The $66,000 Fine You Never Saw Coming: OAIC Enforcement and What It Means for Martial Arts Club Owners
You Do Not Need to Be Hacked to Get Fined

Most martial arts club owners, when they think about data risk, imagine a hacker. A shadowy figure somewhere overseas breaking into their member database and stealing contact details. The imagined threat is dramatic — a major attack, a newsworthy breach, the kind of incident that happens to big companies, not a local dojo.
What very few club owners realise is that the Office of the Australian Information Commissioner (OAIC) can issue an infringement notice of up to $66,000 against your business without a single hacker being involved. No breach. No stolen data. No dramatic IT incident. Just a compliance sweep, a quick review of your operations, and the discovery that you are not meeting your basic obligations under the Australian Privacy Principles (APPs).
That is the reality of enforcement in 2026. The OAIC has expanded powers, new investigative tools, and a clear mandate to actively audit businesses that collect health data. Martial arts clubs, gyms, and fitness studios are directly in their scope.
Who the OAIC Is and Why They Matter Now
The OAIC is Australia's independent regulator for privacy law. For most of its existence, it operated primarily as an advisory body — educating businesses about their obligations, handling complaints, and providing guidance. The enforcement teeth were there in the legislation, but they were rarely used against small businesses.
That phase is over. Following a series of high-profile data breaches in Australia — including Optus, Medibank, and Latitude Financial — the government significantly strengthened the OAIC's enforcement powers through legislative amendments in 2024 and 2025. The OAIC now has a "new toolkit" that enables graduated enforcement actions, ranging from instant fines to full Federal Court proceedings.
The Enforcement Pyramid: From Warning to $50 Million
Think of OAIC enforcement as a pyramid. At the base are minor compliance failures that attract relatively modest consequences. As you move up the pyramid, the violations become more serious and the penalties become dramatically larger.
Level One: Infringement Notices ($66,000)
For foundational compliance failures, such as failing to have a visible privacy policy, not telling members what their data will be used for, or not providing a process for members to access their own information, the OAIC can issue an infringement notice of up to $66,000 for a body corporate. No court. No lengthy investigation. Just a notice and a deadline to pay (you can elect to contest it in court, but paying discharges the matter).
This is the level that catches most small fitness businesses by surprise, because the violation does not require anything dramatic. If your club collects health information on intake forms but does not have an APP-compliant privacy policy publicly available, you are potentially looking at a $66,000 fine the moment an OAIC compliance sweep lands on you.
Level Two: Compliance Notices and Enforceable Undertakings
At the next level, the OAIC can issue compliance notices that legally compel your business to take (or stop taking) specific actions. They can order you to delete member records, stop using a particular piece of software, or implement specific security measures. Failing to comply with a compliance notice is itself a separate offence.
Enforceable undertakings are a step further: your club publicly admits the failure and commits to spending a specified amount — often hundreds of thousands of dollars — on audits, systems upgrades, and staff training. These are public documents, accessible by anyone, which creates significant reputational risk for the business and its owners.
Level Three: Federal Court Civil Penalties — Up to $50 Million
For serious or repeated interferences with privacy, including incidents where a hacker got in because basic security measures like multi-factor authentication (MFA) were not in place, the OAIC can pursue civil penalties in the Federal Court. The maximum for a corporation is the greater of $50 million, three times the benefit obtained from the breach, or 30% of the business's adjusted turnover during the breach period. For an individual, including a director, the maximum personal penalty is $2.5 million.
It is worth emphasising: these are not criminal penalties. They are civil. But they are designed to be business-ending for negligent operators, and the courts have shown willingness to impose substantial amounts.
Commissioner-Initiated Investigations: The Random Audit
Something club owners often miss is that the OAIC does not need someone to complain before it investigates. The Commissioner can open an investigation on the OAIC's own initiative, which in practice means targeted audits of sectors it has identified as high-risk for data handling.
The fitness and wellness industry is explicitly on that radar. The OAIC can identify 50 gyms or martial arts clubs, send each a formal notice demanding documentation of its data practices, and begin an investigation without any complaint having been lodged. If it finds you storing member medical notes in an unencrypted spreadsheet, or discovers that no one at your club knows what MFA is, it can act immediately.
Three Scenarios That Are Happening Right Now
Here are three realistic enforcement scenarios based on the OAIC's 2026 powers:
• A martial arts club collects health screening waivers at sign-up but has no privacy policy on its website. During a compliance sweep, the OAIC issues a $66,000 infringement notice for failing to meet APP 1 (open and transparent management of personal information).
• A gym's staff member clicks a phishing link, and a hacker accesses the member portal. The gym owner decides not to report it. Two months later, a member finds their data on the dark web and reports it to the OAIC. The owner is found to have known about the breach and failed to notify the OAIC and affected members as soon as practicable under the Notifiable Data Breaches scheme (the scheme allows up to 30 days to assess a suspected breach, not 30 days to sit on a known one). The OAIC pursues Federal Court action for serious or repeated interference with privacy.
• A boutique fitness studio uses a US-based booking platform without disclosing in its privacy policy that member data is stored overseas (APP 1 requires the policy to say whether personal information is likely to be sent overseas, and APP 8 governs the disclosure itself). When asked by the OAIC during a routine audit where member data is stored, the owner is unable to answer. A compliance notice is issued, requiring immediate policy updates and a comprehensive data audit at the business's expense.
What This Means for Your Insurance
Regulatory defence costs — the money you spend on lawyers when the OAIC comes knocking — are not covered by your public liability policy. They are covered by a standalone cyber insurance policy that includes regulatory defence as a component of cover.
At MAA Insurance Services, we help martial arts and fitness businesses put in place both the insurance protection and the practical compliance steps that reduce their exposure. The cost of preparation is a fraction of the cost of response.
Do not wait for a compliance sweep to land on your doorstep. Contact us today to understand where your business stands and what cover you need.
- Ransomware & cyber extortion
- OAIC fines & privacy breach cover
- Data recovery & system restoration
- Member litigation defence costs
- 1 hour of free security training included