
Privacy Act 2026 playbook for Australian SMBs

A practical, citation-first walk-through of the Privacy Act 1988 (Cth): the small business carve-out, the employee records exemption, the Schedule 1 APP obligations an SMB is most likely to meet, the Notifiable Data Breach scheme, the new statutory tort, the 10 December 2026 ADM transparency obligation, and what to do now if your turnover is climbing toward $3M.

17 obligations · 2 deadlines · 22 cross-linked articles

Key deadlines — next 12 months

  • 10 December 2026: ADM transparency obligation commences
  • 10 December 2026: Children's Online Privacy Code in force
  • Within 30 days: NDB assessment after a suspected breach (s 26WH)
  • Within 30 days: Respond to an APP 12 access request (30 days is the agency deadline; organisations have a "reasonable period" under APP 12.4, which OAIC guidance treats as 30 days)

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  • 1. Is your business's annual turnover approaching or above AUD $3M (the small business operator threshold)?
  • 2. Do you handle credit information, sensitive information (health, biometric, racial origin), or personal information of children?
  • 3. Are you a contracted service provider to an Australian Government agency, or related to an APP entity?
  • 4. Do you provide health services, sell or buy a customer or marketing list, or trade in personal information?
  • 5. Do you operate online services likely to be used by children (Children's Online Privacy Code from 10 December 2026)?
  • 6. Do you use automated decision-making (algorithms or AI) in customer-impacting decisions (ADM transparency from 10 December 2026)?

Plain English summary

Privacy compliance is not a "when we hit $3M" problem. The carve-out for small business operators (s 6D of the Privacy Act 1988) applies only if annual turnover is $3M or less and none of the carve-in conditions in s 6D(4) are met. Health service providers that hold health information, businesses that trade in personal information, contracted service providers to Australian Government agencies, and related bodies corporate of APP entities are APP entities regardless of turnover.

The proposed removal of the small business exemption was recommended in the Privacy Act Review and agreed in principle by the Government — but was not included in the first reform tranche (Privacy and Other Legislation Amendment Act 2024) and remains proposed for a future bill with no commencement date. Treat the $3M threshold as the current law; treat removal as a foreseeable but not-yet-legislated change.

What did commence under the 2024 reforms (the Privacy and Other Legislation Amendment Act 2024): the statutory tort for serious invasions of privacy, the doxxing offences (ss 474.17C and 474.17D of the Criminal Code), new tiered civil penalties for less serious interferences with privacy, and expanded Information Commissioner enforcement powers. The headline civil penalty maximum (the greater of $50M, 3× the benefit obtained, or 30% of adjusted turnover) predates the 2024 Act: it was introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The Automated Decision-Making transparency obligation and the Children's Online Privacy Code commence on 10 December 2026.

This playbook lists every operational obligation an APP entity must meet today, every reform commencing in 2026, and what an SMB approaching the $3M threshold should be doing now. For the practical pieces, use the Privacy Act 2026 readiness check and the NDB notification timer.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. Privacy Act 1988 (Cth), APP 1 (Sch 1)

    Manage personal information in an open and transparent way. Publish a clearly expressed and up-to-date Privacy Policy. APP 1.4 prescribes minimum content (collection, purposes, disclosure, complaints, access/correction). Make the policy freely available.

    Who's responsible
    Privacy Officer / Company Secretary
    Frequency
    Ongoing; review annually
    Penalty
    Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.
  2. Privacy Act 1988, APP 2 (Sch 1)

    Give individuals the option of not identifying themselves, or using a pseudonym, when dealing with the entity (except where the entity is required by law or it is impracticable to provide an anonymous option).

    Who's responsible
    Privacy Officer
    Frequency
    Ongoing — per interaction
    Penalty
    Civil penalty exposure for systemic refusal.
  3. Privacy Act 1988, APP 3 (Sch 1)

    Only collect personal information by lawful and fair means, that is reasonably necessary for one or more of the entity's functions. Sensitive information generally requires consent.

    Who's responsible
    Marketing / Operations / Privacy Officer
    Frequency
    At every collection point
    Penalty
    Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.
  4. Privacy Act 1988, APP 5 (Sch 1)

    At or before collection (or as soon as practicable after), notify the individual of: entity identity, purposes of collection, kinds of recipients, where the Privacy Policy is, and consequences of not providing the information.

    Who's responsible
    Marketing / Customer onboarding
    Frequency
    Every collection event
    Penalty
    Same penalty regime as broader Privacy Act breaches.
  5. Privacy Act 1988, APP 6 (Sch 1)

    Only use or disclose personal information for the primary purpose of collection, unless an exception applies (consent, related secondary purpose, required/authorised by law, lessening serious threat).

    Who's responsible
    Privacy Officer
    Frequency
    Ongoing
    Penalty
    Same penalty regime.
  6. Privacy Act 1988, APP 7 (Sch 1) — direct marketing

    Do not use personal information for direct marketing unless the individual reasonably expected use for that purpose, or has consented, or the entity provides a simple opt-out and the individual has not opted out.

    Who's responsible
    Marketing
    Frequency
    Every marketing campaign
    Penalty
    Same penalty regime; OAIC enforcement notices.
  7. Privacy Act 1988, APP 8 (Sch 1) — cross-border disclosure

    Before disclosing personal information overseas (cloud hosting, vendors, parent company), take reasonable steps to ensure the overseas recipient does not breach the APPs (APP 8.1). Section 16C deems an overseas recipient's act that would have breached the APPs to be the disclosing entity's own act and breach, unless an APP 8.2 exception applied to the disclosure.

    Who's responsible
    Privacy Officer + IT / Procurement
    Frequency
    On vendor onboarding + ongoing
    Penalty
    Same penalty regime; the entity is deemed liable for the overseas recipient's breach under s 16C.
  8. Privacy Act 1988, APP 11 (Sch 1) — security

    Take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Destroy or de-identify when no longer needed for a permitted purpose.

    Who's responsible
    CISO / IT + Privacy Officer
    Frequency
    Ongoing
    Penalty
    Same penalty regime; NDB notification trigger if breach occurs.
  9. Privacy Act 1988, APP 12 + APP 13 (Sch 1) — access and correction

    Give access on request. Agencies must respond within 30 days; organisations must respond within a reasonable period (APP 12.4), which OAIC guidance treats as 30 days. Correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading. If you decline to correct, give a statement of correction on request.

    Who's responsible
    Privacy Officer
    Frequency
    Event-driven; 30 days for agencies, a reasonable period (treat as 30 days) for organisations
    Penalty
    Civil penalty exposure for systemic failure; OAIC complaint-handling.
  10. Privacy Act 1988, Part IIIC (ss 26WH, 26WK and 26WL) — Notifiable Data Breach

    If there are reasonable grounds to believe an eligible data breach has occurred, prepare a statement for the OAIC (s 26WK) and notify affected individuals (s 26WL) as soon as practicable. Where there are only grounds to suspect a breach, take reasonable steps to complete the assessment within 30 days of becoming aware (s 26WH).

    Who's responsible
    Privacy Officer / Incident Response Lead
    Frequency
    Event-driven
    Penalty
    Up to $50M / 3× benefit / 30% turnover for serious or repeated interferences.
  11. Privacy Act 1988, Part IIIA + CR Code (credit reporting)

    If you are a credit provider (incl. trade credit) or credit reporting body, comply with Part IIIA: s 21D notices, permitted disclosures, repayment history information handling, financial hardship information regime, dispute resolution within statutory timeframes.

    Who's responsible
    Credit Manager + Privacy Officer
    Frequency
    Ongoing
    Penalty
    Same penalty regime; CR Code breaches additionally enforceable.
  12. Privacy Act 1988, APP 1.7–1.9 (Sch 1, inserted by the Privacy and Other Legislation Amendment Act 2024) — Automated Decision-Making transparency

    From 10 December 2026: an APP entity that uses automated systems to make decisions that significantly affect an individual must include information about the use of such systems in its APP 1 Privacy Policy.

    Who's responsible
    Privacy Officer + Product / AI lead
    Frequency
    Ongoing from 10 December 2026
    Penalty
    Same penalty regime as Privacy Act breaches.
  13. Children's Online Privacy Code (under s 26GA, commencing 10 December 2026)

    If your service is likely to be accessed by children, comply with the Children's Online Privacy Code: age-appropriate default settings, restrictions on direct marketing to children, transparency tailored to children.

    Who's responsible
    Product + Privacy Officer
    Frequency
    Ongoing from 10 December 2026
    Penalty
    Same penalty regime; OAIC enforcement.
  14. Privacy Act 1988, Sch 2 — Statutory tort for serious invasion of privacy

    From 10 June 2025 the statutory tort is actionable in the Federal Court. The tort covers intrusion upon seclusion and misuse of private information where serious and intentional or reckless.

    Who's responsible
    General Counsel + Privacy Officer
    Frequency
    Ongoing
    Penalty
    Damages including economic loss + non-economic loss + exemplary damages where serious.
  15. Criminal Code Act 1995 (Cth), ss 474.17C and 474.17D — Doxxing offences

    Do not use a carriage service to make available, publish or distribute personal data of an individual in a way that a reasonable person would regard as menacing or harassing.

    Who's responsible
    All staff (criminal exposure)
    Frequency
    Continuous
    Penalty
    Up to 6 years imprisonment (s 474.17C); up to 7 years where the target is a group, or a member of a group, distinguished by a protected characteristic such as race or religion (s 474.17D).
  16. Privacy Act 1988, s 7B(3) — Employee records exemption

    Employee records held by the employer in relation to current/former employees are exempt from the APPs in relation to acts directly related to the employment relationship. This exemption is narrow — recruitment, contractors, prospective employees and most data outside the direct employment relationship are not covered.

    Who's responsible
    HR + Privacy Officer
    Frequency
    Continuous
    Penalty
    Misapplied exemption may result in APP breach + civil penalty exposure.
  17. Spam Act 2003 (Cth), ss 16–18

    Do not send commercial electronic messages without consent (s 16). Consent must be express or reasonably inferred; every message must identify the sender (s 17) and carry a functional unsubscribe facility (s 18).

    Who's responsible
    Marketing
    Frequency
    Every campaign
    Penalty
    Up to $2.355M per day for serious breaches (ACMA enforcement).


Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • Notifiable Data Breach Notification (OAIC online form)

    Notify OAIC of an eligible data breach. Used as soon as the entity has reasonable grounds to believe a breach has occurred.

  • Privacy complaint form (OAIC)

    How individuals lodge complaints — useful for SMBs to understand the OAIC's process when an individual escalates.

  • Privacy Impact Assessment template (OAIC guide)

    OAIC's recommended PIA structure. Required for some Government-related projects; best practice for SMB high-risk projects.



What changes 2025–2026

10 June 2025 — Statutory tort live

The new statutory tort for serious invasion of privacy commenced. Plaintiffs can sue directly in the Federal Court for intrusion upon seclusion and misuse of private information.

10 December 2026 — ADM transparency obligation

APP entities using automated decision-making in significant decisions about individuals must update their APP 1 Privacy Policy to disclose the use of automated systems.

10 December 2026 — Children's Online Privacy Code

A statutory code regulating services likely to be accessed by children: default settings, marketing restrictions, age-appropriate transparency.

Proposed (future tranche) — Small business exemption removal

The Government has agreed in principle to remove the s 6D small business exemption. No bill has been introduced. SMBs approaching the $3M threshold should treat this as a foreseeable change but not a fixed deadline.

Proposed (future tranche) — Fair and Reasonable test

A new overarching obligation that collection, use and disclosure must be "fair and reasonable in the circumstances" was recommended in the Privacy Act Review but not included in the 2024 reforms. Status: proposed.

Proposed (future tranche) — Direct right of action

Individuals would be able to apply directly to a court for breach of the Privacy Act. Status: proposed.


Frequently asked

We're at $2.8M turnover. Should we comply with the Privacy Act now?

Yes — treat the next $3M jump as a privacy event. APP entity status switches on at the reporting period in which turnover crosses $3M. The practical compliance load (Privacy Policy, collection notice, NDB readiness, vendor mapping) is a 30-60 day project. Do it now while you have headroom rather than scrambling after the year-end signal.

Are we exempt if all our customers are businesses, not consumers?

No — the Privacy Act applies to personal information about identifiable individuals. B2B sales lists with named contacts are personal information. Business contact details collected from an organisation about its employees are partially exempt under s 7B(2) only where the information is collected, used or disclosed for the purpose of an act directly relating to the recipient's employment.

What does 'reasonable steps' mean under APP 11?

The OAIC's APP 11 guide sets the standard: governance, ICT security (access controls, encryption, patching, logging), physical security, personnel security and training, supplier management, and breach response. The bar scales with the sensitivity of the information and the size of the entity. For sensitive information the bar is high.

If our cloud provider is overseas, are we automatically liable for what they do?

Not automatically, but more than the question implies. APP 8.1 requires you to take reasonable steps before the disclosure (a data processing agreement, vendor due diligence, monitoring, contractual remedies). Section 16C then applies whenever APP 8.1 applied to the disclosure: if the overseas recipient does something that would have breached the APPs had they applied to it, that act is taken to be your act and your breach, whether or not your steps were reasonable. Taking reasonable steps is the obligation, not a shield. The way out of s 16C is an APP 8.2 exception, for example where the recipient is bound by a law or binding scheme substantially similar to the APPs with accessible enforcement mechanisms (APP 8.2(a)), or where the individual consented after being expressly told that APP 8.1 would not apply (APP 8.2(b)).

Do we have to notify NDB for every breach?

No — only for eligible data breaches: unauthorised access, disclosure or loss that is likely to result in serious harm to one or more individuals. Assessment must be completed within 30 days of becoming aware. If remedial action prevents serious harm before disclosure, notification is not required (s 26WF).
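The 30-day assessment clock and the s 26WF remedial-action carve-out above are the two points an incident lead most often gets wrong under pressure. The following is an added example, not Rules Mate code and not the OAIC's NDB form or timer: a small Python helper that computes the s 26WH deadline from the day the entity became aware, reports whether the assessment is open, overdue or concluded, and turns the outcome into the next runbook steps. The ticket identifiers and dates are constructed sample data, and the runbook wording is paraphrase rather than statutory text.

```python
"""Notifiable Data Breach (NDB) assessment timer and notification decision.

Added example for this playbook; not Rules Mate code and not the OAIC's tool.
Section references are to Part IIIC of the Privacy Act 1988 (Cth). Ticket IDs
and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# s 26WH: take all reasonable steps to complete the assessment within 30 days
# after becoming aware of reasonable grounds to suspect an eligible data breach.
ASSESSMENT_WINDOW_DAYS = 30


@dataclass
class BreachAssessment:
    """Facts the incident lead records while assessing a suspected breach."""
    incident_id: str                        # hypothetical internal ticket reference
    aware_on: str                           # ISO date: first day there were grounds to suspect
    # Assessment outcome. None until concluded; True when the unauthorised access,
    # disclosure or loss is likely to result in serious harm to one or more individuals.
    likely_serious_harm: Optional[bool] = None
    # s 26WF: remedial action taken so that serious harm is no longer likely.
    remediated_before_harm: bool = False


def assessment_deadline(aware_on: str) -> str:
    """Last day of the s 26WH assessment window, as an ISO date."""
    deadline = date.fromisoformat(aware_on) + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    return deadline.isoformat()


def days_remaining(a: BreachAssessment, today: str) -> int:
    """Days left in the assessment window; negative once it has lapsed."""
    end = date.fromisoformat(assessment_deadline(a.aware_on))
    return (end - date.fromisoformat(today)).days


def assessment_status(a: BreachAssessment, today: str) -> str:
    """'concluded', 'open' or 'overdue'."""
    if a.likely_serious_harm is not None:
        return "concluded"
    return "overdue" if days_remaining(a, today) < 0 else "open"


def notification_required(a: BreachAssessment) -> Optional[bool]:
    """None while the assessment is open, otherwise whether the breach is notifiable.

    A breach is an eligible data breach only if serious harm is likely; if remedial
    action removed that likelihood before harm occurred (s 26WF), there is nothing
    to notify even though an incident took place.
    """
    if a.likely_serious_harm is None:
        return None
    if a.remediated_before_harm:
        return False
    return a.likely_serious_harm


def next_actions(a: BreachAssessment, today: str) -> List[str]:
    """Runbook steps for the incident lead, given where the assessment stands."""
    status = assessment_status(a, today)
    if status == "open":
        return [f"Complete the assessment by {assessment_deadline(a.aware_on)} "
                f"({days_remaining(a, today)} days left); contain and preserve evidence."]
    if status == "overdue":
        return [f"Assessment window lapsed on {assessment_deadline(a.aware_on)}: "
                "conclude it now and record why it ran past 30 days."]
    if notification_required(a):
        return [
            "Prepare the statement to the Commissioner (s 26WK): identity and contact "
            "details, description of the breach, kinds of information, recommended steps.",
            "Notify affected individuals (s 26WL): all individuals, only those at risk "
            "of serious harm, or publish the statement if neither is practicable.",
            "Do both as soon as practicable after the assessment concludes.",
        ]
    return ["Record the assessment outcome and the remedial action taken; "
            "no NDB notification is required."]


if __name__ == "__main__":
    # Constructed sample: incident detected 2 March 2026, assessment still running.
    a = BreachAssessment("INC-2026-0042", "2026-03-02")
    print(assessment_status(a, "2026-03-20"), next_actions(a, "2026-03-20"))
```

The status function deliberately reports "overdue" rather than silently extending the window: s 26WH sets a 30-day expectation, and an assessment that runs past it should be concluded and the delay documented, not quietly reset. Keep the `remediated_before_harm` flag tied to evidence that the remedial action actually removed the likelihood of serious harm, since that is the only basis on which s 26WF lets you stand down.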

Are HR records exempt?

Records held by the employer about a current or former employee, in relation to the employment relationship, are exempt under s 7B(3). The exemption is narrow: it does not cover prospective employees, contractors, recruitment data outside the relationship, or use of HR data for purposes unrelated to the employment relationship.

When does the ADM transparency obligation actually apply?

From 10 December 2026, where an APP entity uses an automated decision-making system to make, or substantially assist in making, a decision that significantly affects an individual's rights or interests. The obligation is disclosure in the APP 1 Privacy Policy — not consent. The OAIC has flagged guidance for late 2026.


Last verified: 6 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.