Upcoming Privacy Compliance Sweeps and How They Affect You
OAIC announces plans to conduct onsite inspections of businesses for privacy breaches starting 1 January 2026
Privacy of data, especially customer data, has become an increasingly hot-button issue for businesses.
High-profile leaks of customer data (such as Optus and Qantas) have highlighted at all levels of government the importance of maintaining customer privacy.
To that end, the Office of the Australian Information Commissioner (the OAIC) has announced that it will undertake its first official privacy compliance sweeps, crossing several industry types, including car dealerships and car rental companies.
The above comes in line with a raft of additional investigation and penalty-issuing powers being provided to both the OAIC and the courts, as well as new enforcement regimes.
What You Need to Know
The inspections will primarily be concerned with how businesses manage the personal information they obtain from parties such as consumers (Australian Privacy Principle 1). Under recent reforms to the powers of the OAIC, inspectors will be empowered to:
· Require a business to disclose its privacy policies and make available any documentation or systems related to such policies
· Require a business to provide information regarding how data is shared and stored
· Require a business to disclose how private information is gathered and used, including demonstrating that its use follows a valid privacy policy
How This Will Impact You
A business that is found to be in breach of the Privacy Principles may be subject to on-the-spot fines and (in the case of serious breaches) court notices. Whilst the OAIC has yet to release further details at this stage, penalties under general enforcement of the relevant sections can reach as high as $66000 (200 penalty units), so it's important that businesses take their obligations seriously.
It should be noted that businesses do have the capacity to dispute any such fines in court if any are issued.
What Businesses Need to Do to Stay Compliant
As privacy continues to become a more important issue, businesses will need to ensure that they implement and maintain robust internal privacy systems.
However, at minimum, businesses can start this process now by:
· Ensuring that their privacy policies and procedures are up to date
· Reviewing their information handling practices, including:
  o What is collected
  o Who can access this information
  o Where it is stored
  o What it is primarily used for
· Updating privacy policies to ensure that they align with the actual practices of the business
· Reviewing current access protocols and developing a clearer picture of who can access, edit, amend and/or delete data, and at what level. Consider putting in controls that limit data access, or restrict which data is available, to what each employee needs in order to perform their role.
· Reviewing and preparing Data Breach Response Plans to limit the impact of a data breach
· Reminding staff regularly (and in writing) of their privacy obligations and expectations
· Checking whether any information has been added to internal AI systems. If so, triple check the AI software's privacy provisions, including whether data is shared for the purpose of updating the software.
Sweeps like these are likely to become more common, but by taking some small steps now, businesses can protect themselves against compliance breaches and develop more robust frameworks for privacy in the future.
MTA NSW can assist members with the policies and processes necessary for compliance with the Privacy Act. For more information, please reach out to Joshua Burns from our Legal team on (02) 9016 9022 or [email protected]