
OAIC’s Privacy Policy Sweep: How to Get Audit-Ready for Australia’s New Enforcement Era

Australia’s privacy regulator has launched its first compliance sweep, placing privacy policies and real-world practices under direct scrutiny.

May 20, 2026


Australia’s privacy landscape has entered a more enforcement-driven phase. The Office of the Australian Information Commissioner has started 2026 with its first targeted compliance sweep, reviewing how organizations meet core transparency requirements under the Privacy Act.

As the OAIC states, “The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”

This initiative focuses on a fundamental requirement: organizations must maintain a privacy policy that meets the standards set out in Australian Privacy Principle 1.4 (APP 1).

Entities with non-compliant privacy policies may face compliance notices, infringement notices, and penalties of up to $66,000. Regulatory changes introduced in 2024 have expanded the OAIC’s enforcement toolkit, increasing both scrutiny and potential outcomes.


What the OAIC Is Reviewing in the Privacy Policy Sweep

The compliance sweep targets organizations that collect personal information in person, where individuals often have limited visibility into how their data will be used.

The OAIC highlights the risk directly: “When confronted with in-person requests for their personal information… consumers often don’t have access to all the information they might need to make an informed decision.”

This applies across sectors such as:

  • Property inspections where personal details are collected at open houses
  • Pharmacies offering paperless receipts or collecting identity information
  • Licensed venues requesting identification for entry
  • Car rental agencies and dealerships collecting data for transactions or test drives

In these scenarios, transparency depends on more than a written policy. It depends on whether individuals can understand, at the point of collection, what happens to their data.

The OAIC is assessing, among other things, whether privacy policies:

  • Clearly describe what personal information is collected and why
  • Explain how data is used, disclosed, and stored
  • Provide accessible pathways for access, correction, and complaints
  • Disclose whether data is shared overseas

At the same time, the sweep tests whether these statements align with real-world practices.


From Policy to Practice: Where Compliance Gaps Emerge

The sweep places emphasis on alignment between what organizations say and what they do. In practice, gaps often appear at collection points. A form at a property inspection may request more information than the policy describes. A point-of-sale system may capture identifiers that are not clearly disclosed. A consent flow may exist in documentation but not in the actual customer experience.

These disconnects create exposure because compliance is assessed across the full lifecycle of personal data.

The expectation under APP 1 extends beyond maintaining a document. Organizations must implement practices, procedures, and systems that ensure compliance is consistent and demonstrable.

This introduces a higher standard. Privacy policies must function as accurate representations of operational reality.


Why This Matters for Your Business

The immediate risk is regulatory action. The OAIC has the authority to issue infringement notices and financial penalties for non-compliant privacy policies.

Beyond regulatory outcomes, there is a broader impact on trust. In-person data collection often occurs in situations where individuals have limited time to assess their options. If transparency is lacking, this creates a direct gap between expectation and experience.

The timing also matters. The compliance sweep takes place ahead of new transparency obligations tied to automated decision-making, which will require organizations to disclose how personal information is used in systems that influence decisions affecting individuals.

Organizations that address privacy policy fundamentals now are better positioned to meet these upcoming requirements.


Preparing for Automated Decision-Making Transparency

From December 10, 2026, additional requirements will apply to how organizations disclose the use of automated decision-making in their privacy policies.

Organizations will need to explain:

  • The types of personal information used in automated processes
  • The kinds of decisions influenced or made by these systems
  • How those decisions may affect individuals’ rights or interests

This introduces a new layer of transparency. A company using automated systems for eligibility decisions, service access, or profiling will need to provide clear and accessible explanations in its privacy policy.

These requirements build directly on the OAIC’s current focus. If a policy already struggles to accurately describe data collection and use, extending it to cover automated decision-making will increase complexity.


How to Get Audit-Ready

Organizations preparing for the OAIC’s enforcement approach should focus on core operational steps.

Review your privacy policy against APP 1 requirements
Ensure the policy includes all required elements, from data collection practices to complaint handling and overseas disclosures.

Align policy with real-world practices
Check that forms, notices, and consent flows reflect what the policy describes. A mismatch between documentation and execution is a common source of non-compliance.

Assess in-person data collection
Review how personal information is collected in physical environments. Identify where individuals may lack clear information and address over-collection risks.

Minimize and manage data across its lifecycle
Limit data collection to what is necessary and ensure retention and deletion practices are defined and applied.

Establish clear ownership and governance
Define responsibility for maintaining policies, reviewing updates, and ensuring alignment across teams such as legal, IT, and operations.

These steps create a baseline for compliance that can be maintained as regulatory expectations evolve.


How OneTrust Supports Audit Readiness

Operationalizing these requirements depends on connecting policy to systems and workflows.

OneTrust Privacy Automation solutions help organizations:

  • Maintain up-to-date, compliant privacy policies aligned with regulatory requirements
  • Map data flows to ensure policies accurately reflect how information is handled
  • Manage consent and notices across digital and in-person collection points
  • Automate governance workflows for policy reviews, updates, and approvals
  • Prepare for upcoming requirements such as automated decision-making transparency

This creates a consistent approach to privacy management, where policies, systems, and processes operate together.


What to Do Next

The OAIC’s compliance sweep sets a clear direction. Privacy policies are being tested as part of broader enforcement, with a focus on transparency and operational alignment.

Organizations that collect personal information, especially in person, should review their current practices and ensure they align with policy statements and regulatory expectations.

For a deeper view of Australia’s privacy framework and how these requirements fit into the broader regulatory landscape, explore our guide on Australia Privacy Laws Explained.

To assess your current readiness and strengthen your privacy program, contact our team to discuss how to operationalize compliance across policies, systems, and workflows.


Key Questions on OAIC Privacy Policy Enforcement


It is a targeted compliance review launched in 2026 to assess whether organizations’ privacy policies meet the requirements of the Privacy Act and Australian Privacy Principles.

Organizations that collect personal information in person, including sectors such as property, healthcare, licensed venues, and automotive services.

Entities may face compliance notices, infringement notices, and penalties of up to $66,000 for failing to meet privacy policy requirements.

Policies must clearly explain what data is collected, how it is used, disclosed, and stored, and how individuals can access or correct their information.

Organizations should align policies with actual practices, review in-person data collection processes, and prepare to disclose how automated decision-making systems use personal information.

