Lipstick on a Pig: Why Your IPP3A Fixation Won’t Fix Property Management’s Bigger Privacy Problem
A new privacy principle kicks in on 1 May: IPP3A. If you collect personal information about someone from a source other than that person, say a SaaS platform or a maintenance chatbot, you have to tell them. If you run your property management business on any kind of tech stack, this change will hit you.
But IPP3A is not your biggest problem. It’s the one that’s about to expose all the others.
Here’s a number for you: The number of property management agencies in New Zealand with a comprehensive privacy policy is alarmingly close to zero.
These agencies hold bank account numbers, property details, tenancy histories and personal information of thousands of people - tenants AND owners. They share that information, daily, with maintenance platforms, trust account systems, CRMs, listing portals and contractors. Most of them have never told their clients any of this is happening.
All in all, your IPP3A efforts are likely nothing but lipstick on a pig.
*Oink*
The OPC's rental guidance has been this industry's privacy playbook. It was a response to the sustained media coverage of tenant blacklists and over-collection. Necessary intervention. It worked. Property managers now know there are limits on what you can ask on an application form.
Good. One down.
But here's what the Commissioner's guidance actually covers: what you can collect from tenants, and when. Viewings. Applications. Shortlisting. Managing the tenancy. It's structured almost entirely around collection of tenant information at the application stage.
Here's what it doesn't cover: what happens to that data once it leaves your office and enters a third-party platform. It doesn't address your disclosure obligations. It doesn't address your owners' information at all. It doesn't help you figure out whether your SaaS provider is your agent under section 11 or an independent collector with its own full suite of obligations.
The industry treated the guidance as the full picture when it was merely a little glimpse into the pigsty. Agencies updated their application forms and think they've "done privacy."
You haven't. The application form is a fraction of the obligation.
Your tech stack has obligations. So do you.
Three principles collide the moment you plug into a SaaS platform.
IPP3. You collect information directly from a tenant or an owner. You have to tell them why, who gets it, how they can access it and correct it. Most agencies aren't doing this. Almost none are doing it for owners.
IPP11. You disclose that information to a platform. That's governed by IPP11. You need a lawful basis. Did you tell the person their data would go to that platform? If yes, you're probably fine. If no, you're probably not.
IPP3A. The platform receives information about someone and transmits it to you, such as when a tenant talks to a maintenance chatbot and the data comes back into your system. You are the indirect collector. From 1 May, you have the duty to notify.
Section 11. Critical distinction. If the platform is handling data purely on your behalf and not using it for its own purposes, then it is your “agent”. The obligations stay with you. Its compliance is your compliance. You need to know it's meeting the standard the Act requires of your agency. The moment the platform uses the information for its own purposes (such as benchmarking or AI training), it stops being your agent and becomes an independent agency with its own full suite of privacy obligations. That's more a them problem than a you problem. But you still need to know which one you're dealing with.
Have you asked your provider which one they are?
If you haven’t met IPP3 and IPP11, then IPP3A doesn’t create one gap. It exposes three. And if you don’t know whether your SaaS providers are section 11 agents, you don’t know who is carrying the can.
The blind spot nobody talks about
Every privacy conversation in this industry is about tenant data.
Property managers also hold a huge amount of owners’ personal information (such as property, bank account and tax details). IPP3 applies. IPP11 applies. From 1 May, IPP3A applies to every recipient who gets owner information from you indirectly.
The Privacy Act doesn't care whose information it is. It covers all personal information held by an agency.
Owner privacy is invisible in this industry's compliance thinking. That’s literally a whole side of the pig you’ve not been looking at.
What a fix actually looks like
Don’t bolt privacy clauses into every PMA, tenancy agreement and application form. You’ll end up with bloated transactional documents no one is going to read. And each time the law changes, you’ve got to update three.
Here are the three things I’m doing with clients to lift their privacy standards:
Create one comprehensive privacy policy covering tenants, owners and every person whose information they handle, and have all the transactional documents carry concise clauses that point back to the policy.
Run a tech stack audit that maps which platforms are s11 agents and which are independent collectors with their own obligations. If you can’t answer that question for every platform in your stack, you don’t know where your exposure sits.
Draft plain English notification clauses that meet the full suite of clients’ privacy obligations, including IPP3A, without turning their PMAs and tenancy agreements into privacy treatises no one will read.
Many agencies are starting from zero. That’s not a criticism; in a way, they were led down the wrong path. The way I see it is that the gap is real and it is closable; the sooner you do it, the easier it is.
The pig can’t outrun the farmer
The OPC has shown itself to be susceptible to public sentiment. When the media started reporting extensively on tenant blacklists back in 2021, the Commissioner acted almost immediately.
Look at what's building now. SaaS platforms moving personal information in opaque two-way flows. Brand-badging that makes tenants think they're dealing with their property manager when they're actually talking to a separate company. Owners whose financial details are sitting in systems they've never heard of.
The OPC doesn't need to be actively policing. It needs one media story. One tenant who finds out. One owner who asks the wrong question.
The tinderbox is right there.
1 May is the starting gun for a conversation that should have started years ago.