Australian Privacy Compliance Checklist: 15 Essential Requirements for 2026

A practical checklist to ensure your Australian business meets all privacy compliance requirements under the Privacy Act, including the December 2024 reforms.

Quick Overview

Use this checklist to ensure your Australian business complies with the Privacy Act 1988, all 13 Australian Privacy Principles (APPs), and the December 2024 reforms. Each item is a legal requirement that could result in penalties up to $50 million if not addressed.

Who this applies to: Currently businesses with annual turnover over $3 million, all private health service providers, and some small businesses. The small business exemption is expected to be removed in 2026-2027, affecting 2.3 million additional businesses.


Essential Requirements Checklist

Privacy Policy & Documentation

  • Privacy policy is published on your website and easily accessible (footer, checkout, contact forms)
  • Privacy policy is current and accurately reflects how you actually handle information
  • All 13 APPs are addressed in your privacy policy - not just some of them
  • NDB scheme is included - explains your data breach response procedures (mandatory since 2018, but 100% of companies we analysed miss this)
  • December 2024 reforms reflected - cybersecurity requirements now explicitly include "technical and organisational measures"

Collection & Consent

  • Collection notices provided at or before you collect personal information (on forms, at signup, during checkout)
  • Consent mechanisms in place for marketing emails, data sharing, and any use beyond the primary purpose
  • Only collecting what you need - not asking for information "just in case" it might be useful later

Security & Access

  • Technical security measures implemented - encryption, access controls, firewalls, secure backups
  • Organisational security measures documented - staff training, incident response plans, vendor management, security policies
  • Access and correction procedures established - customers can request their data and get it within 30 days
  • Data retention policy documented - you destroy or de-identify information when no longer needed

Training & Compliance

  • Staff training conducted on privacy obligations, new penalties, anti-doxxing laws, and statutory tort implications
  • Training documented - records of who was trained and when
  • Privacy officer designated or responsible person identified for privacy matters

Preparation for Changes

  • Preparing for upcoming reforms - automated decision-making transparency (December 2026), small business exemption removal (2026-2027), stronger consent requirements

Why These Matter

Enhanced enforcement: The Office of the Australian Information Commissioner (OAIC) can now issue infringement notices up to $66,000 per violation without going to court. Throughout 2025, they've actively used these powers.

Massive penalties: Maximum penalties increased from $2.22 million to $50 million for companies (a 2,250% increase) under the December 2024 reforms.

Litigation risk: Since June 2025, individuals can sue directly for serious privacy invasions without proving damage first. Privacy class actions are already proceeding through the courts.

Criminal offences: Anti-doxxing laws now carry penalties up to 7 years imprisonment for maliciously sharing personal information.


Common Gaps We See

Based on our analysis of Australian companies:

100% miss: The Notifiable Data Breaches scheme - even billion-dollar companies with legal teams fail to include this mandatory requirement in their privacy policies.

Average coverage: Only 8.6 of 13 APPs covered when using US-based privacy policy generators that claim "Australian compliance."

Most overlooked:

  • Cross-border disclosure requirements (APP 8) when using overseas service providers like AWS, Mailchimp, Stripe
  • Proper security documentation (APP 11) - having technical controls but no documented policies and training
  • Collection notices (APP 5) - having a privacy policy but not notifying people at the point of collection

Quick Action Steps

This Week

  1. Review your current privacy policy against this checklist
  2. Identify any missing requirements
  3. Update or generate a compliant policy

This Month

  1. Implement any missing technical security measures
  2. Document your organisational security policies
  3. Conduct staff training on privacy obligations

This Quarter

  1. Prepare for automated decision-making transparency (due December 2026)
  2. If under $3M turnover: prepare for exemption removal (expected 2026-2027)
  3. Conduct privacy impact assessment for new projects

Need Help?

If you're missing items on this checklist, you're not alone. Privacy compliance has become significantly more complex since the December 2024 reforms.

DIY Approach

Review our comprehensive guides:

Automated Approach

ComplianceKit generates privacy policies specifically for Australian businesses, covering:

  • All 13 Australian Privacy Principles
  • Notifiable Data Breaches scheme
  • December 2024 reforms and June 2025 statutory tort
  • Automatic updates when laws change (with Managed Compliance)

Generate Once - $79 one-time:

  • Complete policy in 5 minutes
  • Download in 4 formats (PDF, DOCX, HTML, TXT)
  • Update anytime for free

Managed Compliance - +$29/year:

  • Automatic updates for December 2026 and Tranche 2 reforms
  • Hosted at secure URL
  • Email notifications when updated
  • Complete version history


Additional Resources

Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Privacy enquiries: 1300 363 992
  • Guidance on all 13 APPs
  • Information about December 2024 reforms

When to get legal advice:

  • You handle sensitive information (health, financial, children's data)
  • You've experienced a data breach
  • You're facing a privacy complaint
  • You're making major changes to data practices

Last updated: February 6, 2026

This checklist provides general guidance on Australian privacy compliance. It's not legal advice. For specific legal questions, consult a qualified privacy lawyer.
