Don’t get swept up by the OAIC

18 February 2026

At the start of this year, the Office of the Australian Information Commissioner (OAIC) commenced its first-ever compliance sweep of privacy policies to ensure they comply with the Australian Privacy Principles (APPs). Whether your business will be part of this compliance sweep or not, you should review your privacy policies and ensure that they are up to date and compliant with the APPs.

What are the APPs and do they apply to my business?

The APPs outline the privacy requirements businesses must adhere to when collecting, using, managing, and protecting personal information that is collected in the course of providing goods or services.

The APPs generally apply to businesses with an annual turnover of over 3 million AUD. The APPs also apply to other entities, such as government agencies. The requirements in the APPs focus on protecting personal information from misuse, interference or loss, and on preventing and preparing for data breaches.

Personal information is defined in the Privacy Act 1988 (Cth) as any information or opinion about an individual who is either identified or reasonably able to be identified. It does not matter whether the information or opinion is true or not, or the format in which the information is recorded (such as words, audio, video, images, or physical items such as DNA).

What are privacy policies and what must they include?

Privacy policies comprise a Privacy Policy and a Privacy Collection Notice. The Privacy Policy is a detailed outline of how a business carries out the steps required by the APPs. Pursuant to APP 1.4, the Privacy Policy must include:

  • a list of the kind of personal information the business collects and holds;
  • how the business collects and holds personal information;
  • the purposes for which the business collects, holds, uses and discloses personal information;
  • whether the business is likely to disclose personal information to overseas recipients and, if so (and it is practicable to do so), which country or countries those recipients are in;
  • how an individual may access their personal information that the business has collected;
  • how an individual may request the business to correct their personal information held; and
  • how an individual may complain about a breach of the APPs to both the business and the OAIC.

The Privacy Policy must be accessible to an individual and, therefore, is generally located on a business’s website.

The Privacy Collection Notice is a shorter version of the Privacy Policy and is provided to an individual when personal information is collected from them. APP 5.2 is prescriptive as to what is required.

Whose privacy policies will the OAIC review?

The OAIC will be reviewing approximately 60 businesses/entities from six different sectors. These sectors have been chosen based on certain risk factors. These six sectors and types of collection are:

  • Rental and property: where businesses collect an individual’s personal information during property inspections.
  • Chemists and pharmacists: where personal information is collected for the purpose of providing a paperless receipt, and the collection of an individual’s personal information is required to provide medication.
  • Licensed venues: where businesses collect an individual’s personal information that identifies them to enable their access to the venue.
  • Car rental companies: where businesses collect an individual’s personal information that identifies them and other personal information to enable an individual to enter into a car rental agreement.
  • Car dealerships: where businesses collect personal information to enable an individual to conduct a vehicle test drive.
  • Pawnbrokers and second-hand dealers: where businesses collect an individual’s personal information to identify an individual who wishes to sell or pawn goods.

Within these six sectors, target businesses will be identified based on their size and location, business profile, and risk profile — including those that have previously experienced data breaches.

Consequences of the OAIC review

If the OAIC finds a business’s privacy policies are non-compliant, the business may face compliance and infringement notices and penalties of up to $66,000.

Contact us

If you are an Australian business or individual in one of the above targeted sectors, have already been contacted by the OAIC as part of its sweep, or need assistance in reviewing or updating your business’s privacy policies, please contact a member of our Privacy & Data Protection group.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

© 2026 Rigby Cooke Lawyers