Privacy Act Reform 2026 — What Australian Mid-Market Businesses Need to Do Now
Published 26 April 2026 · By Trent & Peter, BBN Digital · 12 min read
The Privacy Act reform tranche that took effect through 2025-2026 is the biggest change to Australian data privacy law since 1988. Two changes matter most for mid-market businesses: the OAIC's active compliance sweeps (with $66,000 penalties for non-compliant privacy policies), and the new automated decision-making (ADM) disclosure rules effective December 2026. Here's what to do this quarter.
What's already in effect
OAIC compliance sweeps
The OAIC launched its first proactive compliance sweep in 2026, targeting businesses that collect personal information in person — retail, hospitality, healthcare, professional services. Penalties for non-compliance are up to $66,000 per breach. The sweep checks:
- Does the business have a privacy policy?
- Is it accessible (linked from the homepage and in-store)?
- Does it disclose what's collected, why, and who it's shared with?
- Does it cover the new mandatory data breach notification scheme?
Penalty thresholds
Maximum penalties for serious or repeated interference with privacy went up to $50 million for body corporates (or 30% of adjusted turnover, whichever is greater) in late 2024. The era of "we're too small to matter" is over for mid-market.
What's coming December 2026 — Automated Decision-Making (ADM)
This one will catch a lot of businesses by surprise. APP entities that use computer programs to make decisions that significantly affect individuals' rights or interests must disclose:
- The kinds of personal information used
- The types of decisions being made
- The role automation plays in those decisions
"Significantly affect" is broad. It includes: credit scoring, employment decisions, insurance pricing, eligibility for services, content moderation. Most mid-market businesses use ADM somewhere — even if it's a CRM's lead-scoring algorithm or an AI-generated email. If you can't describe what the algorithm does in plain English, you're not ready.
What mid-market businesses actually need to do
1. Audit and update your privacy policy this quarter
The OAIC sweep is checking now. A 2018-vintage privacy policy that doesn't mention the NDB scheme or APP-13 access rights is non-compliant. Common gaps:
- No mention of the Notifiable Data Breaches scheme (mandatory since Feb 2018)
- No clear opt-in mechanism for marketing
- No "right to access" or "right to correction" workflow
- No data retention periods specified
2. Map your automated decision-making
List every system in your stack that uses an algorithm to make a decision about a person. CRM lead scoring. Job application screening. Insurance underwriting. AI chatbots. Anything that touches a customer or employee. Document what each one does and what data feeds it.
3. Train staff on data breach response
The NDB scheme requires notification within 72 hours of becoming aware of a breach likely to cause serious harm. Most SMBs don't have a documented response process. Build one this quarter.
4. Review third-party data sharing
If you use overseas SaaS (most AU businesses do), APP 8 makes you responsible for what happens to that data. The reform tightens those obligations. Know where each customer record ends up.
The mid-market sweet spot for getting hit
The OAIC has been clear that the sweeps focus on:
- Healthcare providers (massive privacy obligation)
- Real estate agents (hold huge volumes of personal info)
- Education providers (incl. childcare)
- Financial services (already heavily regulated, more so now)
- Anyone collecting biometric or health data
How BBN Co-Pilot helps with privacy compliance
Built-in features:
- Right to access workflow — customer self-service request flow with audit trail
- Data retention rules — automatic anonymisation/deletion based on retention periods you set
- NDB-ready breach detection — anomaly alerts on data exports and bulk reads
- Australian data residency — sovereign tier deploys on AU infrastructure with no overseas processing
- Consent ledger — every marketing opt-in tracked with timestamp and source
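To make the "anomaly alerts on data exports and bulk reads" idea concrete, here is a small threshold-based detector in Python, run over a few constructed audit-log lines. This is an added illustration, not BBN Co-Pilot's own code; the log format, the field names (user, action, table, rows), the thresholds and the ten-minute window are all assumptions chosen for the example.

```python
"""Threshold-based bulk-read / bulk-export detector over an audit log.

Added example, hypothetical and not BBN Co-Pilot code. It assumes an
audit log where every line is an ISO-8601 UTC timestamp followed by
key=value pairs: user, action (read|export), table, rows.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: tune to the size of the tables being protected.
EXPORT_ROW_THRESHOLD = 1000          # any single export this large is flagged
READ_ROW_THRESHOLD = 1000            # rows read by one user, summed over the window
READ_WINDOW = timedelta(minutes=10)  # sliding window for the per-user read total

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2026-04-20T09:00:12Z user=alice action=read table=customers rows=1
2026-04-20T09:00:40Z user=alice action=read table=customers rows=1
2026-04-20T09:01:05Z user=bob action=export table=customers rows=4800
2026-04-20T09:02:00Z user=carol action=read table=customers rows=350
2026-04-20T09:02:30Z user=carol action=read table=customers rows=400
2026-04-20T09:03:10Z user=carol action=read table=customers rows=300
2026-04-20T10:30:00Z user=carol action=read table=customers rows=50
"""


def parse_line(line):
    """Turn one audit line into a dict with a datetime 'ts' and an int 'rows'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    event["rows"] = int(event.get("rows", 0))
    return event


def detect(log_text):
    """Return alerts in log order.

    Rule 1 (bulk_export): a single export of EXPORT_ROW_THRESHOLD rows or more.
    Rule 2 (bulk_read): one user's reads total READ_ROW_THRESHOLD rows or more
    within READ_WINDOW. A user is alerted once per excursion over the threshold,
    not on every subsequent read while still over it.
    """
    alerts = []
    windows = defaultdict(deque)   # user -> deque of (timestamp, rows) within the window
    totals = defaultdict(int)      # user -> sum of rows currently in the window
    over_threshold = set()         # users already alerted for the current excursion

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)

        if ev["action"] == "export" and ev["rows"] >= EXPORT_ROW_THRESHOLD:
            alerts.append({"rule": "bulk_export", "user": ev["user"],
                           "rows": ev["rows"], "detected_at": ev["ts"]})
        elif ev["action"] == "read":
            user = ev["user"]
            q = windows[user]
            q.append((ev["ts"], ev["rows"]))
            totals[user] += ev["rows"]
            # Evict reads that have aged out of the sliding window.
            while q and ev["ts"] - q[0][0] > READ_WINDOW:
                _, old_rows = q.popleft()
                totals[user] -= old_rows
            if totals[user] >= READ_ROW_THRESHOLD:
                if user not in over_threshold:
                    over_threshold.add(user)
                    alerts.append({"rule": "bulk_read", "user": user,
                                   "rows": totals[user], "detected_at": ev["ts"]})
            else:
                over_threshold.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises two alerts: bob's 4,800-row export, and carol's three reads that add up to 1,050 rows inside three minutes; carol's later 50-row read falls outside the window and is not flagged. The `detected_at` timestamp on each alert is the record of when the business became aware of a possible breach, which is the moment the notification clock the post describes starts running.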
Bottom line
The reforms aren't hypothetical anymore — the OAIC is sweeping, the penalties are real, and the ADM rules land in 8 months. Treat your privacy posture like Essential Eight maturity: it's now a board-level concern.
Need a privacy compliance audit?
We do a 90-minute readiness review covering policy, ADM mapping, and breach-response process. Email support@bbn.net.au.
Authored by Trent & Peter at BBN Digital. Last updated 26 April 2026.