The New Zealand Law Society Te Kāhui Ture o Aotearoa consulted with the Office of the Privacy Commissioner Te Mana Mātāpono Matatapu on this practice briefing.
This practice briefing is issued under the Lawyers and Conveyancers Act 2006 (LCA).1
It provides guidance for lawyers on the application of Information Privacy Principle (IPP) 3A, a new IPP introduced into the Privacy Act 2020 (Privacy Act) which took effect from 1 May 2026.
It discusses the interaction between IPP3A, legal professional privilege, and the lawyer’s duty of confidentiality and provides practical guidance for lawyers on when IPP3A might apply to lawyers’ practices.
Lawyers are encouraged to familiarise themselves with the requirements of IPP3A and to consider how it applies to the personal information they collect during their work.
Lawyers may also be asked to provide advice to their clients on the application of IPP3A to the client’s collection of information. This is not addressed by this practice briefing and will need to be assessed by lawyers on a case-by-case basis when advising clients. More general guidance about the application of IPP3A and an IPP3A decision flow chart have been published by the Office of the Privacy Commissioner.
The table below summarises how IPP3A may apply to different categories of personal information collected by a lawyer and is intended as a guide only:
| Type of personal information | Example | What notification is required? |
| --- | --- | --- |
| Personal information received from the client (an individual) about themselves. | Name, address, basic contact information. | The lawyer should meet the requirements of IPP3, for instance via the lawyer’s terms of engagement. |
| Personal information received from a representative of a corporate client or a client which is not a natural person about other representatives of the client. | Name, address, basic contact information. | The lawyer should meet the requirements of IPP3A, for instance via the lawyer’s terms of engagement or other notification to the client. |
| Personal information received from a client about a third-party individual for the purpose of seeking legal advice. | A copy of an email sent by a client to a third-party individual after a lawyer-client relationship has commenced. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that the IPP3A obligation is superseded by legal advice privilege and the lawyer’s duty of confidentiality to their client. |
| Personal information contained in communications with a client for the purpose of preparing a brief of evidence. | Information about a defendant’s actions or statements. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that the IPP3A obligation is superseded by litigation privilege and the lawyer’s duty of confidentiality to their client. |
| A document containing personal information about a third party that is received from a client for the purpose of seeking legal advice but which was not created for that purpose. | Employee information contained in a performance review completed before a lawyer-client relationship existed. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that, although legal advice privilege may not apply, the IPP3A obligation is superseded by the lawyer’s duty of confidentiality to their client. |
| Personal information received by an in-house lawyer about individuals because the individual is the subject of an interaction with the lawyer’s employer. | A report about a dangerous dog received by a territorial authority. | The lawyer does not themselves need to comply with IPP3A. Unless one of the exceptions in IPP3A applies, the employer (as an agency) should meet the notification requirements. |
| Personal information received by a lawyer in their capacity as a trustee because the individual is the subject of an interaction with the trust. | A Board paper about a child at a school where the lawyer is on the Board of Trustees. | The lawyer does not themselves need to comply with IPP3A. Unless one of the exceptions in IPP3A applies, the Board of Trustees for the school (as an agency) should meet the notification requirements. |
| Personal information received from a third party about a lawyer’s employee or prospective employee. | An employee reference check. | Unless one of the exceptions in IPP3A applies, the lawyer should meet the notification requirements. They may do this on the application form for the role they are advertising. |
The collection principles in the Privacy Act require agencies to:
Since the inception of the Privacy Act, IPP3 has required agencies to take reasonable steps to ensure that an individual is aware of certain matters when they collect personal information about the individual directly from that individual. These matters include information about the agency that is collecting the individual’s personal information, the purpose for which it is being collected, who the collecting agency will give the personal information to, if the collection is authorised or required under law, and the individual’s rights to access and seek correction of their information.
Until recently, agencies did not need to provide this information to the individual if they were collecting the personal information from someone other than the individual concerned (sometimes referred to as indirect collection of information).
From 1 May 2026, this has changed and new IPP3A also requires agencies to ensure that an individual is made aware of these matters where personal information is collected about the individual indirectly.
As the Explanatory Note to the Bill that introduced this change to the Privacy Act states, the purpose of the amendment is to improve transparency for individuals about the collection of their personal information. New IPP3A is intended to ensure that individuals have the same information about the collection of their personal information by an agency regardless of who provided the information to the agency. It “addresses a current gap…” under which “an individual may not know that an agency holds their personal information”.
There are some exceptions to the new requirement, which are discussed below.
IPP3A requires agencies to take “reasonable steps” to ensure an individual is aware of certain matters if the agency collects personal information about the individual from someone other than the individual concerned.5
If IPP3A applies, the agency must ensure the individual is aware of:6
Depending on the circumstances, given the information has been collected indirectly, this notification may be the first the individual becomes aware that the agency has collected their personal information.
What will be a “reasonable” step to ensure an individual is aware of the information set out in IPP3A will depend on the circumstances and the nature of the personal information. Some steps may not be required in some scenarios but may be “reasonable” if the personal information is particularly sensitive or if the collection of the personal information could have an impact on the individual.
The appropriate format to provide the notification may also depend on the nature of the personal information and the circumstances.
The reasonable steps must be taken “as soon as is reasonably practicable after the [personal] information has been collected” unless the steps were taken prior to collection.7
It is not necessary to provide the information required by IPP3A if:8
It is also not necessary to provide the information required by IPP3A if an exception set out in IPP3A applies. The exceptions are if:9
More general information about the interpretation of these exceptions can be found in Guidance issued by the Office of the Privacy Commissioner.
Agencies are also not required to comply with the requirements of IPP3A if other New Zealand law requires that the notification is not made.13 For this to apply, there would need to be a clear override of the requirement to make the notification under IPP3A in another statute, enactment or at common law.
Yes. IPP3A will apply to a lawyer if the lawyer,15 law practice or other body that the lawyer works for is an agency16 subject to the IPPs.
Exceptions exist for lawyers working for:17
For many lawyers, most personal information they receive about third party individuals will likely be provided to the lawyer by the lawyer’s client(s) for the purpose of seeking or obtaining legal advice.
In seeking legal advice, a client may provide personal information to their lawyer about their spouse, family members, friends, business partners, employer, employees, neighbours, and a range of other individuals. Examples of circumstances where a third party’s personal information may be disclosed by a client to their lawyer during a retainer include in relationship property disputes, employment matters, contractual disputes, claims for negligence, and conveyancing.
Lawyers are bound by legal professional privilege and by strict confidentiality requirements arising at common law. The requirements are also captured, in the case of privilege, by the Evidence Act 2006 (Evidence Act) and, in the case of the duty of confidentiality, by Chapter 8 of the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 (Rules).18
Privilege generally applies more narrowly than the duty of confidence.19 Legal advice privilege applies to confidential communications made between client and lawyer for the purpose of obtaining legal advice.20 The document for which privilege is claimed must have come into being in the course of and for the purpose of obtaining legal services. By contrast, the obligation of confidentiality requires lawyers to protect and hold in strict confidence all information concerning a client, the retainer, and the client’s business and affairs that is acquired by the lawyer during the professional relationship.21
Both privilege and the lawyer’s duty of confidence are paramount aspects of the relationship between lawyer and client. They enable clients to instruct their lawyer and speak candidly with their lawyer with the confidence that what they divulge will remain confidential. Consequently, the duty of confidence applies broadly to all information acquired, and not only information that is specifically confidential.22 It applies from the time a person makes a disclosure to a lawyer in relation to a proposed retainer and applies regardless of whether the retainer eventuates.23
Lawyers may also be bound by litigation privilege, which applies to communications made or information compiled for the dominant purpose of advancing or defending litigation.24
Section 24 of the Privacy Act provides that “an action taken by an agency does not breach IPPs 1 to 5 … if the action is authorised or required by or under New Zealand law”. New Zealand law includes common law, the Evidence Act and the Rules. Because the dual obligations of privilege and confidentiality exist in law, where they apply, they will supersede the requirements of IPP3A (under s 24 of the Privacy Act). This is because the lawyer’s duties of privilege and confidentiality are paramount and a lawyer must not disclose any information to a third party that would involve undermining these duties.
In any case, where privilege or the duty of confidentiality applies, the IPP3A notification would not be required because of the exception to IPP3A which says that compliance is not necessary because it would prejudice the purpose of collection.25 This is because disclosing information to a third party about the lawyer’s collection of personal information about that third party from their client would undermine the client’s privilege and/or the lawyer’s paramount duty of confidentiality and therefore prejudice the purposes of collection of the information. The prejudice would arise not only because the client had an expectation of confidentiality over the specific information they provided to their lawyer, but because clients in general terms have an expectation of confidentiality over all information they provide to their lawyer that concerns them or the retainer.
IPP3A does not affect the application of the other IPPs including IPP3. IPP3 requires agencies to provide specific information to individuals when they collect personal information directly from that individual.
Many lawyers will primarily collect personal information directly from their clients. In these circumstances, the lawyer should address the matters required by IPP3 in the lawyer’s terms of engagement.
Some lawyers wear a range of hats, and some work done by lawyers may not engage the lawyer’s duty of confidence to a client and/or legal professional privilege. For instance, lawyers who act as mediators do not engage with client information when conducting a mediation (other exceptions to IPP3A may apply, however, given that mediations are generally confidential to the parties). Similarly, lawyers who are trustees or professional directors are not necessarily engaging with personal information that is subject to privilege or their duty of confidentiality to a client. In such a situation, although the IPP3A requirements may not apply specifically to the lawyer, they will likely apply to an associated “agency”, and lawyers will need to be alert to that. There may be other scenarios where lawyers collect personal information for their work where the duty of confidentiality and/or privilege will not apply.
As set out above, in most cases, privilege and the duty of confidence to their clients will mean that a lawyer is not required to meet the IPP3A requirements in respect of personal information collected by a lawyer about third party individuals for the purpose of their client’s retainer.
However, lawyers are encouraged to turn their minds to their IPP3A obligations when information is received about individuals even in the context of a client retainer. This is because, sometimes, privilege and/or the lawyer’s confidentiality obligations will not prevent IPP3A applying. For instance:
Specific considerations may arise for in-house lawyers, who should already be familiar with the privacy policy and processes of their employer organisation. While an in-house lawyer has obligations of privilege and confidence to their client (their employer), not all personal information the lawyer will see as part of their job will be captured by those duties. Some in-house lawyers may undertake executive (rather than legal) duties. Even if the lawyer is acting as a legal adviser, there may be personal information that the lawyer handles that has been indirectly collected by their employer which may simply be information held by their employer as part of their employer’s functions. In this case, the employer (as an agency) will be required to comply with IPP3A (unless an exception applies).
There may be other scenarios where the duty of confidentiality and/or privilege do not prevent the lawyer from making the IPP3A notification.
Lawyers may hold personal information about other individuals as part of their practice that does not relate to their clients or instructions.
This is particularly the case for lawyers who employ staff. Careful consideration should be given to when a lawyer collects personal information about staff indirectly (an example is reference-checking) to ensure the lawyer understands when the IPP3A obligations may arise.