Compliance | 24 February 2026

Board-Level Accountability for Data Privacy in 2026

In 2026 the OAIC can pursue civil penalties against individuals, including directors, for privacy failures at their organisations. Here's what boards need to know and what questions to ask.

In 2026 the OAIC has broader enforcement powers than ever before, including the ability to seek civil penalties (imposed by the Federal Court on the Commissioner's application) against individuals who are involved in privacy contraventions at their organisations, directors included. Here's what boards need to know and what questions they should be asking management.

The regulatory shift

The Privacy and Other Legislation Amendment Act 2024 introduced several significant changes. Most commenced between Royal Assent in December 2024 and mid-2025, with the transparency obligations for automated decision-making to follow in December 2026. Together with the penalty increases of the 2022 amendments, the picture is now:

  • Higher civil penalties for serious interferences with privacy (for bodies corporate the greater of $50m, three times the benefit obtained, or 30% of adjusted turnover; up to $2.5m for individuals), introduced by the 2022 amendments
  • A statutory tort for serious invasions of privacy (from 10 June 2025), giving individuals a direct cause of action in court
  • Expanded OAIC powers, including broader investigation powers, public inquiries, and infringement notices for administrative breaches
  • New "mid-tier" and "low-tier" civil penalties for interferences that fall short of "serious", so enforcement no longer depends on clearing the highest bar
  • A clearer pathway to personal liability for individuals, including directors, who are knowingly involved in wilful or reckless non-compliance, pursued through the same civil penalty regime

Boards that treated privacy as a "management issue" can no longer do so safely. It's now firmly a board-level governance topic.

The five questions boards should ask

1. What personal information do we hold, where is it stored, and who has access? If management can't answer this clearly, the board has a problem. The inventory is the foundation of everything else.

2. What's our mandatory breach notification readiness? If a suspected eligible data breach happened today, could we complete the assessment within the 30 days the NDB scheme allows, and notify the OAIC and affected individuals as soon as practicable once the breach is confirmed? Who makes the call? What's the escalation process?

3. How are we monitoring for breaches? Commonly cited industry studies put the average time to identify a breach at more than 200 days. What is our own figure, and what are we doing to reduce it?

4. What's our third-party risk posture? A significant share of reported breaches originate with vendors, contractors, or cloud providers. How are we assessing them before onboarding, and how are we monitoring them afterwards?

5. When was our last privacy program review? Privacy programs need regular updates as the business and the regulation evolve. Annual reviews are the minimum.

What boards should document

If there's ever an enforcement action or legal proceeding, the board's defence will hinge on being able to demonstrate active, informed oversight of privacy. That means:

  • Board minutes showing privacy discussion at least annually
  • Risk appetite statements that explicitly address data privacy
  • Approved policies on data handling, breach response, and third-party management
  • Evidence of management reporting against privacy KPIs
  • Approved budget for privacy and cyber security capability

The director liability risk

The practical reality is that individual director liability under the amended Privacy Act is an extreme outcome reserved for egregious failures. But the exposure is real, and the defence requires the same rigour as any other governance matter. Directors who want to sleep soundly should ensure privacy is on the agenda, management is held accountable, and the evidence of oversight is documented.