
What the Australian Privacy Act Means for Your Business Right Now

The Australian Privacy Act 1988 is one of the most misunderstood pieces of legislation affecting Australian businesses. Most organisations believe they either clearly fall under it or clearly do not. The reality is more nuanced — and the consequences of getting it wrong have grown significantly since the 2022 and 2024 amendments.

This article explains who the Act applies to, what it actually requires, where most organisations fall short, and what you should be doing about it now.

Key Points

  • The Privacy Act applies to organisations with an annual turnover above $3 million — and many smaller organisations
  • Maximum penalties increased to $50 million (or more) following the 2022 amendments
  • Notifiable Data Breaches scheme requires mandatory reporting within 30 days
  • A privacy policy is required — but most published policies do not meet the minimum standard
  • Third-party data sharing obligations are the most commonly overlooked compliance gap

Who Does the Privacy Act Apply To?

The Act applies to Australian Government agencies and to private sector organisations that meet at least one of the following criteria. You are covered if your annual turnover exceeds $3 million. You are also covered regardless of turnover if you provide health services, trade in personal information, are a contractor to the Commonwealth, operate a residential tenancy database, or are a credit reporting body.

Critically, the $3 million threshold is assessed annually. An organisation that was below the threshold last year may now be covered. Many organisations that grew during COVID-era expansion have never revisited whether they now fall within scope.

Important: Even organisations below the $3 million threshold may have voluntarily opted in to Privacy Act coverage through their contractual arrangements with government or enterprise clients. If your contracts include privacy obligations, you are effectively bound by the Act regardless of your turnover.

What Are the Australian Privacy Principles?

The Act is given practical effect through 13 Australian Privacy Principles (APPs). These are not aspirational guidelines — they are legal obligations. The most commonly breached principles in small and medium organisations are as follows.

APP 1 — Open and Transparent Management of Personal Information

You must have a clearly expressed and up-to-date privacy policy that is freely available. The policy must explain what personal information you collect, why you collect it, how you store it, who you share it with, and how individuals can access or correct their information. Most published privacy policies fail on at least two of these requirements.

APP 3 — Collection of Solicited Personal Information

You may only collect personal information that is reasonably necessary for your functions or activities. If you collect information through a contact form, newsletter subscription, or assessment intake form, you must be able to justify why each field is necessary. Many organisations collect far more than they need and have no documented justification for doing so.

APP 5 — Notification of Collection

At or before the time of collection, you must notify individuals of the key facts about how their information will be used. A privacy policy link buried in a footer does not satisfy this requirement. The notification must be brought to the individual's attention at the point of collection.

APP 8 — Cross-Border Disclosure

If you disclose personal information to an overseas recipient, you remain accountable for how that recipient handles the information. Many organisations using US-based SaaS tools (CRMs, marketing platforms, analytics tools) are technically disclosing personal information overseas without having assessed the privacy implications or disclosed this to their customers.

The Notifiable Data Breaches Scheme

Since 2018, covered entities have been required to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs. An eligible data breach is one that is likely to result in serious harm to any individual whose information was involved.

The notification must occur as soon as practicable and within 30 days of becoming aware that a breach has occurred or is likely to have occurred. This is a hard deadline. Failure to notify within 30 days is itself a breach of the Act, separate from the breach that triggered the obligation.

2022 Amendments: Penalties Increased Significantly

Following the Optus and Medibank breaches in 2022, the maximum penalty for a serious or repeated privacy breach was increased from $2.22 million to the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30% of the organisation's adjusted turnover in the relevant period. These are not theoretical maximums — the OAIC has increased enforcement activity and is actively pursuing non-compliant entities.

Where Most Organisations Fall Short

In conducting privacy compliance assessments, the same gaps appear consistently across organisations of all sizes. The following are the most common failures observed from a passive, publicly observable assessment alone.

  • Privacy policy does not disclose all third-party data recipients, including analytics platforms, advertising networks, and CRM providers
  • No notification mechanism at point of collection — just a footer link
  • Privacy policy last updated more than two years ago and does not reflect current technology stack
  • Website deploys tracking scripts (Meta Pixel, Google Analytics, LinkedIn Insight Tag) without disclosing these in the privacy policy
  • Cross-border data transfers to US-based SaaS providers not disclosed or assessed
  • No documented data retention policy or process for handling access and correction requests
  • No incident response plan covering data breach identification, assessment, and notification obligations

What You Should Do Now

If you have not reviewed your privacy obligations in the past 12 months, the following actions should be prioritised.

First, confirm whether the Act applies to your organisation. If your turnover is approaching $3 million or you handle health information or government data, you need to assess your coverage now rather than after a breach occurs.

Second, review your privacy policy against the APP 1 requirements. It must name every category of personal information you collect, every purpose for which you collect it, and every type of organisation or individual you share it with. If your policy was drafted by a generic template generator, it almost certainly does not meet this standard.

Third, audit your technology stack for cross-border data flows. Every third-party script on your website, every SaaS tool you use, and every cloud platform you store data on is potentially a cross-border disclosure that requires assessment and disclosure.

Fourth, establish a data breach response process. You do not need to wait for a breach to occur to prepare your response. A documented process for identifying, assessing, containing, and notifying breaches is both a legal requirement and a practical necessity.
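As an added illustration of the third step (auditing third-party scripts for undisclosed disclosures), the following script is not part of the original article or of BlackFlag Advisory's own tooling. It parses a page's HTML, lists every third-party script host, maps known tracker hosts to the products named above (a hypothetical mapping you would extend for your own stack), and checks whether each one is mentioned in your privacy policy text. The HTML and policy excerpt are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical mapping of script hosts to the tracking products the article names.
# Extend this for the analytics, advertising and CRM loaders your site actually uses.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "snap.licdn.com": "LinkedIn Insight Tag",
}

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)

def third_party_hosts(html, site_host):
    """Return the set of script hosts that are not the site's own host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).netloc.lower()
        if host and host != site_host:    # relative paths have no netloc
            hosts.add(host)
    return hosts

def undisclosed_trackers(html, site_host, policy_text):
    """Map each third-party host to (product, disclosed-in-policy?)."""
    policy = policy_text.lower()
    findings = {}
    for host in third_party_hosts(html, site_host):
        product = KNOWN_TRACKERS.get(host, host)
        disclosed = product.lower() in policy or host in policy
        findings[host] = (product, disclosed)
    return findings

# Constructed sample page and policy excerpt (not from any real site).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body></body></html>"""
SAMPLE_POLICY = "We use Google Tag Manager and Google Analytics to measure site usage."
```

This only inspects static HTML; loaders injected at runtime by a tag manager will not appear, so a full audit also reviews the network requests recorded in the browser's developer tools.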

BlackFlag Advisory Note: A passive OSINT privacy assessment conducted by BlackFlag Advisory will identify the observable compliance gaps on your public-facing presence — including undisclosed tracking scripts, cross-border data transfers, and privacy policy deficiencies — without accessing any of your internal systems. The resulting report maps findings against the relevant Australian Privacy Principles and provides a prioritised remediation roadmap.

The Bottom Line

The Australian Privacy Act is not a compliance checkbox. It is a legal framework that imposes specific obligations on how you collect, use, store, and disclose personal information. With penalty thresholds now in the tens of millions and the OAIC increasingly active, the cost of non-compliance has moved well beyond reputational risk.

The organisations that will be best positioned are those that treat privacy as an operational discipline rather than a legal formality. That means having current, accurate documentation; transparent practices; and a tested response process before a breach occurs rather than after.

If you are unsure whether your organisation is compliant, the honest answer is that you probably are not — and a structured assessment is the fastest way to find out exactly where you stand.

Ready to Assess Your Privacy Compliance?

Submit your domain and we will assess your observable privacy compliance posture against the Australian Privacy Principles — identifying gaps in your public-facing presence before a regulator or breach does it for you.

What You Receive

A structured assessment report mapping observable privacy compliance gaps to the relevant Australian Privacy Principles, with a prioritised remediation roadmap and Board-level executive summary. Delivered within 5 business days.