Free tool

Privacy Act 2026 readiness

On 10 December 2026 the Privacy Act's small-business exemption is removed and ~2 million Australian SMBs become APP entities. This tool scores your existing privacy program across 10 control areas and prioritises gaps by severity.

Scoping

Annual turnover is under $3M (currently small-business-exempt).We handle health information.We use automated decision-making affecting individuals.We disclose personal info overseas (cloud, parent company, etc.).

Privacy controls (rate each)

We publish a current Privacy Policy that meets APP 1.4.

We have a documented inventory of personal information held.

We capture and renew consents for personal info collection.

We have a written NDB breach response plan, tested in the last 12 months.

All staff complete privacy training annually.

We have layered security controls (MFA, encryption, role-based access).

We have written DPAs / data processing agreements with key vendors.

We have a documented process to handle APP 12/13 access & correction requests.

We maintain an ADM register for any automated decision-making affecting individuals.

We have a written privacy complaints process.

Readiness score

0/100

Band

Exposed — significant remediation required

Context

You are an APP entity now. The 2024 amendments (statutory tort, enhanced penalties, doxxing offence) already apply.

Gaps to close

highPrivacy Policy
Build / mature privacy policy — APP 1.3 — Open and transparent management of personal information.
highData inventory / data map
Build / mature data inventory / data map — Knowing what personal info you hold (foundational).
highConsent management
Build / mature consent management — APP 3 / APP 6 — consent capture and renewal.
highNDB breach response plan
Build / mature ndb breach response plan — Part IIIC — Notifiable Data Breaches.
highStaff privacy training
Build / mature staff privacy training — Reasonable steps under APP 11.1.
highSecurity controls
Build / mature security controls — APP 11.1 — reasonable steps to protect.
highVendor data processing agreements
Build / mature vendor data processing agreements — APP 8 — overseas disclosure.
highAccess & correction process
Build / mature access & correction process — APP 12 / APP 13.
highAutomated decision-making register & transparency
Build / mature automated decision-making register & transparency — 2026 ADM transparency requirements.
highPrivacy complaints process
Build / mature privacy complaints process — APP 1 + complaint-handling expectations.

Sources

Reference tool — not legal advice. The Privacy Reform Bill 2024 (Tranche 2) is still progressing through Parliament; this tool reflects the obligations now in force plus the 2026 commencement.