New Zealand Enforces Notification for Indirect Data Collection Starting May 2026
Daily Brief

New Zealand’s Privacy Amendment Act 2025 requires notice when organizations collect personal data indirectly. Passed September 23, 2025; rules take effect May 1, 2026.

New Zealand is tightening transparency rules for personal data collected “indirectly” (i.e., not from the individual). The new notice obligation lands May 1, 2026—giving data teams a fixed deadline to map sources, update pipelines, and operationalize access/correction workflows.

New Zealand’s Privacy Amendment Act 2025 adds notice duties for indirect collection

New Zealand’s Privacy Amendment Act 2025 received Royal Assent on September 23, 2025 and introduces a new requirement: organizations that collect personal information indirectly—through sources other than the data subject—must take “reasonable steps” to notify the individual.

The notification obligation takes effect May 1, 2026. The notice must cover key details including the purpose of collection, intended recipients, the identity of the collecting entity, and the individual’s rights to access and correct their data. The change increases the operational bar for any organization that services New Zealand or collects data about New Zealand residents via brokers, partners, public sources, enrichment vendors, or other third parties.

  • Data lineage becomes a compliance control. If you can’t trace where a field came from (and why you have it), you’ll struggle to determine when notice is required and what must be disclosed. Expect renewed pressure to formalize lineage, provenance metadata, and vendor/source tagging in ingestion.
  • Notice will touch pipelines, not just policy pages. “Reasonable steps” implies operational workflows: event-level triggers for indirect collection, identity resolution to match records to individuals, and auditable delivery (plus handling bounces and exceptions).
  • Access/correction workflows need to be production-grade. The required notice explicitly references access and correction rights; teams should assume increased inbound requests and ensure systems can locate, export, and rectify indirectly sourced attributes across downstream stores.
  • Synthetic data may reduce exposure—but won’t fix governance gaps. Where teams can replace indirectly collected personal data with synthetic alternatives for testing, analytics, or sharing, they may reduce notice burden and breach impact. But they still need clear boundaries to ensure synthetic datasets can’t be linked back to individuals and that production systems remain compliant.