New Zealand’s privacy laws are being updated, with effect from 1 May 2026. These Privacy Act changes will affect how organisations collect and share personal information – something that comes up often in sport where personal information is are exchanged between clubs, NSOs, Sport NZ, DFSNZ, HPSNZ and other partners.
At present, organisations don’t have to tell people when they obtain personal information about them from someone else. As a result, individuals often have no idea their details are being gathered in this way. But letting people know when you’ve received information about them is good practice and will soon be required at law.
The new IPP 3A requires organisations to be more open about indirect collection of personal information and will help people understand, and exercise, their privacy rights in that respect.
Key Points for Sports Organisations
A few key points that we think will be important for sports organisations to be aware of:
- New notification duty: If you receive personal information indirectly (i.e. from another club, NSO or third party, not directly from the person), you’ll generally need to notify that person that their information has been collected, what it’s for, and who is holding it. This duty sits with the party that receives the information.
The organisation providing the information doesn’t have to notify the individual unless it is also using that information for a new purpose. However, that party sharing the information must still have a lawful reason or authority to disclose it, for example, the person’s consent, a contractual obligation, or another permitted purpose under the Privacy Act. - Who’s accountable for the information: If a breach occurs, the organisation that is the “principal agency” (the one ultimately responsible for the information) is liable, even if the breach was caused by another party such as a service provider or volunteer.
- Privacy policies and contracts: You may need to update your privacy notices, membership forms, and contracts with suppliers or delivery partners to reflect these changes.
- Training and systems: Staff and volunteers should know what to do if they handle data from another party or if a breach occurs, and you’ll need processes to manage notifications and responses.
Privacy Act Changes – Steps Towards Compliance
Taking a bit of time now to map where personal information flows between your club, region, NSO and other organisations will make compliance with the 2026 changes straightforward and help build member trust in how their information is handled.
Digital.govt.nz has some helpful guidance around planning for these changes – https://www.digital.govt.nz/dmsdocument/261~planning-for-indirect-notification-requirements-ipp-3a/html).
But if you’re wanting to learn more about your privacy responsibilities more generally, the Privacy Commissioner website has some great resources – https://www.privacy.org.nz/responsibilities/your-obligations/.
Please note that this doesn’t constitution legal advice, however, we are happy to discuss what this means for your organization and support you through any updates and changes you need to make ahead of next year.
