The short version: Australia's privacy regulator now has real teeth, with infringement notices of up to $66,000 per contravention, and it has started using them. If you handle client financial data, your privacy policy is worth a fresh look.
The Office of the Australian Information Commissioner (OAIC) has shifted from polite guidance to active enforcement. It is running its first privacy compliance sweep, a targeted review of around 60 businesses' privacy policies, backed by the infringement-notice powers added by the 2024 Privacy Act amendments: up to $66,000 per contravention for a company that fails basic transparency obligations such as not having a compliant privacy policy (APP 1.3 and 1.4), with no court proceedings needed. The first sweep targets sectors that collect ID in person, but the direction is clear: a privacy policy that does not meet the standard now carries a price.
Why this matters for wealth firms
Wealth managers, financial planners and advice firms hold some of the most sensitive personal information going: tax file numbers, account details, identity documents and full portfolio histories. Almost all are comfortably over the $3 million annual turnover threshold that brings a business under the Privacy Act, and the government has agreed in principle to wind back the long-standing small-business exemption in the next tranche of reforms anyway. Add the new transparency rules for automated decision-making, which firms must reflect in their privacy policies by 10 December 2026, and "we'll tidy up the policy later" stops being a safe position.
What to check now
Start with the privacy policy itself. Does it clearly set out what personal information you collect and hold, how you collect and hold it, why you collect it, who it is shared with (including whether it goes to overseas recipients and, where practicable, which countries), how a client can access and correct it, and how they can complain and how that complaint will be handled? Those are the minimum contents APP 1.4 requires, so measure the policy against the OAIC's updated APP 1 guidance item by item. Then look at the practical side: where client data actually lives, who can reach it, and whether any automated or AI-assisted tools touch client decisions without being disclosed.
Lining your systems and documentation up with the Privacy Act, APRA and AUSTRAC is the unglamorous work that keeps regulators and insurers comfortable. See how we support Australian wealth and financial services firms.
