
When the OAIC announced its upcoming privacy compliance sweep, one detail stood out: the regulator will be examining whether organisations comply with APP 1.4, the section of the Privacy Act that governs what must be disclosed in a privacy policy.

(Read the announcement here: https://www.oaic.gov.au/news/media-centre/privacy-compliance-sweep-to-put-privacy-policies-under-the-spotlight)

For many businesses, this will be the most significant data privacy compliance challenge they’ve faced in years.

APP 1.4 in Plain English

APP 1.4 requires every organisation covered by the Privacy Act to make certain information clearly available, usually through a privacy policy.

This includes:

  • What personal information you collect
  • How and why you collect it
  • How you store and protect it
  • How individuals can access or correct their data
  • Whether you share it with third parties
  • Whether the information is optional or mandatory
  • How a consumer can make a complaint

For transparency and informed consent, APP 1.4 is the backbone of the entire Privacy Act.

Do Most Privacy Policies Meet APP 1.4 Standards?

Short answer: no.

Common problems include:

  • Missing or incomplete information
  • Outdated policies not aligned with current practices
  • No explanation of in-person collection
  • Technical or legal jargon that confuses customers
  • No mention of optional vs mandatory disclosures

The OAIC has made it clear: being opaque is no longer acceptable.

In practice, many privacy policies fall short of this standard. They may be technically correct but too generic to reflect what staff are actually doing day-to-day. Others have not been updated in years and no longer align with the organisation’s products, services, or collection methods.

Some are written in complex legal language that obscures rather than clarifies an organisation’s practices. And in many cases, there is simply no mention of in-person data collection at all—even when staff routinely collect identity information, contact details, or other personal information during face-to-face interactions.

The OAIC’s focus on APP 1.4 shows how central transparency has become to consumer protection. The regulator’s concern is not only what businesses collect but whether customers are given enough information to make an informed decision about providing that data.

When someone is asked for their details in person—at a reception desk, during a property inspection, at a pharmacy counter—they may not feel comfortable questioning the request. Without clear information, consent becomes a formality rather than a choice.

This is why businesses need to ensure their policies and practices tell the same story. If the privacy policy says one thing but staff are doing something else, the organisation is exposed to unnecessary risk. The January sweep will likely reveal just how widespread these inconsistencies are.

How to Strengthen Your APP 1.4 Compliance

Improving APP 1.4 compliance doesn’t have to mean starting from scratch. Often, it simply requires rewriting policies in more accessible language, adding clarity around why information is collected, and documenting in-person interactions that previously went unacknowledged.

Staff awareness is equally important. Frontline teams should understand the reasons behind the data they collect and be able to explain those reasons confidently and consistently.

How de.iterate Helps

This is where de.iterate provides value. For organisations that lack internal privacy expertise, de.iterate offers a guided pathway to compliance that fits within operational budgets.

At $99 per month, businesses can modernise their privacy policies, structure their internal practices, and ensure they are better aligned with both the letter and the spirit of APP 1.4.

The January sweep is a reminder that transparency is not just a legal requirement. It is a foundation of customer trust. Businesses that invest in it now will be better positioned for the broader Privacy Act reforms that lie ahead.

Learn more about how de.iterate can help: https://deiterate.com/privacy-acts/
