Your Data, Someone Else’s Source
Most organisations think about personal information in fairly straightforward terms. Someone fills in a form, signs up for a service, or makes a purchase. The organisation collects the information, stores it, and uses it for the purpose it was provided.
But personal information rarely stays where it was first collected. Instead, it moves through the organisation. It flows through service providers, analytics tools, marketing platforms, partner organisations, and sometimes through entities that exist primarily to collect and redistribute data. By the time that information reaches its next destination, the organisation using it may never have interacted with the individual at all.
Somewhere along that journey, personal information has quietly become part of an ecosystem most people never see.
The term data broker often conjures images of shadowy data trading, but the reality is usually much less dramatic and much more ordinary. A data broker is simply an organisation that gathers personal information from multiple sources, combines those datasets, and provides the resulting insights to others. Those sources can include public records, loyalty programmes, surveys, online transactions, mobile applications, social media activity, and third-party marketing lists. On their own, each dataset might reveal very little about an individual.
But aggregation changes the picture. When different pieces of information are linked together, they can start to reveal patterns about household composition, purchasing behaviour, life stage, or likely interests. Individually the fragments are small; collectively they can paint a surprisingly detailed picture. What began as information collected for one purpose can end up supporting decisions in a completely different context.
From a privacy perspective, the real challenge is not simply that information is shared. The difference with data brokers is distance. When personal information is collected directly from someone, transparency is relatively easy. The organisation can explain what it is collecting, why it needs the information, and how it intends to use it. Privacy statements, onboarding processes, and customer conversations all help create that understanding. But when personal information is obtained indirectly, that clarity can quickly disappear.
The organisation using the data may not have been the one that collected it. The individual may never have heard of the organisation now holding and analysing their information. And the path the data took to arrive there may involve several steps in between. By the time the information is used in a way visible to the individual, they may have no visibility of how it travelled, or even that it travelled at all. Surprise is often the first sign that something in the information lifecycle has become misaligned with expectations.
For organisations receiving or purchasing third-party datasets, this creates an important shift in thinking. It is easy to assume that if a dataset came from somewhere else, the privacy obligations somehow remain with the original collector. But in practice, organisations still need to consider the circumstances in which they are using the information. Questions like:
Where did it originate?
Would the individual reasonably expect their information to be used in this way?
Would they even know it was happening?
Those questions become harder to answer once information has passed through several parties.
Another subtle feature of the data broker ecosystem is that the most valuable insights are often not the information that was directly collected. They are the conclusions drawn from it. Patterns across datasets can allow organisations to infer things about individuals that were never explicitly stated. Life stage, household characteristics, financial capacity, or interests can often be estimated from behaviour patterns. From a technical perspective this is simply analytics. From a privacy perspective it can feel quite different.
Most people assume organisations know what they have told them. They do not necessarily expect organisations to build detailed assumptions about them based on patterns they cannot see. The gap between those expectations is where many privacy concerns begin.
For organisations relying on externally sourced data, the risks are not just theoretical. Datasets may contain outdated information, inaccurate assumptions, or insights that no longer reflect reality. More importantly, organisations may be using personal information without fully understanding the circumstances in which it was originally collected.
If an individual would be surprised to learn how their information ended up in your organisation’s systems, that surprise will eventually surface somewhere. Sometimes it appears as a privacy complaint. Sometimes it emerges during a request for access or correction. Sometimes it simply appears as a quiet erosion of trust.
In each case, the underlying issue is the same: the journey that data took was invisible to the person it relates to.
From 1 May 2026, changes to the Privacy Act introduce Information Privacy Principle 3A (IPP3A). The amendment strengthens transparency obligations when organisations collect personal information from a source other than the individual concerned. In practical terms, this means organisations will need to take reasonable steps to inform individuals when their personal information has been obtained indirectly. The intention is simple: people should not discover by accident that their information is being used by organisations they have never interacted with.
For organisations that rely on third-party data sources, IPP3A is a useful prompt to look carefully at the data supply chains that sit behind everyday analytics and business decisions.
As organisations become increasingly data-driven, datasets often arrive through channels far removed from the original point of collection. When that happens, there is one question that becomes particularly valuable: “Where did this information actually come from?” It may have travelled through several organisations along the way. Somewhere in that journey, someone’s personal information quietly became someone else’s source.