Privacy Act Amendment: New Indirect Collection Obligations from 1 May 2026
Amendments to the Privacy Act 2020 will come into force on 1 May 2026, introducing a new Information Privacy Principle – IPP 3A. This change strengthens transparency obligations where personal information is collected indirectly, that is, from someone other than the individual concerned.
The new principle is particularly relevant for employers and agencies who regularly receive personal information via recruiters, referrers, other professional advisers, or third‑party agencies.
What does IPP 3A require?
Under IPP 3A, if an agency collects personal information about an individual from a third party, it must notify the individual as soon as practicable after collection.
The notification must include:
- confirmation that the individual’s personal information has been collected
- the purpose for which the information was collected
- who will receive the information
- the agency’s contact details
- whether the collection is required or authorised by law
- the individual’s rights to access and request correction of their information. This is a new and explicit obligation and goes beyond the previous general transparency requirements under IPP 3.
Key exceptions
IPP 3A does not apply in limited circumstances, including where:
- the information is publicly available
- collection is required or authorised by law
- notification would prejudice national security or reveal trade secrets. These exceptions should be applied carefully and, on a case-by‑case basis.
Common workplace scenarios
By way of example, IPP 3A will generally apply where personal information is received:
- through recruitment agencies
- from a client organisation about its employees
- from another government agency, unless a statutory exception applies.
- It will not apply where information is sourced solely from publicly available material, such as LinkedIn profiles.
What should employers and agencies do now?
In light of the new requirements, the practical “to do list” includes:
- Review and update privacy policies to address indirect collection and IPP 3A notification obligations.
- Update internal procedures to ensure individuals are notified promptly when information is received from third parties.
- Review templates and terms, including letters of engagement and contractor documentation, to ensure IPP 3A is appropriately reflected.
- Include IPP 3A in privacy training and compliance advice.
Agencies should ensure not only that their documentation is compliant, but that their practices in reality align with the new notification requirements.
Fixed Price Offers
To support your business in meeting your privacy obligations, we are offering a range of fixed price solutions:
New Best Practice Handbook: $3,500 plus GST. This includes the recent changes above, best practice policies and forms:
The Handbook covers the following policies:
- Standard of dress;
- Benefits;
- Privacy, including high level information on what should occur in a data breach situation;
- Filming and photography at work;
- Leave;
- Expenses;
- Performance review process;
- Electronic communications;
- Mobile phone;
- Criminal record checks for airfreight roles;
- Travel;
- Driving and vehicle use;
- Bullying, Harassment and Discrimination;
- Drug and Alcohol Testing; and
- Disciplinary Process
Privacy Training: $2,500 + GST. This one hour session is designed to be practical and engaging, helping leaders and teams understand their obligations, recognise privacy risks, and respond appropriately to privacy issues in day‑to‑day operations.
Privacy Policy: $1,000.00 + GST. For businesses requiring a standalone policy.
If you would like us to take advantage of any of these offers, please contact our team.
Disclaimer: We remind you that while this article provides commentary on employment law, health and safety and immigration topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek legal advice from your lawyer for any questions specific to your workplace.
