The Office of the Australian Information Commissioner (OAIC) announced on 9 December 2025 its “first-ever compliance sweep”, which it designates as a:

Privacy compliance sweep to put privacy policies under the spotlight.

The OAIC says that it will be “conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules”. The announcement is available at:

https://www.oaic.gov.au/news/media-centre/privacy-compliance-sweep-to-put-privacy-policies-under-the-spotlight 

In conducting the sweep the OAIC says that it will “scrutinise the privacy policies of businesses that collect information in person”. It intends to review the privacy policies of approximately 60 entities from six sectors, giving as examples “real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms”. The six sectors identified by the OAIC, as described in the announcement, are:

  • Rental and property – collection of individuals’ personal information during property inspections.
  • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
  • Licensed venues – collection of identity information to enable individuals to access a venue.
  • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
  • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
  • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

What is the OAIC looking for?

What the OAIC says that it is looking for are “infringements of certain foundational requirements of the [Privacy Act]”, including “the failure to have a privacy policy containing certain information”. Privacy policies will be assessed to ensure that they meet the requirements of Australian Privacy Principle (APP) 1.4 which sets out what a privacy policy must include. APP1 reads in full:

1 Australian Privacy Principle 1—open and transparent management of personal information

1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.

Compliance with the Australian Privacy Principles etc.

1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:

(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and

(b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.

APP Privacy policy

1.3 An APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity.

1.4 Without limiting subclause 1.3, the APP privacy policy of the APP entity must contain the following information:

(a) the kinds of personal information that the entity collects and holds;

(b) how the entity collects and holds personal information;

(c) the purposes for which the entity collects, holds, uses and discloses personal information;

(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f) whether the entity is likely to disclose personal information to overseas recipients;

(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Availability of APP privacy policy etc.

1.5 An APP entity must take such steps as are reasonable in the circumstances to make its APP privacy policy available:

(a) free of charge; and

(b) in such form as is appropriate.

Note: An APP entity will usually make its APP privacy policy available on the entity’s website.

1.6 If a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

Compliance with the Privacy Act writ large

Although the OAIC says that the sweep is specifically concerned with the requirements of APP1.4, it is clear that it will be reviewing the compliance of privacy policies within the context of the general requirements of APP1 and the Privacy Act, particularly “obligations to be open and transparent with consumers and customers about how they’re using the personal information they collect in-person”. The OAIC also says that “We hope that this will also catalyse some reflection about how robust the entity’s privacy policies are, and whether more can be done to improve compliance with the Privacy Act writ large”.

Potential penalties

The announcement refers to changes to the Privacy Act in 2024 which expanded “the possible regulatory consequences for infringements of certain foundational requirements of the Act” and notes that “Entities found to have non-compliant privacy policies may face compliance and infringements notices and penalties of up to $66,000”.

Other organisations may be targets

As mentioned above, the OAIC is currently only looking at certain sectors for its sweep and says:

“The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).”

Obviously, the announcement of the sweep by the OAIC is intended to prompt organisations within the target sectors to review privacy policies. However, organisations in other sectors would be well advised also to review and, if necessary, to revise their privacy policies as the announcement of the sweep seems to signify a renewed interest and intent by the OAIC to enforce the provisions of the Privacy Act and the APPs. In particular, if a complaint is made by an individual about improper collection or use of personal information by an organisation, or if this otherwise comes to the attention of the OAIC, it may be expected that the OAIC will apply the same kind of rigorous review of privacy policies of the organisation concerned as it will in the course of the sweep.

Review of privacy policies

The OAIC will be looking into more than just the terms of privacy policies of target entities and will be considering their practices and the way that policies are implemented, but the privacy policy of an organisation is the starting point. The OAIC says that “The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed”.

This means that organisations should review their privacy policies to ensure that they comply with the requirements of APP1.4 (set out above).

Automated decision making

After a transition period which is anticipated to end in December 2026, new APPs 1.7, 1.8 and 1.9 will be inserted relating to the use of automated decision-making affecting individuals. Organisations will be required to disclose in their privacy policies how information is used in automated decision systems that might significantly affect individuals. These new requirements will require careful consideration of the use of AI or other automated systems by an organisation and the extent of disclosure in the privacy policy of the organisation.


DW Fox Tucker can provide assistance in reviewing, or in drafting or amending, privacy policies to ensure compliance with the Privacy Act and the APPs.

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact...

Sandy Donaldson


Amy Bishop

January 15, 2026 The OAIC Sweeps Up Privacy Policies