Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Tūhono│Connect

Print | Email this page

Have your say

Proposed amendments to implement IPP3A in codes of practice

The Privacy Commissioner is considering amending some codes of practice to implement IPP3A, the new information privacy principle added to the Privacy Act from 1 May 2026. IPP3A changes agencies’ obligations when collecting information indirectly, meaning not from the individual it is about.

We are asking for submissions on specific codes and our general approach

Codes of practice issued under the Privacy Act modify the application of the information privacy principles (IPPs) for a particular sector, industry, or type of personal information. There are seven codes of practice in force, but only four of them replace all of the IPPs. Please note that the Civil Defence National Emergencies (Information Sharing) Code 2020 is also included below because we need to update a formatting error.

We are proposing amendments to these four codes of practice to add specific rules to implement IPP3A. If we don’t add specific rules, IPP3A would still apply, but without any of the specific rules or exceptions that exist under each code. We propose to add a new rule 3A to each code which implements IPP3A and aligns with the existing rules in each code, including relevant exceptions. We think this will be clearer, more consistent, and easier for agencies, while improving transparency about indirect collection under IPP3A.

We are also proposing changes to address errors and update the language of codes, including minor changes proposed for the Civil Defence National Emergencies (Information Sharing) Code 2020, and changes to align with the Statutes Amendment Act 2025.

At a later date we also plan to develop specific guidance for indirect notification requirements under the Health Information Privacy Code, and we will contact stakeholders about that too. 

We are sharing a set of information papers to make consultation easier

We’re proposing changes to different codes. Some submitters may wish to engage only with the codes most relevant to them. To make this easier, we are sharing a set of information papers, amendments, and marked up changes to codes as below:

How to make a submission

Submissions are due by 4:00pm on Monday 16 February 2026

To make a submission, click the links to read our background documents and then email your comments to IPP3A@privacy.org.nz in the body of an email, or as a pdf or Word document.

General information paper on IPP3A amendments

Changes to the Biometric Processing Privacy Code 2025 (BPPC)

Changes to the Civil Defence National Emergencies (Information Sharing) Code 2020 - fixing formatting errors

Changes to the Credit Reporting Privacy Code 2020 (CRPC)

Changes to the Health Information Privacy Code 2020 (HIPC)

Changes to the Telecommunications Information Privacy Code 2020 (TIPC)

Back to top