Rules Mate

Free tool

Privacy Act 2026 readiness

The Privacy Act reforms are landing in stages — the statutory tort is already live, and automated decision-making transparency plus the Children's Online Privacy Code commence on 10 December 2026. Removing the small-business exemption (which would bring ~2 million SMBs into scope) is proposed for a future tranche but not yet law. This tool scores your privacy program across 10 control areas and prioritises gaps by severity.

Last verified: 28 May 2026
Scoping
Privacy controls (rate each)

We publish a current Privacy Policy that meets APP 1.4.

We have a documented inventory of personal information held.

We capture and renew consents for personal info collection.

We have a written NDB breach response plan, tested in the last 12 months.

All staff complete privacy training annually.

We have layered security controls (MFA, encryption, role-based access).

We have written DPAs / data processing agreements with key vendors.

We have a documented process to handle APP 12/13 access & correction requests.

We maintain an ADM register for any automated decision-making affecting individuals.

We have a written privacy complaints process.

Readiness score

0/100

Band

Exposed — significant remediation required

Context

  • You are an APP entity now. The 2024 amendments (statutory tort, enhanced penalties, doxxing offence) already apply.

Gaps to close

  • highPrivacy Policy

    Build a privacy policy — covers app 1.3 — open and transparent management of personal information.

  • highData inventory / data map

    Build a data inventory / data map — covers knowing what personal info you hold (foundational).

  • highConsent management

    Build a consent management — covers app 3 / app 6 — consent capture and renewal.

  • highNDB breach response plan

    Build a ndb breach response plan — covers part iiic — notifiable data breaches.

  • highStaff privacy training

    Build a staff privacy training — covers reasonable steps under app 11.1.

  • highSecurity controls

    Build a security controls — covers app 11.1 — reasonable steps to protect.

  • highVendor data processing agreements

    Build a vendor data processing agreements — covers app 8 — overseas disclosure.

  • highAccess & correction process

    Build a access & correction process — covers app 12 / app 13.

  • highAutomated decision-making register & transparency

    Build a automated decision-making register & transparency — covers 2026 adm transparency requirements.

  • highPrivacy complaints process

    Build a privacy complaints process — covers app 1 + complaint-handling expectations.

Sources

Reference tool — not legal advice. Further privacy reforms, including removal of the small-business exemption, remain proposed and are not yet law; this tool reflects the obligations now in force plus the reforms commencing 10 December 2026.

Related tools

Frequently asked questions

What changes on 10 December 2026?
Automated decision-making transparency obligations and the Children's Online Privacy Code commence on 10 December 2026 (two years after the Privacy and Other Legislation Amendment Act 2024 received assent). Removal of the small-business exemption is often discussed alongside these reforms, but it is not part of this commencement — it remains proposed for a future tranche and is not yet law.
Does the small-business exemption still apply now?
Yes. Businesses with annual turnover under $3M are exempt unless they fall into an existing carve-out (health service providers, businesses trading in personal information, credit reporting, etc.). Removing the exemption is proposed for a future reform tranche — it is not yet law and has no commencement date, so the exemption still applies today.
What's the statutory tort for privacy?
A new cause of action for serious invasions of privacy is already in force following the Privacy and Other Legislation Amendment Act 2024 — individuals can sue directly for serious privacy invasions, separate from OAIC enforcement.
What are the maximum penalties?
Up to $50M, or 3× the benefit obtained, or 30% of adjusted turnover during the breach period — whichever is greatest — for serious or repeated interferences with privacy.

Not sure which obligations apply to you?

Run the Compliance Fingerprint — a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that triggers.

Build my Compliance Fingerprint →