Rules Mate

Privacy Act 2026: 8 questions every Australian SMB should answer

Removing the small business exemption is proposed for a future reform tranche — not yet law — but if enacted ~2 million SMBs would become APP entities. Answer these 8 questions to know where you stand.

Rules Mate EditorialPublished 18 May 20261 min read

1. Are we exempt today?

Small business exemption (s 6D) applies under $3M turnover. But carve-outs: health information holders, list brokers, Commonwealth contractors, credit reporting, residential tenancy DBs, TFN holders for non-employees are NOT exempt. Removing the exemption entirely was recommended in the Privacy Act Review and agreed in principle by the Government, but it is deferred to a future reform tranche — not yet law, with no commencement date.

2. Do we have a written Privacy Policy?

APP 1.3 requires every APP entity to have a clearly-expressed Privacy Policy meeting APP 1.4 minimum content.

3. Do we know what personal information we hold?

Build a data inventory across CRM, email marketing, HR/payroll, phones, forms, backups, vendor systems. Without it you can't answer APP 11 / 12 / NDB.

4. What's our breach response plan?

Under NDB: assess within 30 days, notify OAIC + individuals as soon as practicable once confirmed eligible. Pre-build incident owner, comms template, OAIC form. Tabletop test. See NDB timer tool.

5. Do our vendors handle personal information safely?

For each material vendor: DPA in contract, security control confirmation (SOC 2, ISO 27001, IRAP), geographic-residency confirmation, sub-processor disclosure.

6. Can we respond to an access or correction request?

APP 12: access requests within 30 days (private sector). APP 13: take reasonable steps to correct; attach statement if you disagree. Build the intake workflow.

7. Do we use automated decision-making?

If algorithmic credit scoring, automated moderation, AI-driven employee decisions — build ADM register: model card, inputs, purpose, oversight, human-review pathway. Include in Privacy Policy.

8. Have we trained staff?

APP 11.1 reasonable steps include training. Required: onboarding, annual refresher, phishing awareness, breach reporting workflow. OAIC checks training records during investigation.

---

Done? Validate via the Privacy Act 2026 readiness scorer. Score below 65? You have work to do to get ready for the Privacy Act reforms — and the proposed exemption removal would only raise the stakes.

Frequently asked

Will OAIC enforce on day one?

OAIC has historically taken an educative approach immediately post-reform. But statutory penalties apply from day one for serious or repeated interferences.

Can my IT provider do all this?

They can help with security + breach response. Policy, training, ADM register, access/correction workflow are organisational — typically owned by HR / operations / a privacy officer (part-time OK).

What's the personal liability of directors?

Privacy Act penalties are corporate. But under Corporations Act s 180 + ASIC v RI Advice precedent, persistent IT/privacy failings can attract director-duty exposure.

Related

Obligations covered

Free tools