From 1 May 2026, every trade credit check you run on a customer sits inside a tighter privacy framework. The new Information Privacy Principle 3A (IPP3A) in the Privacy Act 2020 doesn’t change *whether* you can use credit reporting, but it does change *how clearly* individuals must be told that their information is being collected and shared behind the scenes. For credit managers and accounts teams, this is no longer just a matter for the legal or privacy officer, it directly affects your onboarding forms, your credit application wording, and the workflows you use when you pull a report or list a default.
1. What is IPP3A?
IPP3A is a new notification rule that sits alongside the existing IPP3. Under IPP3, you already have to tell people certain things when you collect their personal informationdirectly,for example, on a credit application form or online account setup. IPP3A extends that idea to situations where their information is collected indirectly, that is, from someone else or another source. The key idea: if your organisation, or a credit reporting body you use, is getting a person’s information from a third party, the individual is usually entitled to be told about that indirect collection, unless a specific exception applies.
For trade credit, this shows up in very practical ways. When you send a customer’s details to a credit reporter to obtain a report, or when a default listing is made about them, that is part of an indirect collection ecosystem. IPP3A doesn’t ban those practices; it simply raises the bar on transparency. People should not be surprised to learn their information is sitting with one or more named credit reporting bodies.
2. The core change trade credit teams need to absorb
The most immediate impact of IPP3A is around how specific your customer notifications and consents need to be. Generic wording like ‘we may share your information with credit reporting agencies’ is now risky on its own. Regulators expect that, where a credit reporting body will be a key recipient of the data, customers are told who that recipient is and how they can contact them, for example, by naming them and giving a website or postal address. That way, the customer can find out more about how their information will be handled, corrected, or disputed. For trade credit professionals, this means your credit application forms, terms of trade and privacy statements need to be reviewed and likely tightened up before 1 May 2026. Wherever you rely on customers having been ‘told’ that their information might be sent to a particular credit reporting body, the notification should: (a) clearly name the entity, and (b) provide a meaningful contact point such as a website, email address or physical address.
3. When you run a credit check: what should already be in place?
In brief, each time you run a new or repeat trade credit check, you should be confident that three things are true.
- You have a clear, documented authority from the customer that allows you to obtain a credit report for a defined purpose (for example, assessing a new credit application, reviewing an existing limit, or assisting with debt recovery).
- That authority expressly records that their personal (and where relevant, director or guarantor) information will be supplied to one or more named credit reporting bodies, together with contact details such as a website or address.
- Your internal workflow is aligned: staff know where to find the current wording, when a fresh consent is needed, and how to record that a credit report was obtained for a legitimate business purpose.
If those three pillars are in place, IPP3A largely reinforces what you are already doing rather than adding an entirely new process. Where credit teams can get caught is when legacy forms are still in circulation or when there is inconsistent practice across branches. From a regulator’s perspective, ‘we thought head office had updated the forms’ is not a strong defence.
4. Defaults, monitoring, and ongoing use of information
Many trade suppliers don’t just pull a one-off report. They may obtain updated reports when limits are reviewed, or they may rely on monitoring services that flag significant changes in a customer’s credit profile. They may also list payment defaults when an account becomes seriously overdue. All of these rely on a continuing flow of personal information between your organisation and one or more credit reporting bodies.
Under IPP3A and the existing Credit Reporting Privacy Code, the safest position is to treat that ongoing relationship as something the customer has been clearly told about up front. That usually means using ‘enduring’ or ‘ongoing’ consent wording that covers: (a) initial assessment, (b) later account management, and (c) the possibility of defaults being listed if the account is not paid. If your current forms are silent or vague on those points, now is the time to tidy them up.
One practical tip: keep your consent wording in a central, controlled template and avoid staff creating their own ad-hoc versions for special deals or urgent applications. IPP3A is about reasonable steps, having a consistent, auditable trail of what customers were told will make that much easier to show if questions are ever asked.
5. A simple action plan for trade credit teams
A few practical steps that make sense for most trade credit operations:
- Map where and how you collect customer information for credit purposes, paper forms, online portals, emailed PDFs, account-opening packs, and so on.
- Identify every place where you refer to credit reporting bodies. Check whether they are named and whether there is a clear contact point for each.
- Work with your legal or privacy adviser to refresh the wording so it aligns with IPP3A and the latest guidance from the Office of the Privacy Commissioner.
- Update internal procedures and training so frontline staff know what the new wording means, when to rely on existing consents, and when to obtain a fresh one.
- Clean up old templates, remove outdated application forms from shared drives, branches and websites so you don’t accidentally keep using non-compliant versions.
- Document your approach. A short internal note that explains your rationale, the changes you’ve made, and the date they took effect can be very helpful if you’re ever audited or questioned.
6. Balancing privacy risk with commercial reality
In my view, the real tension for trade credit teams is not whether privacy matters (everyone accepts that it does) but how to balance it with the need to move quickly. Sales teams want accounts opened yesterday. Credit wants assurance that they’re not extending tens of thousands of dollars of unsecured exposure to a shaky customer. IPP3A doesn’t remove that tension; it just nudges everyone toward cleaner, more explicit communication with the customer about who is in the loop.
The upside is that good privacy hygiene often lines up with good credit practice. If your forms are clear about credit reporting, defaults, and monitoring, you also tend to have stronger conversations with customers at the front end about terms, expectations, and consequences. That can reduce disputes later when a default is listed or a credit limit is scaled back after a negative change in their profile.
7. Final thought for trade credit professionals
IPP3A is a privacy amendment, but for trade credit professionals it is essentially a documentation and process exercise. If you can answer ‘yes’ to questions like: ‘Have we clearly named the credit reporting bodies we use?’, ‘Have we given customers a way to find out more about how their data is handled?’, and ‘Can we show when and how we obtained authority to run checks and list defaults?’, then you are well on the way. It would make sense to use the lead-up to 1 May 2026 as an excuse to clean up not just your wording, but your whole credit application flow. The customers you actually want as long-term partners won’t be put off by that clarity, they’ll usually appreciate it.