What Has Changed in the Privacy Act?

The Privacy and Other Legislation Amendment Act 2024 introduced a series of significant changes that took effect progressively from late 2024. The reforms follow the Attorney-General's Department review of the Privacy Act and represent the most substantial update since the Notifiable Data Breaches scheme was introduced in 2018.

The key changes relevant to Melbourne SMBs are:

Penalties dramatically increased

The maximum penalty for serious or repeated Privacy Act breaches has increased to the greater of $50 million, three times the benefit obtained, or 30% of the company's adjusted turnover. For serious breaches, the OAIC now has direct civil penalty powers without needing to go through the courts.

Small business exemption being wound back

Currently, businesses with annual turnover under $3 million are exempt from most Privacy Act obligations. This exemption is being wound back — particularly for businesses that handle health information, trade in personal information, or provide services to the government. Many Melbourne SMBs that previously assumed they were exempt may no longer be.

Strengthened security obligation

The existing obligation to take "reasonable steps" to protect personal information has been strengthened. Businesses must now implement security measures proportionate to the sensitivity and volume of personal information they hold. The OAIC has signalled that "reasonable steps" increasingly means implementing recognised frameworks like the ACSC Essential Eight.

Tighter breach notification timeframes

Under the Notifiable Data Breaches scheme, organisations must notify the OAIC and affected individuals as soon as practicable — and no later than 30 days after becoming aware of an eligible data breach. The reforms have strengthened enforcement of this timeframe, with the OAIC increasingly pursuing organisations that delay notification.

New individual rights

Individuals now have a direct right of action against organisations for Privacy Act breaches — meaning they can sue without first going through the OAIC. A new statutory tort for serious invasions of privacy is also being introduced, creating additional exposure for organisations that mishandle personal data.

Does This Apply to Your Melbourne Business?

If your business handles personal information — and almost every business does — you need to understand your obligations. Here's a quick guide:

Business type                      | Likely applies?
-----------------------------------|---------------------------------------------
Accounting / bookkeeping firm      | Yes — financial and tax information
Law firm                           | Yes — legal and personal information
Medical / allied health practice   | Yes — health information (always covered)
Real estate agency                 | Yes — tenant and buyer personal data
Pharmacy                           | Yes — health and medication information
Any business with $3M+ turnover    | Yes — full Privacy Act obligations

Note: Health information is always covered regardless of business size or turnover.

What Your IT Environment Needs to Comply

Privacy Act compliance isn't just a legal exercise — it requires specific IT controls. The OAIC's guidance and recent enforcement actions make clear that "reasonable steps" now means concrete, documented, technical measures. Here's what your IT environment needs:

01  Data Inventory — Know What You Hold and Where It Is

You cannot protect what you don't know you have. A data inventory maps what personal information your business holds, where it's stored (email, SharePoint, practice management software, shared drives), who has access, and how long you retain it. This is the foundation of Privacy Act compliance and increasingly required for cyber insurance.

02  Access Controls — Minimum Necessary Access

Staff should only have access to the personal information they need for their role. Shared logins, broad SharePoint permissions, and unrestricted access to client databases all increase your Privacy Act exposure. Review and restrict access in Microsoft 365, your practice management software, and any cloud applications that hold personal information.

03  Encryption — At Rest and In Transit

Personal information should be encrypted both at rest (on devices and in cloud storage) and in transit (when sent by email or over the network). BitLocker for Windows devices, Azure Information Protection for sensitive documents, and enforced TLS for email are the baseline. This is particularly critical for laptops and mobile devices that can be lost or stolen.

04  Multi-Factor Authentication

A compromised account that exposes personal information is an eligible data breach under the NDB scheme. MFA prevents the vast majority of account compromises. The OAIC has indicated in enforcement guidance that failure to implement MFA on accounts with access to personal information is increasingly considered a failure to take "reasonable steps."

05  Audit Logging — Know When Data Is Accessed

To meet the 30-day notification requirement, you need to be able to detect a breach quickly. Unified audit logging in Microsoft 365 records every access to email, files, and SharePoint — giving you the forensic trail to determine what data was accessed, when, and by whom. Without logging, you may not know a breach has occurred until it's too late.

06  Data Retention & Disposal Policy

The Privacy Act requires that personal information is not retained longer than necessary. A documented retention policy — and the technical means to enforce it — is now part of compliance. Microsoft Purview (included in M365 Business Premium) provides retention policies, labels, and automated disposal for email and SharePoint content.

07  Incident Response Plan with OAIC Notification Procedure

When a breach occurs, you have 30 days to notify. Your incident response plan must include: how to identify an eligible data breach, who is responsible for making the notification decision, how to notify affected individuals, and how to submit a report to the OAIC. This plan should be documented, tested, and known to relevant staff.
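The audit-logging and incident-response steps above come together at the point where you have to decide whether a suspected compromise is an eligible data breach. The following Python is an added illustration, not code from the original page: it triages a small constructed set of records shaped like a Microsoft 365 unified audit log export to answer what was accessed, when, by whom and from where, and computes the notification deadline from the date you became aware. The field names are real unified audit log fields; the accounts, file paths and IP addresses are made up.

```python
import json
from datetime import date, timedelta

# Constructed sample records shaped like a Microsoft 365 unified audit log
# export. The field names (CreationTime, Operation, UserId, Workload, ClientIP,
# ObjectId) are real UAL fields; every value below is invented for this example.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-03-02T01:10:33", "Operation": "UserLoggedIn",
     "UserId": "alex@example-firm.invalid", "Workload": "AzureActiveDirectory",
     "ClientIP": "203.0.113.44", "ObjectId": "Unknown"},
    {"CreationTime": "2025-03-02T01:12:05", "Operation": "FileDownloaded",
     "UserId": "alex@example-firm.invalid", "Workload": "SharePoint",
     "ClientIP": "203.0.113.44",
     "ObjectId": "https://example-firm.invalid/sites/clients/TaxReturn-JSmith.pdf"},
    {"CreationTime": "2025-03-02T01:14:40", "Operation": "MailItemsAccessed",
     "UserId": "alex@example-firm.invalid", "Workload": "Exchange",
     "ClientIP": "203.0.113.44", "ObjectId": "alex@example-firm.invalid (mailbox)"},
    {"CreationTime": "2025-03-02T09:01:12", "Operation": "FileAccessed",
     "UserId": "priya@example-firm.invalid", "Workload": "SharePoint",
     "ClientIP": "198.51.100.7",
     "ObjectId": "https://example-firm.invalid/sites/clients/Lease-Unit4.docx"},
]

# Operations that read or export content. A login alone does not tell you
# whether personal information was accessed; these operations do.
DATA_ACCESS_OPS = {"FileAccessed", "FileDownloaded", "FileCopied", "MailItemsAccessed"}


def scope_breach(records, suspect_ips):
    """Per account: what was accessed, from which suspect IPs, and the first and
    last access time. Timestamps share one ISO format, so string order is time order."""
    summary = {}
    for rec in records:
        if rec["Operation"] not in DATA_ACCESS_OPS or rec["ClientIP"] not in suspect_ips:
            continue
        e = summary.setdefault(rec["UserId"], {"objects": set(), "ips": set(),
                                               "first": None, "last": None})
        e["objects"].add(rec["ObjectId"])
        e["ips"].add(rec["ClientIP"])
        ts = rec["CreationTime"]
        e["first"] = ts if e["first"] is None or ts < e["first"] else e["first"]
        e["last"] = ts if e["last"] is None or ts > e["last"] else e["last"]
    # Sorted lists give a stable report that can be attached to the assessment.
    return {u: {"objects": sorted(e["objects"]), "ips": sorted(e["ips"]),
                "first": e["first"], "last": e["last"]} for u, e in summary.items()}


def notification_deadline(aware_on_iso):
    """Latest notification date under the 30-day timeframe cited above (ISO date in and out)."""
    return (date.fromisoformat(aware_on_iso) + timedelta(days=30)).isoformat()


if __name__ == "__main__":
    print(json.dumps(scope_breach(SAMPLE_RECORDS, {"203.0.113.44"}), indent=2))
    print("Notify OAIC no later than:", notification_deadline("2025-03-03"))
```

On a real export, load the AuditData JSON of each row into the same dictionary shape and pass the IP addresses flagged by your sign-in review as the suspect set.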

The Essential Eight and Privacy Act compliance
The ACSC Essential Eight, when implemented at Maturity Level 2, directly addresses most of the technical requirements for Privacy Act compliance — particularly around access control, patching, MFA, and backups. Businesses that have achieved Essential Eight ML2 are well-positioned to demonstrate "reasonable steps" to the OAIC. Read our Essential Eight compliance guide for the full picture.

What to Do Now

Privacy Act compliance isn't something to address after a breach — the time to act is before one occurs. The OAIC has made clear that its enforcement approach is moving from education to action, with several high-profile investigations and determinations already issued against Australian businesses of all sizes.

Three practical steps you can take immediately:

1. Assess your current exposure — Map what personal information you hold, where it is, and who has access. This doesn't need to be a lengthy exercise; a two-hour workshop with your IT provider can cover the essentials for most SMBs.

2. Close the obvious gaps first — Enable MFA, enable audit logging, review SharePoint permissions, and ensure devices are encrypted. These are low-cost, high-impact controls that immediately reduce your breach risk and demonstrate "reasonable steps."

3. Document your response plan — A one-page incident response plan that covers detection, assessment, notification, and review is far better than nothing. Your IT provider can help you draft one tailored to your business.

At Melbits, we help Melbourne businesses understand and meet their Privacy Act obligations from an IT perspective. We're not lawyers — for specific legal advice you should consult a privacy law specialist — but we can ensure your IT environment has the technical controls in place to support compliance. Contact us for a free initial consultation.