Privacy developments at a glance
'The first building block of better privacy practices is a clear privacy policy that transparently communicates
how an individual can expect their information to be collected, used, disclosed and destroyed'
– Carly Kind, Privacy Commissioner
The Office of the Australian Information Commissioner (OAIC), Australia's privacy regulator, has
commenced 2026 with its first compliance sweep – a targeted review of approximately 60 businesses' privacy
policies. The review assesses compliance with the Privacy Act 1988 (Cth) (Privacy Act) and the
Australian Privacy Principles (APPs). This enforcement action delivers on the Privacy
Commissioner's previously signalled shift towards a more enforcement-led regulatory approach.
This compliance sweep occurs against the backdrop of significant privacy law reform in Australia. As detailed in our
recent article on the Privacy and Other Legislation Amendment Act 2024 (Cth), organisations now face enhanced civil
penalties, as well as expanded OAIC powers to issue infringement and compliance notices. The sweep also occurs ahead
of the 10 December 2026 deadline to comply with the new privacy policy transparency obligations for
automated decision-making (ADM).
What this means for your business
The enforcement landscape has changed
This sweep represents more than just a routine regulatory exercise. Changes to the Privacy Act passed by
Parliament in late 2024 expanded the regulatory consequences for infringements. These include the failure to
have a privacy policy containing the statutorily prescribed information. Entities with non-compliant privacy
policies may now face compliance notices, infringement notices and penalties of up to $66,000.
'The Australian community is increasingly concerned about the lack of choice and control they have with respect to
their personal information' – Carly Kind, Privacy Commissioner
Who is being targeted?
The OAIC has selected target entities based on their size, location and risk profile. This includes entities that may
have previously experienced a data breach. The regulator is particularly focused on high-profile and high-risk
entities within each sector.
The compliance sweep is targeting organisations that collect information in person, with Privacy
Commissioner Carly Kind highlighting sectors where power and information asymmetries create particular privacy
risks.
'When confronted with in-person requests for their personal information, consumers often don't have access to all
the information they might need to make an informed decision. This makes them vulnerable to overcollection of
personal information and creates risks to their security and privacy' – Carly Kind, Privacy
Commissioner
The OAIC plans to review privacy policies from six key sectors:
- rental and property (including collection during property inspections)
- chemists and pharmacists (for paperless receipts and medication provision)
- licensed venues (identity verification for entry)
- car rental companies (collection of identity and personal information for rental agreements)
- car dealerships (personal information for test drives)
- pawnbrokers and second-hand dealers (identity information for selling or pawning goods)
What this signals about the OAIC's enforcement stance
The timing and scope of this compliance sweep reveal three critical insights into the regulator's evolving approach:
- Transparency is a non-negotiable baseline: The sweep aims to ensure entities meet their
transparency obligations. Entities must be transparent with consumers and customers about how they use
personal information collected in person. The sweep also encourages reflection on the robustness of privacy
practices and whether more can be done to improve broader compliance with the Privacy Act.
- The OAIC is actively deploying its expanded regulatory toolkit: The OAIC takes a risk-based and
proportionate approach to regulation. If non-compliance is detected, the regulator will consider its expanded
regulatory toolkit to determine the appropriate response. This is not merely guidance, but enforcement in
action.
- Ensuring privacy compliance: Ahead of the sweep, the OAIC updated its APP 1 guidance, including
introducing preliminary guidance regarding the impending ADM obligations. This update signals the OAIC's
expectation that organisations now have sufficient information – and warning – to achieve full
compliance with the Privacy Act and corresponding APPs.
The importance of meeting transparency obligations through full APP 1 compliance is underscored by the Administrative
Review Tribunal of Australia's recent decision regarding Bunnings' use of AI-based facial recognition
technology. While the Tribunal found that Bunnings did not breach the Privacy Act in its use of the
technology, it did affirm the OAIC's earlier determination that Bunnings breached APP 1.3 by failing to maintain a
clearly expressed and up-to-date privacy policy that included all information required under APP 1.4.
We have set out a summary of the key privacy policy requirements below.
Core privacy policy requirements
Under APP 1.4, a privacy policy must include (at minimum):
- the kinds of personal information collected and held;
- how personal information is collected and held;
- the purposes for which personal information is collected, held, used and disclosed;
- how individuals may access their personal information and seek its correction;
- how individuals can make a privacy related complaint and how complaints will be handled; and
- whether the entity is likely to disclose personal information overseas and, if practicable, the countries where
recipients are located.
Key dates and status
- Stage: Active compliance sweep; regulatory enforcement underway
- ADM transparency deadline: 10 December 2026
New obligations from 10 December 2026 – ADM transparency
From 10 December 2026, new APP 1.7 - 1.9 requirements will come into force. These APPs are intended
to address the privacy risks associated with ADM systems, which may use personal information in ways that
significantly impact individuals, and with limited transparency. The new requirements focus on enhancing that
transparency (as opposed to imposing restrictions on its use).
Organisations will be required to include information in their privacy policies about the kinds of personal
information used in, and types of decisions made by, computer programs that could reasonably be expected to
significantly affect the rights or interests of an individual. Beyond merely including the prescribed information
into existing privacy policies, organisations must critically examine whether public facing statements about their
ADM use align with broader APP requirements and community expectations around the handling of individuals' personal
information.
APP entities must include information about ADM in their privacy policies if:
- the APP entity has arranged for a computer program to make, or do a thing that is
substantially and directly related to making a decision;
- that decision could reasonably be expected to significantly affect the rights or interests of
an individual; and
- personal information about the individual is used in the operation of the computer program to make the
decision or do the thing.
What information must be included in a privacy policy?
APP-compliant privacy policies must contain information (APP 1.8) about:
- the kinds of personal information used in the operation of computer programs;
- the kinds of decisions made solely by the operation of computer programs; and
- the kinds of decisions for which a thing, that is substantially and directly related to making the decision, is
done by the operation of such computer programs.
Notably, these new provisions do not define 'computer program', nor is the term defined elsewhere in the Privacy
Act.
APP 1.9 provides some further guidance for organisations by outlining that:
- 'making a decision' includes refusing or failing to make a decision; and
- a decision may affect the rights or interests of an individual, whether the
rights or interests of the individual are beneficially or adversely affected.
Examples of decisions that may affect the rights or interests of an individual
APP 1.9 provides a non-exhaustive list of decisions that may affect an individual's rights or interests. When
read in conjunction with the guidance outlined in the Explanatory Memorandum, these include:
- decisions under legislation to grant or refuse benefits (e.g., welfare payments or housing allocations);
- decisions affecting contractual rights (e.g., decisions about insurance policy eligibility); and
- decisions affecting access to significant services (e.g., healthcare).
Regular review is mandatory
To ensure compliance with the Privacy Act, an APP entity must regularly review and update its privacy policy.
The policy must reflect the entity's information handling practices. At minimum, this review should be
conducted annually. Organisations should also include a notation indicating when the policy was last updated
to demonstrate compliance.
Beyond compliance: proactive privacy management
APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems that will
ensure the entity complies with the APPs and enable the entity to deal with inquiries or complaints from
individuals. This is a constant obligation requiring proactive measures, not reactive responses.
Looking ahead: privacy enforcement and litigation risk
In our forthcoming analysis of the Administrative Review Tribunal's decision in Bunnings Group Limited and Privacy
Commissioner [2026] ARTA 130, we examine the Tribunal's important findings on facial recognition technology
(FRT), the framework for assessing permitted general situations under the Privacy Act, and the
critical role of privacy-by-design in proportionality assessments. Significantly, whilst Bunnings successfully
overturned the finding that it breached APP 3.3, the Tribunal affirmed that Bunnings interfered with privacy by
failing to comply with its transparency and notification obligations under APPs 1.2, 1.3 and 5.1 – a reminder
that even where data collection practices may be justified, transparency obligations remain non-negotiable.
We will also be examining the expanding landscape of privacy litigation risk Australian organisations face. With the
introduction of the statutory tort for serious invasions of privacy and growing public concern about data practices,
organisations face not only regulatory enforcement action, but also the prospect of direct legal challenges from
individuals – including potential class actions. Understanding these dual enforcement vectors will be
critical for organisations seeking to manage privacy risk effectively in 2026 and beyond.
What you should do now
Organisations should:
- conduct a comprehensive audit of current privacy policies against the OAIC's updated APP 1 guidance;
- ensure privacy policies clearly address all mandatory APP 1.4 requirements;
- prepare to be fully compliant with the incoming ADM disclosure requirements under APPs 1.7 to 1.9, including by
assessing whether automated decision-making processes can be clearly explained, fairly justified and publicly
defended;
- review in-person collection practices to identify power imbalances and information asymmetries;
- implement clear, accessible privacy notices at all points of personal information collection;
- document compliance efforts and maintain evidence of reasonable steps taken to meet APP obligations; and
- establish robust procedures for handling privacy inquiries and complaints.
The message from the OAIC is unambiguous. Privacy compliance is no longer optional. Transparency is the
foundation upon which all legitimate personal information handling must be built. And from 2026, that foundation
will be tested.
How MinterEllison can help
Navigating these obligations is complex. Our team combines deep industry and regulatory expertise, privacy and
data protection know-how, and practical experience advising high-risk sectors. If your organisation handles personal
information in similar in-person or high-risk settings, we can help you identify compliance gaps. We can also
uplift your privacy practices in line with the OAIC's evolving enforcement approach. Please contact us
if you would like assistance with your organisation's practices.