Upcoming events

Menu
Log in
Forgot password



Log in

What IPP3A Means for Associations in New Zealand

20 April 2026 7:57 AM | Brett Jeffery, CAE (Administrator)

Why this matters

Many associations operate in an environment where data flows through multiple channels — partnerships, events, referrals, and shared initiatives. It’s practical, and it’s how the sector has always worked.

However, under Information Privacy Principle 3A (IPP3A), those same practices now come with a clearer expectation:
if you receive personal information from someone else, you may need to tell the individual you have it.

This is known as indirect collection, and it is more common in associations than many realise.

Typical examples include:

  • Partner referrals
  • Shared event or delegate lists
  • Employer-provided member details
  • Imported or legacy databases

For many associations, this won’t be new activity — but it will require a more deliberate approach.

What’s changed

Previously, the focus was straightforward:

  • You needed to notify individuals when they provided their information directly to you

Now, the expectation has shifted:

  • You may also need to notify individuals when their information is provided to you by a third party

This is not about restricting how associations operate — it’s about ensuring individuals are not surprised by how their information is being used.

Where this shows up in associations

You are likely affected if your association:

  • Receives attendee lists from event partners or venues
  • Imports contacts into a CRM or AMS
  • Accepts membership details supplied by an employer or colleague
  • Shares or receives data between associations or sector groups
  • Uses purchased or third-party databases

In short, if your data does not always come directly from the individual, this applies to you.

What you need to do

1. Know where your data comes from

Start with a simple question:
Did we collect this directly, or did it come from somewhere else?

You don’t need a complex audit, but you do need clarity.

2. Don’t assume others have covered it

Even if a partner, sponsor, or supplier collected the information,
you cannot assume notification has been handled.

Each organisation in the chain may have its own responsibilities.

3. Put a simple notification process in place

This does not need to be complicated.

A short, clear email is sufficient, provided it explains:

  • Who you are
  • How you obtained the information
  • Why you hold it
  • How it will be used

The key is timing — it should be done as soon as reasonably practicable.

4. Review your agreements

This is where many associations will fall short.

Your agreements with:

  • Event partners
  • Sponsors
  • Suppliers

…should clearly state:

  • Who is responsible for notifying individuals
  • How data has been collected and shared

Without this, you are relying on assumption rather than process.

5. Clean up your database

This is the uncomfortable but necessary step.

If you:

  • Don’t know where data came from
  • Can’t confirm how it was collected

…that is your first risk point.

You don’t need to panic, but you do need to:

  • notify,
  • confirm, or
  • remove

where appropriate.

What this is not

  • It does not prevent associations from collecting or using data
  • It does not require consent in every situation
  • It does not fundamentally change how associations operate

What this is

IPP3A is about:

  • Transparency
  • Accountability
  • Removing surprises for individuals

Associations already rely on trust — this simply requires that trust to be more visible and intentional.

A practical way to think about it

If someone receives an email from your association and asks:
“How did you get my details?”

You should:

  • know the answer
  • be comfortable explaining it
  • and, in many cases, have already told them

NZSAE’s view

Associations play a critical role in connecting people, organisations, and sectors. That role depends on trust.

IPP3A doesn’t change that —
it reinforces it.

How NZSAE can help

NZSAE is available to support members with:

  • Reviewing current data practices
  • Drafting notification wording
  • Updating processes and agreements

Final thought

This isn’t about doing more.

It’s about making sure what we already do is done properly —
and that the people we engage with understand how and why we are engaging with them.

ref: https://www.privacy.org.nz/resources-and-learning/a-z-topics/ipp3a/



New Zealand Society of Association Executives Inc (NZSAE)

Te Hapori o nga Kaiwhakahaere Hononga o Aotearoa
Otonga Road
ROTORUA 3015
New Zealand 



© New Zealand Society of Association Executives Inc. (NZSAE) 2026

Powered by Wild Apricot Membership Software