3A will generally apply where personal information is received:

  • through recruitment agencies
  • from a client organisation about its employees
  • from another government agency, unless a statutory exception applies.
  • It will not apply where information is sourced solely from publicly available material, such as LinkedIn profiles.


What should employers and agencies do now?

In light of the new requirements, the practical “to do list” includes:

  • Review and update privacy policies to address indirect collection and IPP 3A notification obligations.
  • Update internal procedures to ensure individuals are notified promptly when information is received from third parties.
  • Review templates and terms, including letters of engagement and contractor documentation, to ensure IPP 3A is appropriately reflected.
  • Include IPP 3A in privacy training and compliance advice.


Agencies should ensure not only that their documentation is compliant, but that their practices in reality align with the new notification requirements.


If you would like assistance updating your privacy policies, templates, or training materials, please contact us.


Disclaimer: We remind you that while this article provides commentary on employment law, health and safety and immigration topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek legal advice from your lawyer for any questions specific to your workplace. 



< Older Post

 Newer Post >