The OAIC’s 2026 Privacy Compliance Sweep: What It Means and Why January Matters

Australia is entering a new era of increased privacy oversight.

The Office of the Australian Information Commissioner (OAIC) has announced its privacy compliance sweep, commencing January 2026. This marks a significant shift in how regulators expect organisations to demonstrate accountability.

For the first time, the OAIC will proactively review the privacy policies of businesses that collect personal information in person, assessing their alignment with Australian Privacy Principle 1.4 (APP 1.4). While the scope may appear narrow, the implications for operational, legal, and reputational risk are anything but.

Why the Sweep Matters for Organisations

APP 1.4 sets the baseline for transparency. It requires organisations to clearly explain:

  • What personal information is collected
  • Why it is collected
  • How it is used and disclosed
  • How it is stored and secured
  • How individuals can access or correct their information
  • How complaints can be made

These are not administrative niceties; they are foundational obligations.

However, across many sectors where information is collected face-to-face, current practices fall short of what APP 1.4 requires.

The OAIC’s focus on in-person collection is aimed at addressing collection practices where consumers are asked for information on the spot, creating an imbalance and the potential for overcollection.

The Six Sectors Under Direct Scrutiny

The OAIC has identified six industries where in-person collection and overcollection are both common:

  1. Rental and property

Overcollection of full identity documentation, bank statements, payslips, references, and even family photographs.

  2. Chemists & pharmacies

Identity verification documents, healthcare cover, receipts, medication collection details, and disease diagnoses are all personal information and often sensitive data.

  3. Licensed venues

Identity scanning technologies often lack transparent collection, retention and deletion practices.

  4. Car rental companies

A mix of driver’s licence details, credit cards, and insurance information is routinely collected, sometimes with minimal governance.

  5. Car dealerships

Test-drive and financing processes require verification steps that are not always well controlled.

  6. Pawnbrokers & second-hand dealers

Identity checks are essential, but many operators lack secure storage or clear explanations for how information is used.

For organisations operating within these sectors, January may be a litmus test for compliance maturity.

Where the OAIC Is Likely to Find Non-Compliance

Across both regulated and unregulated industries, the same gaps appear repeatedly:

  • Missing or incomplete APP 1.4 requirements
  • Privacy policies that do not reflect actual practice
  • Overcollection without legitimate purpose
  • No explanation of retention or deletion timeframes
  • No clear data-handling process
  • Opaque storage, security, and third-party disclosures
  • Policies written in technical language that is hard for consumers to understand

This is more than a compliance issue for business: it directly intersects with customer trust, brand integrity, and future regulatory exposure in broader Privacy Act reforms.

What Should Organisations Do Now? A Proactive Move to Reduce Compliance Risk

Senior leaders should view the 2026 sweep as an opportunity to test whether their organisation is genuinely operating in line with its stated privacy commitments.

For organisations seeking certainty ahead of January, ADAICO offers a Privacy Health Check designed specifically for environments where personal information is collected face-to-face.

It’s a concise, practical way to understand your exposure and ensure your organisation is not caught off-guard by the sweep or the reform trajectory that will follow.

The real question for leaders is simple: If the OAIC reviewed your privacy policy tomorrow, would it reflect what actually happens in your organisation? If not, now is the time to act.