New indirect collection notification requirements take effect 1 May 2026 – and payroll is at the centre of it

Published: February 2026  |  Reading time: 10 minutes  |  Category: Privacy & Compliance

If you run a business in New Zealand, handle employee data, or outsource your payroll processing, there is a significant privacy law change coming that you cannot afford to ignore.

The Privacy Amendment Act 2025 received Royal Assent on 23 September 2025, introducing the new Information Privacy Principle 3A (IPP 3A) into the Privacy Act 2020. This new principle takes effect on 1 May 2026 and fundamentally changes how organisations must handle personal information that is collected indirectly – that is, from sources other than the individual themselves.

For payroll outsourcing arrangements, where sensitive employee information routinely flows between employers, payroll providers, Inland Revenue, and KiwiSaver providers, the implications are substantial. Both employers and their payroll service providers need to understand their respective obligations and take action before the commencement date.

Why This Matters for Payroll

Until now, the Privacy Act 2020 has only required organisations to notify individuals when collecting personal information directly from them under IPP 3. There has been no equivalent requirement for indirect collection – meaning employees may have had no idea that their personal information was being collected and processed by third parties involved in their payroll.

IPP 3A closes this gap. It requires any agency that collects personal information from a source other than the individual to take reasonable steps to ensure that person is made aware of specified matters, including who is collecting their information, why, and what rights they have.

As Privacy Commissioner Michael Webster noted when the Act passed: the reform “helps keep our privacy law in line with other countries like Australia, the UK and Europe.” Indeed, the introduction of IPP 3A was driven in part by the need to maintain New Zealand’s EU adequacy status under the General Data Protection Regulation (GDPR), where Article 14 already imposes similar obligations.

What is Indirect Collection?

Indirect collection occurs whenever an organisation obtains personal information about an individual from someone other than that individual. In the payroll context, this happens constantly.

Consider the typical flow of information in an outsourced payroll arrangement:

• An employer provides employee details – names, addresses, bank account numbers, IRD numbers, salary information, and leave balances – to their payroll provider.
• Inland Revenue confirms or provides tax code information and KiwiSaver status directly to the payroll provider through electronic filing systems.
• KiwiSaver providers communicate contribution rates and membership details.
• Other authorised third parties may provide information required for payroll processing, such as child support deduction notices from Inland Revenue or attachment orders.

Each of these information flows involves the payroll provider collecting personal information indirectly. Under IPP 3A, each instance potentially triggers notification obligations.

The Service Provider Nuance

Here is where it gets nuanced for payroll outsourcing. Under section 11 of the Privacy Act 2020, when a third party holds or processes information solely on behalf of the collecting agency and does not use it for its own purposes, the employer – not the service provider – is generally considered to be the collecting agency.

The IAPP has noted that IPP 3A “will not apply to the collection of personal information from a third party that is acting as a service provider to an organisation – that is, a data processor.” In this scenario, the employer is deemed to be collecting the information directly from the employee, albeit via the service provider.

However, payroll providers are not always acting purely as data processors. In practice, a payroll outsourcing provider like The Paymasters may also:

• Collect information directly from Inland Revenue through electronic filing and gateway services.
• Receive KiwiSaver-related communications from scheme providers.
• Process child support notices and other statutory deductions received from government agencies.
• Retain and use information across multiple pay periods for compliance and reporting purposes.

In these situations, The Paymasters may be an indirect collector in its own right, triggering IPP 3A obligations independently of the employer’s obligations. The Office of the Privacy Commissioner’s final guidance confirms that multiple agencies in a chain can each be indirect collectors, and each has obligations under IPP 3A.

What Must Individuals Be Told?

When IPP 3A applies, the collecting agency must take reasonable steps to ensure the individual is aware of the following matters:

Requirement	Payroll Context
Fact of collection	Employee must be told their personal information has been collected by the payroll provider
Purpose of collection	Processing payroll, calculating PAYE, administering KiwiSaver, managing leave entitlements, statutory reporting
Intended recipients	Inland Revenue, KiwiSaver providers, the employer, ACC, any other parties as required by law
Name and address of collecting agency	The Paymasters Limited (or relevant payroll provider) and their business address
Legal authority for collection	Income Tax Act 2007, Tax Administration Act 1994, Holidays Act 2003, KiwiSaver Act 2006, Employment Relations Act 2000
Rights of access and correction	The individual’s rights under IPP 6 (access) and IPP 7 (correction) of the Privacy Act 2020

The OPC’s final guidance confirms that in most cases, notification can be provided through an agency’s privacy policy – whether as a paper notice, online statement, or through onboarding materials. Agencies may also adopt a layered approach, providing a full explanation initially and shorter reminders over time.

When Notification is Not Required

IPP 3A includes the same exceptions as IPP 3, plus additional exceptions specifically for indirect collection. Notification is not required where:

• The individual is already aware – for example, because the employer has already notified the employee that payroll processing is outsourced and has provided details of the payroll provider’s collection practices.
• The payroll provider is acting solely as a service provider – under section 11 of the Privacy Act, the employer is the collecting agency and the notification obligation rests with the employer.
• Notification is not reasonably practicable – though this exception should be relied on cautiously and documented.
• Non-compliance would not prejudice the individual’s interests – such as where the collection is routine and will not be used in ways likely to impact the individual.
• The information is publicly available – a new exception under IPP 3A not available under IPP 3.
• The collection relates to law enforcement, security, or public safety – unlikely to apply in routine payroll scenarios.

Critically, the OPC’s guidance makes clear that if a collecting agency relies on the “individual already aware” exception, it must have a reasonable basis – supported by evidence, not assumption – for believing the individual has been informed. In practice, this means payroll providers cannot simply assume employers have notified their employees; this expectation should be documented in the service agreement.

Practical Implications for Employers Using Outsourced Payroll

If you outsource your payroll to a provider like The Paymasters, here is what you need to understand about your obligations from 1 May 2026:

Your Notification Responsibility

Where The Paymasters acts as your service provider under section 11 of the Privacy Act – holding and processing employee information on your behalf – you as the employer are the collecting agency. The notification obligation rests with you, not The Paymasters.

This means your employment agreements, onboarding documentation, and privacy notices must clearly inform employees that:

• Payroll processing is outsourced to a third-party provider.
• The name and address of the payroll provider (The Paymasters Limited).
• The types of personal information that will be shared.
• The purposes for which the information will be used.
• The employee’s rights of access to and correction of their personal information.

Contractual Obligations

The OPC’s guidance emphasises that service agreements and outsourcing contracts must be updated to include IPP 3A obligations, including which party is responsible for notification and what evidence or reporting is required to demonstrate compliance. This is not optional – it is a direct recommendation from the Privacy Commissioner’s office.

How The Paymasters is Preparing for IPP 3A

At The Paymasters, we have been closely monitoring the development of IPP 3A since the Privacy Amendment Bill was introduced to Parliament in September 2023. We are implementing a comprehensive compliance framework ahead of the 1 May 2026 commencement date.

Our Approach Includes:

1. Updated Client Service Agreements – Our service agreements are being updated to clearly define IPP 3A responsibilities, including notification obligations, evidence requirements, and the allocation of responsibility between employer and payroll provider.
2. Standard Notification Templates – We are developing template privacy notices for our client employers to use during employee onboarding, ensuring employees are informed that payroll processing is outsourced and that their personal information will be collected and processed by The Paymasters.
3. Direct Notification Processes – Where we collect information from third parties other than the employer (for example, from Inland Revenue or KiwiSaver providers), we are developing notification processes to inform individuals directly, as required.
4. Privacy Notices on Employee-Facing Communications – We are reviewing all employee-facing communications, including payslips and correspondence, to ensure appropriate privacy notices are included.
5. Staff Training – All Paymasters staff are being trained on IPP 3A requirements and notification procedures to ensure consistent and compliant handling of personal information.
6. Data Flow Mapping – We are conducting comprehensive data flow mapping to identify every instance of indirect collection across our operations, ensuring no notification obligation is overlooked.
7. Governance and Record Keeping – We are establishing clear governance structures and maintaining records of our notification decisions, exception reliance, and compliance evidence – as recommended by the OPC.

Key Dates and Timeline

Date	Event
September 2023	Privacy Amendment Bill introduced to Parliament
23 September 2025	Privacy Amendment Act 2025 received Royal Assent
24 September 2025	Part 2 technical amendments came into force
Late 2025	OPC published final guidance on IPP 3A
1 May 2026	IPP 3A takes effect – applies to information collected from this date onwards

Important: IPP 3A applies only to personal information collected on or after 1 May 2026. Information already held before this date is not retrospectively subject to the notification requirements. However, any new collection of personal information from that date – including routine monthly payroll data flows – will be covered.

What Employers Should Do Now

With less than three months until IPP 3A takes effect, employers should take the following steps:

• Audit your data flows – Identify every instance where personal information about employees is collected from sources other than the employees themselves.
• Review your privacy notices and employment agreements – Ensure they clearly disclose any outsourced payroll arrangements and name the payroll provider.
• Update your onboarding processes – Ensure new employees are notified at the right stage about how their information will be collected and processed.
• Review your payroll service agreement – Ensure it addresses IPP 3A obligations, including who is responsible for notification and how compliance will be evidenced.
• Talk to your payroll provider – Understand what steps they are taking to comply with IPP 3A and what they need from you to support compliance.

The Bigger Picture: Why Professional Payroll Matters

IPP 3A is yet another example of the increasing regulatory complexity surrounding payroll in New Zealand. When you add this to the existing requirements of the Holidays Act 2003, the Employment Relations Act 2000, KiwiSaver legislation, and the ever-evolving tax compliance landscape, the case for professional payroll management has never been stronger.

Businesses that attempt to manage payroll in-house without dedicated expertise are increasingly exposed to compliance risks they may not even be aware of. The “she’ll be right” approach to payroll is no longer viable in a regulatory environment that demands documented processes, proactive notifications, and evidence-based compliance.

At The Paymasters, we don’t just process your payroll – we stay across the legislative landscape so you don’t have to. IPP 3A compliance is one more reason why outsourcing your payroll to a dedicated professional service makes sound business sense.

Need Help Preparing for IPP 3A? Whether you need to review your payroll service arrangements, update your privacy notices, or explore outsourcing your payroll to a provider that takes compliance seriously, we are here to help. Contact us for a confidential discussion about how we can support your IPP 3A readiness.

Sources and References

• Privacy Amendment Act 2025 (No 53) – New Zealand Legislation
• Privacy Act 2020 – New Zealand Legislation
• Office of the Privacy Commissioner – IPP 3A Guidance (privacy.org.nz)
• Office of the Privacy Commissioner – Working with Third-Party Providers Guidance
• Ministry of Justice – Enhancing the Privacy Act (justice.govt.nz)
• IAPP – NZ Privacy Amendment Act Broadens Privacy Notification Obligation (iapp.org)
• Bell Gully – Preparing for IPP 3A: New Requirements Effective 1 May 2026
• MinterEllisonRuddWatts – Final IPP 3A Guidance Released
• Anthony Harper – New Zealand’s Privacy Law is Changing: What is the New IPP 3A?

Related Reading on The Paymasters Blog:

• Payroll System Migration: Hidden Risks and How to Avoid Them
• Why “She’ll Be Right” Doesn’t Work for Payroll in 2026