Focus on privacy compliance

Alert

Compliance sweep to be undertaken by the OAIC

The Office of the Australian Information Commissioner (the OAIC) has kick-started the year by beginning its first compliance sweep. The OAIC will select approximately 60 businesses whose privacy policies will be reviewed to ensure they comply with the requirements under the Privacy Act 1988 (Cth) (the Privacy Act).

The businesses will be selected from sectors that generally collect information in-person, including:

  • Rental and property
  • Chemists and pharmacists
  • Licensed venues
  • Car rental companies
  • Car dealerships
  • Pawnbrokers and second-hand dealers.

Businesses in the above sectors often collect personal information in person from individuals (for example, at property inspections, or as a pre-condition of providing services such as hiring out rental cars or granting access to licensed venues). In-person collection carries unique privacy risks, so businesses collecting personal information in this way should take extra steps to give individuals adequate notice of their privacy policy and practices, so that individuals clearly understand how their personal information may be handled.

The OAIC has selected these sectors as the starting point for a compliance sweep due to privacy breaches and other issues that have arisen in these sectors. We expect that, following this exercise, the OAIC will issue a report of its findings and further guidance on compliance with APP 1.4 based on that report. As the OAIC continues the trend of increasing its compliance and enforcement activities, it may then turn to the privacy policies of organisations in other sectors and industries.

Focus on APPs 1.3 and 1.4

The OAIC has indicated that the compliance sweep will focus on whether businesses' privacy policies comply with two of the Australian Privacy Principles (APPs): APP 1.3, which requires businesses to have a clearly expressed and up-to-date APP-compliant privacy policy, and APP 1.4, which sets out the information that must be included in a privacy policy.

The required information under APP 1.4 includes:

  • information about the kind of personal information collected and held by the business;
  • details about how personal information is collected and handled by the business, including whether the information is likely to be disclosed to recipients overseas and the countries in which those recipients are located;
  • the purposes for which personal information is collected, held, used and disclosed; and
  • mechanisms for individuals to access and correct their personal information and for complaints.

The OAIC’s guidance on APP 1 highlights that privacy policies should contain sufficient information to describe how a business manages and handles personal information and provides examples of other information that could be included in a privacy policy (for example, how the business will update its privacy policy and if the business has any specific data retention practices and policies).

Increasing enforcement

As noted above, the OAIC has become increasingly active in undertaking investigations into the privacy practices of businesses and enforcing compliance with the Privacy Act. In recent investigations, the OAIC has focused upon lines of enquiry into compliance with APPs 1.3 and 1.4 and has found that entities have failed to comply with APP 1.3 by not providing necessary information as required under APP 1.4.

  • Kmart – The OAIC issued a determination last year in relation to its investigation of Kmart’s use of facial recognition technology in its retail stores in which it determined that Kmart breached APP 1.3 by failing to include in its privacy policies details about the kinds of personal information that it collected and held, and how it collected and held that personal information as required under APP 1.4.

    Kmart’s privacy policies specified some of the kinds of personal information collected by its facial recognition technology system and provided general details on the collection of personal information (i.e. that it was collected via cameras). The Commissioner was not satisfied that this information adequately and completely described the kinds of personal information collected by Kmart or how the personal information was collected.

    This highlights that the inclusion of general high-level information about the kinds of personal information collected and the methods of collection, such as those commonly found in privacy policies, may not be enough to satisfy the requirements of APP 1.4.

  • Bunnings – In 2024, the OAIC investigated Bunnings in relation to its use of a facial recognition technology system in its stores and found that Bunnings breached APP 1.3 by failing to include in its privacy policies details about the kinds of personal information that it collected and held, and how it collected and held that personal information as required under APP 1.4.

    Bunnings argued that it did not ‘collect’ personal information and therefore was not required to include details of personal information collected via facial recognition technology in its privacy policy. This argument was rejected, and it was found that personal information was collected using the facial recognition technology system and as such, details about Bunnings’ collection and handling of this personal information (including biometric information collected or derived from the use of facial recognition technology) should have been included in its privacy policies.

  • Property Lovers – In 2024, the OAIC investigated Property Lovers in relation to its collection of individuals’ personal information from third-party websites and databases for inclusion in its lead lists. The Commissioner examined Property Lovers’ privacy policy and found that it was not a clearly expressed and up-to-date policy about the management of personal information by Property Lovers and, in several instances, did not provide adequate or accurate information about the collection and handling of personal information collected for inclusion in its lead lists.

What should businesses be thinking about this year?

The current compliance sweep and the case studies above highlight the increasing focus of the OAIC on verifying and enforcing compliance with the Privacy Act, and in particular ensuring that businesses have accurate and adequately detailed privacy policies.

Whilst the current compliance sweep is targeted at particular sectors, it is likely that the OAIC will conduct similar sweeps across other sectors.

Given the changes to the Privacy Act in late 2024, the prospect of further changes and the continued focus of the OAIC, media, and consumers on privacy compliance, privacy practices should be a key focus for businesses operating in the Australian market.

Businesses should ensure that:

  • Privacy policies are up to date and remain accurate. A privacy policy should reflect the actual practices of a business in the collection and handling of personal information – privacy policies should not be seen or treated as a ‘tick box’ exercise that can be satisfied by populating a template or including high level, generic statements. It should also be transparent and easy to understand.
  • Any form or process for collecting personal information includes a privacy collection statement/privacy collection notice that meets the requirements of APP 5. A number of the OAIC’s recent determinations have emphasised that it isn’t sufficient to refer individuals to privacy policies. Organisations must provide appropriately specific and detailed notices in order to comply with APP 5.
  • Any collection and use of data within the business is understood and mapped. Data mapping exercises are helpful to understand the kinds of personal information collected and how the personal information is used and disclosed. This is key to ensuring that a privacy policy accurately reflects the use of personal information.
  • The collection of personal information is minimised, so the business is only collecting personal information that it strictly requires. This also assists in mitigating the risks associated with handling large amounts of personal information.

Contact a member of our team if you would like to discuss the steps your organisation can and should take to review and strengthen its privacy practices.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2026 White & Case LLP
