Are You Collecting Indirectly Without Realising It?

When organisations think about collecting personal information, they often picture the direct kind of collection, when someone fills out a form, subscribes to a service, or makes an online purchase. But there’s another, often less visible way that personal information comes into your organisation’s possession, known as indirect collection.

Indirect collection happens when your organisation obtains personal information from a source other than the individual themselves. It might come from another organisation, a public database, a relative of the individual or even a social media profile. Essentially, if the person didn’t give you their information themselves, you’ve collected it indirectly.

For example, a property management company might receive a prospective tenant’s employment information from a recruitment agency. A bank might obtain a customer’s credit history from a credit bureau. A marketing team might purchase a list of business contacts from a data broker. In each of these cases, the organisation didn’t gather the information from the individual themselves, yet it is still considered a collection by the organisation.

Many organisations rely on vendors who are their processors to collect or manage personal information for them, such as when a marketing agency runs a campaign. Even though the processor is the one physically gathering the information, it’s still collection by your organisation. Therefore, if they have collected it indirectly on your instruction your organisation is deemed to of collected it indirectly.

Identifying how your organisation collects personal information indirectly is timely for organisations in New Zealand, with the upcoming changes to the Privacy Act introducing a new information privacy principle which specifically addresses indirect collection. From 1 May 2026, when your agency collects personal indirectly, you will be required to take reasonable steps to ensure the individual is aware of that collection and provide them a privacy statement.

To prepare for this shift, organisations should start by mapping their data flows. Identify where you collect personal information indirectly, who you receive it from, and who it’s shared with. It’s also worth embedding an understanding of the difference between direct and indirect collection into staff training and privacy governance frameworks.