Privacy Action List for 2026
From the evolving list of global privacy laws to the Office of the Australian Information Commissioner’s (OAIC) more recent enforcement push, there’s plenty happening in privacy to keep Australian organisations on their toes. But our ongoing survey of the privacy landscape reveals some key themes in Australia and more broadly – because at the end of the day, many individuals want the same protections from privacy laws, regardless of where they live. Our Privacy Action List for 2026 focuses on the five pillars we have seen defining privacy lawmaking and enforcement in recent years: transparency, accountability, increasing user rights, AI governance, and data minimisation.
Tasks that should be on your Privacy Action List for 2026
Whether your organisation’s privacy ‘to-do’ list could use some focus and streamlining or you’re just getting started creating it, these privacy actions can have big results:
Ensure your Privacy Notice is up-to-date
The OAIC started its first ever ‘privacy compliance sweep’ this month – focusing on whether select businesses have compliant privacy policies. This sweep is targeting businesses that engage in in-person collection of personal information because the OAIC believes that this practice can involve power and information asymmetries. The categories of businesses being targeted include realtors, chemists and pharmacists, licensed venues, car rental companies, car dealerships, and pawnbrokers.
But even if your organisation isn’t currently being targeted by the OAIC’s privacy compliance sweep, it’s a good idea to review your privacy policy to ensure it’s up-to-date and in line with the requirements laid out in APP 1.
APP 1.4 outlines some information that covered organisations must include in their privacy policies:
- the kinds of personal information collected and held by the entity
- how and why personal information is collected and held
- how an individual may access and/or correct their personal information
- the complaint process for an organisation’s breach(es) of the APPs, and
- whether the entity is likely to disclose personal information to overseas recipients.
But your obligations extend beyond just including the required information; how you communicate those practices is also relevant. The OAIC states:
“At a minimum, a clearly expressed policy should be easy to understand (avoiding jargon, legalistic and in-house terms), easy to navigate, and only include information that is relevant to the management of personal information by the entity”
The OAIC recently updated its guidance covering this privacy principle. It’s a helpful starting point for any organisation reviewing its privacy notices.
Lift the maturity of your PIA process – and extend it to cover AI assessments
While Privacy Impact Assessments (PIAs) are often required as part of your broader compliance obligations, they’re not just a compliance checklist item. PIAs can be used liberally to help organisations understand the impact of a project on privacy, and to identify how to manage, mitigate, or reduce privacy risk.
PIAs can be used for everything from deciding whether to introduce new software or tools (even if they may seem benign or widely adopted, like generative AI tools) to assessing what should be included in your customer-facing forms.
For those organisations using AI, you can adopt a more mature privacy posture by including AI ethics assessments as part of your impact assessment process. Such an assessment should consider the potential privacy implications of adopting and implementing the AI, as well as whether the tech adoption is fair and explainable, and whether there’s a human with real oversight in the AI process (more on this in our privacy predictions for 2026, if you’re interested).
You can learn more about PIAs in the following resources:
- PIAs as a Business Tool
- 3 Tips for Better Privacy Impact Assessments
- Triggers for Conducting a Privacy Impact Assessment
- The AFP in Trouble Again for AI Use with no PIA
Check and update your data inventory
An accurate, dynamic data inventory is key to managing your privacy risks – and fundamental to any data minimisation effort. However, keeping your data inventory up-to-date can be one of those tasks that keeps getting pushed back. Your data handling processes should include regular audits and updates to your data inventory, so if yours is looking a little stale – consider yourself reminded.
Beyond checking that you know what information is being collected and where it’s stored, mature organisations will routinely confirm that it’s still necessary to collect that information and that retention and deletion rules have been identified for different data collections in the inventory.
Paring down the categories and volume of information you collect and store remains one of the most valuable changes your organisation can make. It reduces risk as well as the costs associated with collecting and storing information. Plus, if your organisation can avoid collecting and storing sensitive information, you can reduce the overall burden of technical security requirements – since the OAIC expects your security measures to reflect the sensitivity and volume of the data you collect. This can offer significant cost savings over time.
Review your access request / complaint handling procedures
Privacy access requests and complaints are both on the rise – in line with increasing general awareness of privacy rights. Your processes should be robust enough to handle them, and your frontline team should be trained on how to recognise them.
In terms of your processes for handling any access requests or complaints, time is of the essence. Organisations covered by the APPs generally have around 30 days to respond to an individual before the complainant can escalate that complaint to the OAIC. In our experience, most privacy complaints can easily be resolved at this stage using a standard workflow, or at least responded to in a meaningful way.
The OAIC’s Privacy Complaint Handling Process
The OAIC has published a process for managing privacy complaints. It hasn’t been updated since 2016, but it is a good starting point for organisations conducting this review. It suggests:
Step 1: Train frontline teams to recognise any inquiry about personal information as a “privacy complaint.” This should be a ‘catch-all’ so potential requests don’t fall through the cracks before being passed to your privacy professionals.
Step 2: Confirm the person is inquiring about their own information or is authorised to act on the individual’s behalf. You don’t want to provide an individual’s information to someone who isn’t authorised to receive it.
Step 3: Let your privacy team determine if the Privacy Act applies. If it doesn’t, handle the matter through your organisation’s regular complaint channels.
Step 4: Use a template to outline your next steps and provide contact details for the staff member handling the case. Ask the complainant what they hope the outcome will be.
Step 5: Consider whether your organisation failed to meet Australian legal obligations and if you can meet the complainant’s resolution requests (e.g., an apology, change in procedure, or compensation).
Step 6: Formally respond to the complainant and invite them to reply. Include an apology if you did not comply with your obligations under Australia’s privacy laws.
Step 7: If the complainant remains unsatisfied, refer them to your external dispute resolution scheme or the OAIC.
Step 8: Regardless of the reply, consider implementing changes to address the underlying issues, such as updated privacy training, internal policies, or notices.
Step 9: Securely store all information regarding the complaint, the investigation, and the final outcome.
Uplift your privacy maturity with Privacy 108
If your organisation needs help implementing more mature privacy practices this year, don’t hesitate to reach out for help. You can get started with an obligation-free 30-minute consultation to see how we can help. Email us at hello@privacy108.com.au or fill out our short form to get started.
If you’d like insights like this in your inbox bi-monthly, join our mailing list. We only need your first name and email address to add you – and you can unsubscribe at any time.