Privacy Act 2026: 8 questions every Australian SMB should answer

On 10 December 2026 the small business exemption is removed and ~2 million SMBs become APP entities. Answer these 8 questions to know where you stand.

Published 18 May 2026

1. Are we exempt today?

The small business exemption (s 6D) applies to businesses with annual turnover under $3M. There are carve-outs, however: health information holders, list brokers, Commonwealth contractors, credit reporting, residential tenancy databases and TFN holders for non-employees are NOT exempt today. From 10 December 2026 the exemption is removed entirely.

2. Do we have a written Privacy Policy?

APP 1.3 requires every APP entity to have a clearly expressed Privacy Policy that meets the APP 1.4 minimum content requirements.

3. Do we know what personal information we hold?

Build a data inventory across CRM, email marketing, HR/payroll, phones, forms, backups and vendor systems. Without it you cannot answer your APP 11, APP 12 or NDB obligations.

4. What's our breach response plan?

Under the NDB scheme: assess a suspected breach within 30 days, and notify the OAIC and affected individuals as soon as practicable once it is confirmed eligible. Pre-build the incident owner role, the comms template and the OAIC form. Run a tabletop test. See the NDB timer tool.

5. Do our vendors handle personal information safely?

For each material vendor, confirm: a DPA in the contract, security controls (SOC 2, ISO 27001, IRAP), geographic residency of the data, and disclosure of sub-processors.

6. Can we respond to an access or correction request?

APP 12: respond to access requests within 30 days (private sector). APP 13: take reasonable steps to correct; attach a statement if you disagree. Build the intake workflow.

7. Do we use automated decision-making?

If you use algorithmic credit scoring, automated moderation or AI-driven employee decisions, build an ADM register: model card, inputs, purpose, oversight, human-review pathway. Include it in the Privacy Policy.

8. Have we trained staff?

APP 11.1 reasonable steps include training. Required: onboarding, annual refresher, phishing awareness, and the breach reporting workflow. The OAIC checks training records during an investigation.

---

Done? Validate via the Privacy Act 2026 readiness scorer. Score below 65? You have work to do before 10 December 2026.

Frequently asked

Will OAIC enforce on day one?

OAIC has historically taken an educative approach immediately post-reform. But statutory penalties apply from day one for serious or repeated interferences.

Can my IT provider do all this?

They can help with security and breach response. Policy, training, the ADM register and the access/correction workflow are organisational, typically owned by HR, operations or a privacy officer (part-time is fine).

What's the personal liability of directors?

Privacy Act penalties are corporate. But under Corporations Act s 180 and the ASIC v RI Advice precedent, persistent IT/privacy failings can attract director-duty exposure.
