On 9 December 2025, the Office of the Australian Information Commissioner (OAIC) announced it will be launching into the new year with significant momentum with plans to undertake its first ever privacy compliance reviews.
Who is the OAIC targeting?
Starting in the first week of January 2026, the OAIC’s targeted review will assess 60 entities across six sectors engaging in ‘in person’ collections of personal information privacy practices against the requirements under the Australian Privacy Principle (APP) 1.
The six sectors include:
- Rental and property – collection of individuals’ personal information during property inspections;
- Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication;
- Licensed venues – collection of identity information to enable individuals to access a venue;
- Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
- Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive; and
- Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.
Requirements of APP 1 – Pulse checking your Privacy Policy
The OAIC’s announcement is a timely reminder to ensure that your Privacy Policy is clear, accessible up to date and captures any changes to personal information handling practices as we head into 2026.
A key element of the review is the OAIC’s assessment of how these selected APP entities are complying with APP 1.4 which sets out items which must be included in your Privacy Policy to be compliant. The information required includes:
- the kinds of personal information that the entity collects and holds;
- the purposes for which the entity collects, holds, uses and discloses personal information;
- how an individual may access personal information about themselves that is held by the entity and seek the correction of such information;
- how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
- whether the entity is likely to disclose personal information to overseas recipients; and
- if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
Key takeaways
The Commissioner has power to conduct an assessment relating to the Australian Privacy Principles (under S 33C of the Privacy Act 1988 (Cth)). The January 2026 sweep is indicative of a move toward exercise stronger enforcement powers and a shift in the OAIC’s regulatory approach.
How we can help
The Privacy and Data Security team at Moores can help you to proactively review your privacy practices including by ensuring your organisation has an up-to date privacy policy and undertake privacy audits. .
Stay tuned for our New Privacy Toolkit, to be released in early 2026.
Contact us
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.