Compliance

A new Privacy Act requirement that could affect almost every business

When the Privacy Act changed in May 2026, one new Information Privacy Principle flew a little under the radar.

It's called Information Privacy Principle 3A, and although the name isn't particularly memorable, the practical effect is.

In simple terms, if your business collects personal information about someone from another source instead of directly from them, you may now have an obligation to tell them.

For many businesses, that's a change worth understanding.

What does "collecting information indirectly" mean?

It simply means obtaining personal information from someone other than the individual concerned.

For example:

  • speaking to a job applicant's referee

  • confirming qualifications with a training provider

  • obtaining a credit report

  • verifying information with a previous lender

  • contacting trade references before offering a business credit account

  • receiving information from a professional registration body.

None of these situations are unusual. In fact, they're part of everyday business.

The difference now is that businesses need to think not only about whether they're allowed to collect the information, but also whether they need to tell the individual that they've done so.

Recruitment is an obvious example

Imagine you're recruiting a new employee.

You contact two referees and verify the applicant's qualifications before making an offer.

Under the new principle, you don't necessarily have to send the applicant an email saying, "We've just spoken to your referee."

However, if your recruitment process already explains that you'll collect information from referees, previous employers, qualification providers and other relevant sources, you've probably already met the notification requirement.

That's one reason it's worth reviewing your employment application forms and recruitment privacy statements. If you need help with that, we recommend contacting our friends over at Epic People.

The same applies when lending money

Finance companies and lenders regularly obtain information from third parties when they’re assessing your business loan application.

That might include credit reporting agencies, identity verification providers, banks, accountants or other organisations involved in assessing an application, and for verifying your identity and complying with anti-money laundering laws.

Again, the Privacy Act doesn't necessarily require a separate notification every time information is obtained.

If you have already been told, through your business loan application process or the privacy statement you’ve signed, where information may be obtained from and why, the lender has likely addressed the new requirement.

Don't forget about trade credit

Many businesses don't think of themselves as "credit providers", but if you allow customers to buy now and pay an invoice later, you probably are.

Before approving a credit account, it's common to:

  • obtain trade references;

  • carry out a credit check on the business and it’s owners;

  • verify business ownership; or

  • confirm other information supplied by the applicant.

These activities may involve collecting personal information indirectly, particularly where sole traders, partnerships or company directors are involved.

It's another reason to make sure your credit application forms and privacy statements clearly explain what checks may be carried out and where information may be obtained from.

The good news

The purpose of the new rule isn't to create unnecessary paperwork.

In fact, the Privacy Act recognises that if you've already explained your information collection practices up front, you generally won't need to notify people every time you collect information from another source.

That's good news for businesses, because it means the focus is on being transparent, not on sending endless notifications.

A good time for a privacy health check

If your business hasn't reviewed its privacy notices in the last few years, now is a good opportunity.

Ask yourself:

  • Do our employment application forms explain what information we'll obtain during recruitment?

  • Do our finance or credit applications explain what third-party checks we'll carry out?

  • Do our privacy statements reflect how we actually collect information today?

  • Are we relying on old wording that predates the introduction of Information Privacy Principle 3A?

A few small updates now could help ensure your business stays compliant while also giving customers, applicants and employees greater confidence in how their personal information is handled.

Privacy compliance isn't just about avoiding complaints. Done well, it's another way of demonstrating that your business is transparent, professional and trustworthy.