IPP3A - do you get indirect personal information?

With IPP3A coming into force on 1 May 2026, this blog reviews how it may impact 2Shakes users.

IPP3A applies if you indirectly share personal information

IPP3A stands for Information Privacy Principle 3A. A Privacy Amendment Act was passed in September 2025, and a major part of the Act was the addition of this new privacy principle.

Under IPP3A, if a business or organisation collects a person’s personal information from someone else indirectly, it is expected to tell the person and make sure they know. It needs to tell them the purpose, who received the information, the name and address of who collected it and who is storing it, what law it is collected under (if any), and what rights they have to access and correct it.

Does IPP3A apply to 2Shakes?

In general,* no - IPP3A isn’t for third parties! In 2Shakes’ normal course of business, 2Shakes is a third-party provider to our customers. While we collect and store client onboarding, AML, and client identity verification data through our cloud-based application, it isn’t our data. It’s collected entirely for your use. We don’t use it for our own purposes, so 2Shakes does not need to meet IPP3A requirements (instead we need to comply with section 11 of the Privacy Act). This will probably apply to most other cloud software, online forms, survey apps or other systems you use.

[*NOTE: IPP3A will apply to 2Shakes if you forward on a client’s email for support. In the 2Shakes terms of use and privacy policy we require you to inform someone if you share their personal information with us. IPP3A may also apply if passport or driver licence data is verified, because the NZ Credit Reporting Privacy Code requires the data to be used to maintain an access log of enquiries. We comply by explaining this in the Biometric IDV consent text, see below.]

Does IPP3A apply to me?

Maybe? IPP3A applies if you ever share private or personal information indirectly on or after 1 May 2026.

For Example: A bookkeeper who works with an accounting practice might share information about a client they have in common. The intent of IPP3A is that when someone’s information has been shared indirectly like this, they should know!

Does your client know when you give information about them to, or get it from, someone else?

Consider your practice and all the personal information you receive. Most of it you will probably get directly from your client. But is there anything else you receive or share? Take a moment now to consider:

  • Your indirect ‘Collection’ points
    Of all the personal information you hold - where did it all come from? How does it move between systems, teams and staff? Where does information leave your organisation?

  • Review any data sharing arrangements
    Does your business have any arrangements to share data? Do you work with any other organisations to deliver services? Do you have any contracts and data sharing agreements in place?

If it applies, what do I do?

You are expected to take reasonable steps to tell individuals when you have indirectly collected their information and why. You are NOT expected to spam your clients every time a field of information is shared! There is a range of examples of what is considered reasonable on the Privacy Commissioner’s website. This applies to information collected after 1 May 2026, so it doesn’t apply to information collected in the past.

You should consider advising new clients at the start of your relationship. If you have existing clients and you might collect indirect information about them after 1 May 2026, then you will also need to notify them by renewing your terms and/or privacy policy.

For Example: To meet IPP3A, the bookkeeper and accounting practice that often work for the same clients both update their terms and conditions and privacy policy. They send out renewed engagement letters to their clients, which include the refreshed terms and conditions that now include clauses that comply with IPP3A.

Can 2Shakes help me meet IPP3A?

Yes, we can. If IPP3A applies, you need to let people know what has been indirectly collected about them. The Privacy Commissioner talks about layered notifications and reasonable steps, and there are many useful examples on the Privacy Commissioner’s website.

A reasonable step is to inform your clients at the start of your relationship (or when you renew it), in your engagement letter or agreement, of any potential indirect sharing. This means you won’t necessarily need to tell them every time information is indirectly collected, as they already know.

Layered notifications are recommended by the Privacy Commissioner. When you provide information about IPP3A in different ways it increases the likelihood someone will know when their information might be indirectly shared.

Here are some different ways you might comply:

  • For all Clients - (Terms and Conditions)

    Your terms and conditions apply to all of your clients. Any indirect sharing that might apply should be described in your T&Cs. This ensures that all clients who sign up will have been notified of any potential indirect information sharing in advance. In 2Shakes, go to Business Profile > Terms & Conditions to update what is sent to clients when they sign an agreement.

  • For Specific Clients - (Agreement)

    If the indirect sharing is unique to a specific client, then you might include it in their specific agreement or engagement letter. In 2Shakes, for client sign-up, you can alter the standard general authority text to describe any indirect information that might be shared that is specific to that particular client’s engagement.

  • For everyone - (Privacy Policy)
    Your practice’s privacy policy can also describe what indirect information sharing situations occur in your business. This will cover any situations where you indirectly receive information about someone who is not a client. This should be available to anyone who might be impacted, so you may wish to publish it on your website.

What should I say about IPP3A?

Make sure you include:

  • A clear statement that personal information may be collected indirectly.

  • Who may collect or store the information (naming them or, if naming is not practicable, using categories/types, sector and location).

  • The purposes for which the information is collected.

  • What law it is collected under (if any).

  • What rights they have to access and correct it.

Example: The bookkeeper and accountant both add a clause to their terms and conditions as follows: “IPP3A - In the course of providing you with the services under our agreement we may need to collect information about you indirectly. If another professional financial services provider you work with has collected and stored your personal information, we may collect this information from them indirectly to allow us to meet the NZ Income Tax Act or the NZ Anti-Money Laundering and Countering Financing of Terrorism Act (AML/CFT Act) requirements in relation to the services we have agreed with you to provide. Our privacy policy <link> includes the names and addresses of other providers we work with and explains how you can access your information, and if required correct any personal information they hold about you.”

But I only do CDD and IDV with 2Shakes

If you don’t use 2Shakes for engagement letters and agreements, you will need to update whatever system you are using instead to communicate how you comply with IPP3A.

If you use 2Shakes for AML only and collect ID and CDD information, and you do not share that AML, CDD or identity information with anyone else, then it is likely that IPP3A will not impact your use of 2Shakes.

Below you can see what your client sees as they progress through the biometric identity verification process.

  • Biometric IDV Email:

    Dear [client],

    This email has been sent to you so that you may verify your identity for services with [your agency] on behalf of [client entity/entities]. To securely verify your identity online, please have either your drivers licence or passport ready, then click on the following link to enter your details: [verification URL]

  • Biometric mobile text (and email with the same link):
    Hi [client]. Please visit [verification URL] to verify your identity for [your Agency]. Thanks very much.

  • Privacy Consent statement (first screen on the biometric flow)
    Your Privacy Consent
    2Shakes Ltd (we, us) wants to verify your identity on behalf of the business that has requested it. To do this we need to collect your personal information, verify it against the records of a third party ID service provider, including the document issuer, and then make it available in the 2Shakes application for the business that requested the identity verification. Your information will be securely collected and handled in line with the 2Shakes Limited Privacy Policy.

    By proceeding, you consent to the following statement:
    I confirm that I am authorised to provide the personal details presented and I consent to the information being checked with third-party verification providers, which include verification by the document issuer or official record holder, for the purpose of identity verification. I understand that where applicable the NZ Credit Reporting Privacy Code requires them to maintain an access log of all enquiries and make this available to me upon request.

    [ ] I confirm that I have read and accept the Privacy Consent.

We hope this update has helped explain things. Please reach out to support if you have any questions.