TL;DR: Australia’s privacy regulator has started a targeted compliance sweep reviewing whether privacy policies match real-world practices, with penalties of up to $66,000 for non-compliance and new automated decision-making disclosures due from December 10, 2026, according to OneTrust. Privacy governance now depends on operational evidence, not document quality alone.
NHIMG editorial — based on content published by OneTrust: OAIC’s Privacy Policy Sweep: How to Get Audit-Ready for Australia’s New Enforcement Era
By the numbers:
- From December 10, 2026, additional requirements will apply to how organizations disclose the use of automated decision-making in their privacy policies.
Questions worth separating out
Q: What breaks when a privacy policy does not match real-world data handling?
A: When policy and practice diverge, the organisation loses evidential credibility.
Q: Why do in-person collection processes create privacy enforcement risk?
A: In-person collection creates risk because individuals often cannot see the full data flow at the moment information is captured.
Q: How do organisations know if a privacy policy is actually working?
A: A privacy policy is working only when its claims can be verified in forms, workflows, system settings, and business procedures.
Practitioner guidance
- Audit privacy policy clauses against live workflows Compare policy statements with actual collection forms, consent journeys, retention settings, and complaint handling routes.
- Inventory automated decision-making paths Identify every system that uses personal information to influence eligibility, access, pricing, prioritisation, or profiling.
- Map data lifecycle ownership across teams Assign named owners for collection, storage, correction, overseas disclosure, retention, and deletion so policy updates can be traced to operational changes.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Practical guidance for aligning privacy policy language with real collection workflows, including consent and notice design.
- Examples of how to structure policy updates around automated decision-making disclosures before the 2026 requirement takes effect.
- Operational steps for mapping ownership across legal, privacy, IT, and business teams so policy changes remain auditable.
- Implementation detail on how OneTrust positions privacy automation across policy, data mapping, and governance workflows.
👉 Read OneTrust's analysis of the OAIC privacy policy sweep and audit readiness →
OAIC privacy policy sweep: what compliance teams need to fix now?
Explore further
Policy-to-practice drift is now a privacy control failure, not a documentation issue. The OAIC sweep shows that regulators are testing whether privacy statements describe the real operating model, especially where collection happens in person and individuals have limited visibility. That shifts accountability from legal review alone to joint ownership across legal, operations, and technology teams. Practitioners should treat the policy as a control surface, not a brochure.
A question worth separating out:
Q: Who is accountable when automated decision-making disclosures are incomplete?
A: Accountability usually spans legal, privacy, product, data, and system owners because the disclosure problem is created by both governance and design. Organisations need a named owner for each automated decision pathway, plus review controls that ensure the policy reflects current data use and decision impact.
👉 Read our full editorial: Australia’s privacy policy sweep exposes the policy-practice gap