Do You Know What Information You’re Collecting Indirectly?

Most organisations have some insight into what information they collect indirectly from large organisations, but not a full picture.

A simple process like opening an account with an organisation may involve multiple points of indirect collection, for example:

  • Confirmation of identity – Many organisations utilise the Confirmation Service as a way to confirm the applicant’s identity information. This service involves DIA disclosing to the organisation confirmation that the details provided match.

  • Credit check – Before opening a line of credit you most likely want to check the person can pay it back and therefore conduct a credit check. The credit check process involves the respective credit bureau disclosing the check back to you.

  • Other account signatories – The applicant may want to add some people to their account who are authorised to act. The information you collect about these additional people has been collected indirectly.

Upcoming changes to the New Zealand Privacy Act (commonly referred to as IPP3A changes) are bringing new requirements for how organisations handle indirect collection of personal information. Going forward, if you're collecting personal information from someone other than the individual concerned, you may need to notify them, unless an exception applies.

Some organisations are ahead of the curve. They have already embedded questions into their Privacy Impact Assessments (PIAs), using platforms like OneTrust to automate and standardise questions that ascertain how personal information is being collected.

When the right tools are in place, questions like "Where did this information come from?" and "Have we notified the individual?" are asked early — and consistently. These organisations can now quickly run reports that show which business processes are affected by the changing requirements, and exactly where indirect collection is taking place.

By automating the privacy assessment process, these organisations don’t need to start from scratch. Past PIAs become valuable assets, and when legislation changes, as it is now, they can instantly identify what needs attention.

Even better, automation means that future risks are flagged in real time. If data is being collected from a third party without the proper notice or justification, the system can highlight that for review — before it becomes a problem.

At ThreeBlackCats, we help organisations integrate tools like OneTrust to not only meet compliance but strengthen privacy maturity across the board.
