New Zealand Law Society - Guidance on Information Privacy Principle 3A for lawyers

The New Zealand Law Society Te Kāhui Ture o Aotearoa consulted with the Office of the Privacy Commissioner Te Mana Mātāpono Matatapu on this practice briefing.

This practice briefing is issued under the Lawyers and Conveyancers Act 2006 (LCA).[1]

It provides guidance for lawyers on the application of Information Privacy Principle (IPP) 3A, a new IPP introduced into the Privacy Act 2020 (Privacy Act) which took effect from 1 May 2026.  

It discusses the interaction between IPP3A, legal professional privilege, and the lawyer’s duty of confidentiality and provides practical guidance for lawyers on when IPP3A might apply to lawyers’ practices.  

Lawyers are encouraged to familiarise themselves with the requirements of IPP3A and to consider how it applies to the personal information they collect during their work.  

Lawyers may also be asked to provide advice to their clients on the application of IPP3A to the client’s collection of information. This is not addressed by this practice briefing and will need to be assessed by lawyers on a case-by-case basis when advising clients. More general guidance about the application of IPP3A and an IPP3A decision flow chart have been published by the Office of the Privacy Commissioner.

Summary  

Key points to note:  

  • Under the IPPs, all agencies must comply with the collection principles (IPP1 – 4) whenever they collect personal information. The definition of “agency” applies to lawyers practising on their own account, law firms, and other businesses, organisations and entities which lawyers may work for.  
  • IPP2 requires all agencies to collect personal information about an individual from the individual themselves unless an exception applies. If an exception applies, the agency should assess whether notification is required under IPP3A.
  • IPP3A requires all agencies to notify an individual about any indirect collection by the agency of personal information about that individual (i.e. personal information collected from another source) unless an exception applies. Each situation is fact specific and lawyers need to consider whether the IPP3A requirements apply and/or if any exceptions are relevant.  
  • The IPP3A notification obligation is to take reasonable steps to ensure the individual concerned is aware of certain matters, including the purpose of collection of their personal information, who it will be disclosed to, and the individual’s rights of access and correction.  
  • The reasonable steps must be taken as soon as reasonably practicable after the information has been collected (if not taken beforehand).  
  • If a lawyer is an agency and subject to the IPPs, they will also be subject to new IPP3A.  
  • However, a lawyer will not be required to comply with IPP3A if notifying the individual concerned would involve breaching legal professional privilege and/or the lawyer’s confidentiality obligations to their client. This is because privilege and the lawyer’s duty of confidentiality are paramount obligations at law, and the Privacy Act[2] provides that an action undertaken by an agency will not breach IPP3A if the action is authorised by or under New Zealand law. The Law Society’s view is that the non-disclosure/holding safe of a client’s information for reasons of privilege and/or confidentiality is such an action.
  • In any case, personal information that is confidential to a client engages the exception to IPP3A which says that compliance is not necessary when it would prejudice the purpose of collection.  
  • Legal professional privilege and the duty of confidentiality do not apply to all information collected by a lawyer. Lawyers wear different “hats” and different obligations to notify under IPP3A and different exceptions may apply depending on which “hat” they are wearing. Each situation will depend on its facts and lawyers will need to turn their minds to IPP3A and any relevant exceptions in the circumstances.  
  • IPP3A does not affect a lawyer’s obligation to meet the requirements of IPP3 when collecting personal information directly from the individual concerned (i.e. from clients).  

The table below summarises how IPP3A may apply to different categories of personal information collected by a lawyer and is intended as a guide only: 

| Type of personal information | Example | What notification is required? |
|---|---|---|
| Personal information received from the client (an individual) about themselves. | Name, address, basic contact information. | The lawyer should meet the requirements of IPP3, for instance via the lawyer’s terms of engagement. |
| Personal information received from a representative of a corporate client or a client which is not a natural person about other representatives of the client. | Name, address, basic contact information. | The lawyer should meet the requirements of IPP3A, for instance via the lawyer’s terms of engagement or other notification to the client. |
| Personal information received from a client about a third-party individual for the purpose of seeking legal advice. | A copy of an email sent by a client to a third-party individual after a lawyer-client relationship has commenced. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that the IPP3A obligation is superseded by legal advice privilege and the lawyer’s duty of confidentiality to their client. |
| Personal information contained in communications with a client for the purpose of preparing a brief of evidence. | Information about a defendant’s actions or statements. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that the IPP3A obligation is superseded by litigation privilege and the lawyer’s duty of confidentiality to their client. |
| A document containing personal information about a third party that is received from a client for the purpose of seeking legal advice but which was not created for that purpose. | Employee information contained in a performance review completed before a lawyer-client relationship existed. | No notification is likely required by the lawyer. After considering the particular facts and circumstances, the lawyer may reach the conclusion that, although legal advice privilege may not apply, the IPP3A obligation is superseded by the lawyer’s duty of confidentiality to their client. |
| Personal information received by an in-house lawyer about individuals because the individual is the subject of an interaction with the lawyer’s employer. | A report about a dangerous dog received by a territorial authority. | The lawyer does not themselves need to comply with IPP3A. Unless one of the exceptions in IPP3A applies, the employer (as an agency) should meet the notification requirements. |
| Personal information received by a lawyer in their capacity as a trustee because the individual is the subject of an interaction with the trust. | A Board paper about a child at a school where the lawyer is on the Board of Trustees. | The lawyer does not themselves need to comply with IPP3A. Unless one of the exceptions in IPP3A applies, the Board of Trustees for the school (as an agency) should meet the notification requirements. |
| Personal information received from a third party about a lawyer’s employee or prospective employee. | An employee reference check. | Unless one of the exceptions in IPP3A applies, the lawyer should meet the notification requirements. They may do this on the application form for the role they are advertising. |

Practical recommendations for lawyers  

  • Ensure your practice’s privacy officer is familiar with the new requirements.[3]
  • Undertake a review of the personal information you collect[4] and hold as part of your practice.
  • Consider what personal information you acquire and hold as a lawyer in a professional relationship with your client and what other “hats” you wear for the purpose of the personal information you acquire and hold. 
  • Consider whether, as part of your work, you collect personal information about an individual indirectly (from other sources). If so, you will need to be satisfied that you can rely on one of the exceptions in IPP2 to collect that information. 
  • For personal information you acquire outside your client retainers, consider how the IPP3A obligations apply to those. This is particularly important for lawyers who are employers or who operate in areas where client confidentiality may not apply.  
  • Consider whether your terms of engagement and/or your practice’s privacy policy should be updated to reflect any obligations you may hold under IPP3A to your clients. Updating the terms of engagement you send to your clients may enable you to front-foot these obligations, meaning you do not need to consider whether you need to meet them after the collection has occurred.
  • Consider whether you can cooperate with your colleagues (instructing solicitors, lawyers for another party) to cover off the IPP3A obligations on your behalf.

Background to IPP3A 

The collection principles in the Privacy Act require agencies to:  

  • Only collect information that is necessary for a lawful purpose connected with the functions or activities of the agency (IPP1). 
  • Unless an exception applies, collect personal information about an individual from the individual concerned (IPP2). 
  • Collect personal information lawfully, and by means that are fair and do not unreasonably intrude on an individual’s personal affairs (IPP4). 

Since the inception of the Privacy Act, IPP3 has required agencies to take reasonable steps to ensure that an individual is aware of certain matters when they collect personal information about the individual directly from that individual. These matters include information about the agency that is collecting the individual’s personal information, the purpose for which it is being collected, who the collecting agency will give the personal information to, if the collection is authorised or required under law, and the individual’s rights to access and seek correction of their information.  

Until recently, agencies did not need to provide this information to the individual if they were collecting the personal information from someone other than the individual concerned (sometimes referred to as indirect collection of information).  

From 1 May 2026, this has changed and new IPP3A also requires agencies to ensure that an individual is made aware of these matters where personal information is collected about the individual indirectly.  

As the Explanatory Note to the Bill that introduced this change to the Privacy Act states, the purpose of the amendment is to improve transparency for individuals about the collection of their personal information. New IPP3A is intended to ensure that individuals have the same information about the collection of their personal information by an agency regardless of who provided the information to the agency. It “addresses a current gap…” under which “an individual may not know that an agency holds their personal information”.  

There are some exceptions to the new requirement, which are discussed below.  

What does IPP3A require agencies to do?  

IPP3A requires agencies to take “reasonable steps” to ensure an individual is aware of certain matters if the agency collects personal information about the individual from someone other than the individual concerned.[5]

What must be notified?

If IPP3A applies, the agency must ensure the individual is aware of:[6]

  • The name and address of the agency collecting the personal information.   
  • The fact that personal information about the individual has been collected by the agency.  
  • The purpose for which the personal information has been collected by the agency.  
  • The intended recipients of the personal information.  
  • If the collection of the personal information is authorised or required by or under law, the law that authorises or requires it.  
  • The individual’s right to access the personal information or to seek correction of the information.  

Depending on the circumstances, given the information has been collected indirectly, this notification may be the first the individual becomes aware that the agency has collected their personal information.  

Reasonable steps and timeframes  

What will be a “reasonable” step to ensure an individual is aware of the information set out in IPP3A will depend on the circumstances and the nature of the personal information. Some steps may not be required in some scenarios but may be “reasonable” if the personal information is particularly sensitive or if the collection of the personal information could have an impact on the individual.  

The appropriate format to provide the notification may also depend on the nature of the personal information and the circumstances.  

The reasonable steps must be taken “as soon as is reasonably practicable after the [personal] information has been collected” unless the steps were taken prior to collection.[7]

When do the requirements in IPP3A not apply?

It is not necessary to provide the information required by IPP3A if:[8]

  • The agency (A) has already informed the individual of all the matters set out above in relation to Agency A’s collection of the personal information. This could apply if, for instance, Agency A regularly collects personal information about individuals from another agency. Provided the information and the group of people are the same and the matters in IPP3A(1) have not changed, Agency A would only need to inform the people about the matters in IPP3A the first time that the collection occurs.  
  • Another agency (B) has already informed the individual of all the matters required by IPP3A in relation to Agency A’s collection of the personal information. This could apply if, when Agency B collects personal information which it subsequently discloses to Agency A, Agency B includes in its own privacy statement all the matters in IPP3A about Agency A’s collection of the information from Agency B.  

It is also not necessary to provide the information required by IPP3A if an exception set out in IPP3A applies. The exceptions are if:[9]

  • The agency believes one or more of the following things on reasonable grounds:  
    • Non-compliance with IPP3A would not prejudice the interests of the individual concerned.  
    • The information is publicly available information.[10]
    • Non-compliance with IPP3A is necessary—
      • To avoid prejudice to the maintenance of the law by any public sector agency,[11] including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences.
      • For the enforcement of a law that imposes a pecuniary penalty. 
      • For the protection of public revenue.  
      • For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation). 
    • Compliance with IPP3A would prejudice the purposes of the collection.  
    • Compliance with IPP3A is not reasonably practicable in the circumstances of the particular case.  
    • Compliance with IPP3A would cause a serious threat[12] to—
      • Public health or safety.  
      • The health or safety of another individual.  
    • The information— 
      • Will not be used in a form in which the individual concerned is identified.  
      • Will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned. 
  • Compliance with IPP3A would: 
    • Disclose a trade secret.  
    • Be likely to unreasonably prejudice the commercial position of— 
      • The person who supplied the information; or 
      • The individual concerned. 

More general information about the interpretation of these exceptions can be found in Guidance issued by the Office of the Privacy Commissioner.   

Agencies are also not required to comply with the requirements of IPP3A if other New Zealand law requires that the notification is not made.[13] For this to apply, there would need to be a clear override of the requirement to make the notification under IPP3A in another statute, enactment or at common law.

Does IPP3A apply to lawyers?[14]

Yes. IPP3A will apply to a lawyer if the lawyer,[15] law practice or other body that the lawyer works for is an agency[16] subject to the IPPs.

Exceptions exist for lawyers working for:[17]

  • The Sovereign, Governor-General, House of Representatives, members of Parliament, the Parliamentary Service Commission, the Parliamentary Service, an Ombudsman, an inquiry, or news entities.  
  • The courts and tribunals but only in respect of their judicial functions.  

What about privilege and the lawyer’s duty of confidentiality?

Privilege and the lawyer’s duty of confidentiality. 

For many lawyers, most personal information they receive about third party individuals will likely be provided to the lawyer by the lawyer’s client(s) for the purpose of seeking or obtaining legal advice. 

In seeking legal advice, a client may provide personal information to their lawyer about their spouse, family members, friends, business partners, employer, employees, neighbours, and a range of other individuals. Examples of circumstances where a third party’s personal information may be disclosed by a client to their lawyer during a retainer include in relationship property disputes, employment matters, contractual disputes, claims for negligence, and conveyancing.  

Lawyers are bound by legal professional privilege and by strict confidentiality requirements arising at common law. The requirements are also captured, in the case of privilege, by the Evidence Act 2006 (Evidence Act), and, in the case of the duty of confidentiality, by Chapter 8 of the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 (Rules).[18]

Privilege generally applies more narrowly than the duty of confidence.[19] Legal advice privilege applies to confidential communications made between client and lawyer for the purpose of obtaining legal advice.[20] The document for which privilege is claimed must have come into being in the course of and for the purpose of obtaining legal services. By contrast, the obligation of confidentiality requires lawyers to protect and hold in strict confidence all information concerning a client, the retainer, and the client’s business and affairs that is acquired by the lawyer during the professional relationship.[21]

Both privilege and the lawyer’s duty of confidence are paramount aspects of the relationship between lawyer and client. They enable clients to instruct their lawyer and speak candidly with their lawyer with the confidence that what they divulge will remain confidential. Consequently, the duty of confidence applies broadly to all information acquired, and not only information that is specifically confidential.[22] It applies from the time a person makes a disclosure to a lawyer in relation to a proposed retainer and applies regardless of whether the retainer eventuates.[23]

Lawyers may also be bound by litigation privilege, which applies to communications made or information compiled for the dominant purpose of advancing or defending litigation.[24]

Relationship between privilege, the duty of confidentiality, and IPP3A 

Section 24 of the Privacy Act provides that “an action taken by an agency does not breach IPPs 1 to 5 … if the action is authorised or required by or under New Zealand law”. New Zealand law includes common law, the Evidence Act and the Rules. Because the dual obligations of privilege and confidentiality exist in law, where they apply, they will supersede the requirements of IPP3A (under s 24 of the Privacy Act). This is because the lawyer’s duties of privilege and confidentiality are paramount and a lawyer must not disclose any information to a third party that would involve undermining these duties.

In any case, where privilege or the duty of confidentiality applies, the IPP3A notification would not be required because of the exception to IPP3A which says that compliance is not necessary because it would prejudice the purpose of collection.[25] This is because disclosing information to a third party about the lawyer’s collection of personal information about that third party from their client would undermine the client’s privilege and/or the lawyer’s paramount duty of confidentiality and therefore prejudice the purposes of collection of the information. The prejudice would arise not only because the client had an expectation of confidentiality over the specific information they provided to their lawyer, but because clients in general terms have an expectation of confidentiality over all information they provide to their lawyer that concerns them or the retainer.

What do lawyers need to do?  

IPP3 continues to apply. 

IPP3A does not affect the application of the other IPPs including IPP3. IPP3 requires agencies to provide specific information to individuals when they collect personal information directly from that individual.  

Many lawyers will primarily collect personal information directly from their clients. In these circumstances, the lawyer should address the matters required by IPP3 in the lawyer’s terms of engagement.  

Consider what “hat” you are wearing.  

Some lawyers wear a range of hats, and some work done by lawyers may not engage the lawyer’s duty of confidence to a client and/or legal professional privilege. For instance, lawyers who act as mediators do not engage with client information when conducting a mediation (other exceptions to IPP3A may apply, however, given that mediations are generally confidential to the parties). Similarly, lawyers who are trustees or professional directors are not necessarily engaging with personal information that is subject to privilege or their duty of confidentiality to a client. In such a situation, although the IPP3A requirements may not apply specifically to the lawyer, they will likely apply to an associated “agency”, and lawyers will need to be alert to that. There may be other scenarios where lawyers collect personal information for their work where the duty of confidentiality and/or privilege will not apply.

Client information.  

As set out above, in most cases, privilege and the duty of confidence to their clients will mean that a lawyer is not required to meet the IPP3A requirements in respect of personal information collected by a lawyer about third party individuals for the purpose of their client’s retainer.  

However, lawyers are encouraged to turn their minds to their IPP3A obligations when information is received about individuals even in the context of a client retainer. This is because, sometimes, privilege and/or the lawyer’s confidentiality obligations will not prevent IPP3A applying. For instance:  

  • There are many scenarios in which a lawyer might receive information about their client from a third party.[26] One example is a barrister receiving personal information about a client from an instructing solicitor: the solicitor’s and barrister’s mutual confidentiality obligations to the client would not prevent the barrister from informing the client of the matters in IPP3A.[27]
  • The client may be a corporate entity, charity, partnership or other entity with multiple owners or directors. The lawyer may meet with one individual representing the entity who provides the lawyer with information about other owners or directors. In this case, the lawyer’s duty of confidentiality to the client entity may not prevent the lawyer from meeting the IPP3A requirements in respect of the other owners or partners.[28]

Specific considerations may arise for in-house lawyers, who should already be familiar with the privacy policy and processes of their employer organisation. While an in-house lawyer has obligations of privilege and confidence to their client (their employer), not all personal information the lawyer will see as part of their job will be captured by those duties. Some in-house lawyers may undertake executive (rather than legal) duties. Even if the lawyer is acting as a legal adviser, there may be personal information that the lawyer handles that has been indirectly collected by their employer which may simply be information held by their employer as part of their employer’s functions. In this case, the employer (as an agency) will be required to comply with IPP3A (unless an exception applies).  

There may be other scenarios where the duty of confidentiality and/or privilege do not prevent the lawyer from making the IPP3A notification.  

Other personal information  

Lawyers may hold personal information about other individuals as part of their practice that does not relate to their clients or instructions.  

This is particularly the case for lawyers who employ staff. Careful consideration should be given to when a lawyer collects personal information about staff indirectly (an example is reference-checking) to ensure the lawyer understands when the IPP3A obligations may arise.


  • [1] Section 67(3).
  • [2] Privacy Act, s 24(2).
  • [3] Every agency must have a privacy officer: Privacy Act, s 201.
  • [4] The IPP3A requirements do not apply if personal information is not “collected” by the agency. “Collect” is defined in s 7 of the Privacy Act to mean “to take any step to seek or obtain the personal information, but does not include receipt of unsolicited information”.
  • [5] The guidance that follows assumes that the requirements of IPP2(2) are met; that is, that the agency collecting the personal information has a basis to collect the personal information other than from the individual concerned.
  • [6] IPP3A(1). This differs in one respect from the requirements of IPP3, which also requires the agency to tell the individual what consequences may arise for the individual if all or part of the information is not provided.
  • [7] IPP3A(2).
  • [8] IPP3A(3).
  • [9] IPP3A(4), (5), (6), and (7). Many of these exceptions are the same as the exceptions that apply to IPP3, although some exceptions listed only apply to IPP3A. Additional exceptions exist for some personal information that is unlikely to apply to the work of many lawyers (such as for material due to be archived and for material relating to security, defence and international relations of New Zealand, the Cook Islands, Niue, Tokelau and the Ross Dependency) and are therefore not referenced here.
  • [10] “Publicly available information” is defined in s 7 of the Privacy Act.
  • [11] “Public sector agency” is defined in s 7 of the Privacy Act.
  • [12] “Serious threat” is defined in s 7 of the Privacy Act.
  • [13] Privacy Act, s 24.
  • [14] As noted above, although the requirements will also apply to lawyers’ clients, this practice briefing does not address how lawyers should advise their clients on these matters.
  • [15] Personal information collected by lawyers for their personal or domestic affairs is exempt: Privacy Act, s 27.
  • [16] “Agency” is defined in s 4 of the Privacy Act.
  • [17] Privacy Act, s 8(b).
  • [18] Most lawyers’ retainers with their clients will also confirm the duty of confidentiality over client communications.
  • [19] The Law Society has issued guidance on the meaning of “privileged communications” in the context of reporting suspicious activities under the AML/CFT regime. This guidance can be found here and may assist lawyers in determining whether any particular communication is subject to privilege in the context of the notification requirements under IPP3A.
  • [20] Evidence Act, s 54.
  • [21] Rule 8.
  • [22] Refer footnote 10 to Rule 8, which specifically states that information that is acquired in the course of the professional relationship but widely or publicly known will nevertheless be subject to the lawyer’s duty of confidentiality.
  • [23] Rule 8.1.
  • [24] Evidence Act 2006, s 56.
  • [25] IPP3A(4)(d).
  • [26] Rule 7 requires a lawyer to “promptly disclose to a client all information that the lawyer has or acquires that is relevant to the matter in respect of which the lawyer is engaged by the client”.
  • [27] Quite possibly, the solicitor would cover the matters in IPP3A on behalf of the barrister, meaning that no further notification by the barrister is needed under IPP3A(3).
  • [28] This could likely be achieved via the lawyer’s terms of engagement with that client.