Privacy compliance in New Zealand is about to change – and payroll teams sit directly in the path. The Privacy Amendment Act 2025 introduces a new Information Privacy Principle – IPP 3A – which extends notification obligations to indirect collection of personal data. Here's what you need to know.
The problem payroll teams are facing
Until now, the Privacy Act 2020's notification requirements have only applied when an organisation collects personal information directly from the individual. If your payroll provider received employee data from you as the employer, there was no explicit obligation to notify the employee about that indirect collection.
That gap is closing. For any organisation that receives personal information from a source other than the individual, IPP 3A requires reasonable steps to notify the person that their data has been collected, why, and what their rights are.
For payroll operations, this has practical consequences. Every time an employer provides employee data to a payroll platform, a time and attendance provider, a benefits administrator, or any other third-party service, the notification obligation may apply.
What is IPP 3A and when does it take effect?
IPP 3A comes into force on 1 May 2026 and applies to personal information collected on or after that date.
Under the current Privacy Act, Information Privacy Principle 3 requires agencies to notify individuals when collecting personal information directly. IPP 3A extends this to indirect collection – where the information comes from a source other than the individual themselves.
What individuals must be told under IPP 3A
- The fact that their information has been collected
- The purpose of the collection
- The intended recipients of the information
- The name and address of the agency collecting and holding the information
- Their rights of access to, and correction of, their personal information
- Any consequences if the information is not provided
The obligation is to take "reasonable steps" to notify – the Act recognises that direct notification may not always be practical, but organisations need to demonstrate they have taken appropriate action.
Who is responsible – the employer or the payroll provider?
This is the question most payroll teams are asking. The short answer: the notification obligation sits with whichever agency collects the information indirectly.
In a typical payroll arrangement:
- The employer collects employee information directly (at onboarding, through HR processes, via employment contracts). IPP 3 applies – the employer must tell the employee what they're collecting and why.
- The payroll provider receives that employee information from the employer – not from the employee directly. Under IPP 3A, the payroll provider is collecting indirectly and may have a notification obligation.
In practice, the most efficient approach is for the employer to include payroll provider disclosure in their own employee privacy notice – covering the fact that employee data will be shared with a named payroll provider, the purpose, and the employee's rights. This satisfies both IPP 3 and supports the payroll provider's obligations under IPP 3A.
Payroll providers should also ensure their own privacy policy clearly describes their role as a processor of employee data on behalf of employer clients.
Does the Biometric Processing Privacy Code affect payroll?
Separately from IPP 3A, New Zealand's Biometric Processing Privacy Code 2025 introduces specific rules for any organisation that collects or processes biometric information – such as fingerprints, facial recognition data, or voiceprints.
For payroll operations, this is most relevant where biometric time and attendance systems are in use. If employees clock in using a fingerprint scanner or facial recognition terminal, the operator of that system has obligations under the Code, including:
- Clear disclosure of the purpose of biometric collection
- Informing employees of available alternatives to biometric identification
- Identifying the intended recipients of the biometric data
- Specifying retention periods and the complaints process
- Conducting a proportionality assessment where applicable
The Code came into force on 3 November 2025 for new biometric processing, and applies from 3 August 2026 for processing that was already underway before that date.
Important
The obligations under the Biometric Code sit with the organisation that collects and stores the biometric data. If your biometric time clocks are operated by a third-party provider, that provider holds the primary obligation. However, if you as the employer have directed the use of biometric collection, you should satisfy yourself that your provider is compliant – and that employees have been properly notified.
Where a payroll platform receives only derived data from biometric systems (such as employee numbers and clock-in/clock-out times), and does not receive or store the biometric data itself, the Biometric Code obligations do not apply to the payroll platform. The obligation remains with the biometric data controller.
What payroll teams should do before 1 May 2026
IPP 3A takes effect on 1 May 2026. Here are the practical steps payroll and HR teams should take to prepare:
Review your employee privacy notice
Ensure your organisation's employee privacy notice discloses that personal information is shared with third-party service providers for payroll processing. Name the provider where practical, state the purpose, and confirm the employee's rights of access and correction.
Check your payroll provider's privacy policy
Your payroll provider should have an up-to-date privacy policy that addresses their role as a processor of employee data on behalf of employer clients, and acknowledges indirect collection obligations under IPP 3A.
Review biometric time and attendance arrangements
If your organisation uses biometric clocks or terminals, confirm who operates them and whether the operator's privacy disclosures meet the requirements of the Biometric Processing Privacy Code 2025. If the service is contracted through your payroll provider, ask for confirmation of compliance.
Update employment contracts and onboarding materials
Consider adding a privacy disclosure clause to your standard employment agreement or onboarding pack, covering the third-party services that will process employee data. This creates a clear record that the employee was notified at or before the point of collection.
Document your approach
IPP 3A requires "reasonable steps" – not perfection. Document what steps your organisation has taken to notify employees about indirect collection. This provides evidence of compliance if a complaint or investigation arises.
How Affinity supports your privacy compliance
Affinity has updated its privacy policy to clearly describe its role as a data processor acting on behalf of employer clients, including how employee data is collected indirectly and how it is handled.
For customers who use third-party biometric time and attendance services in connection with the Affinity platform, our privacy policy also clarifies that Affinity receives only derived time data – not biometric information – and that the biometric data obligations sit with the third-party provider.
If you need support reviewing how your Affinity implementation handles employee data, or want to discuss how IPP 3A affects your specific payroll setup, our team can help.
This article provides general information about New Zealand privacy law changes relevant to payroll operations. It is not professional legal advice. Always verify current requirements with the Office of the Privacy Commissioner or seek independent legal counsel before making compliance decisions.