The Privacy Act 1988 is undergoing the most significant reform of its lifetime. Some changes are already in force; others are progressing through Parliament and consultation. The practical takeaway for Australian businesses is the same regardless of timing: privacy maturity is no longer optional, and what was acceptable five years ago will not be acceptable five years from now.
What is changing
The Privacy Act reform programme is broad. The themes that matter most to typical Australian businesses are these:
- Removal or narrowing of the small business exemption. Many small businesses (under $3M turnover) have historically been outside the Privacy Act. The trajectory is for that exemption to be substantially narrowed or removed, bringing far more businesses inside the regulatory perimeter.
- Statutory tort for serious invasions of privacy. A standalone right for individuals to sue for serious invasions of privacy, with the courts able to award damages.
- Enhanced enforcement powers. The OAIC has gained, and is expected to continue gaining, stronger investigative and enforcement powers, including significantly higher civil penalties.
- Children’s privacy. Stronger protections for personal information of children, including the prospect of a Children’s Online Privacy Code.
- Automated decision-making. Transparency obligations where personal information is used in substantially automated decisions affecting individuals.
- Direct right of action. The ability for individuals to bring matters directly, in addition to (or beyond) OAIC complaints.
What this means in practice
You need to know what personal information you hold. The single most useful artefact a business can produce is a current, accurate data inventory: what personal information you hold, where it is stored, how it is used, who it is shared with, and how long it is kept. Most Australian businesses do not have this. Building it is the precondition for almost every other obligation.
Privacy by design becomes operational. Privacy can no longer sit only in a policy on a website. Decisions about new systems, new vendors, and new uses of data need a privacy lens applied at design time, with documented assessment.
Vendor and third-party management matters more. Liability for breaches by your processors does not transfer to them by virtue of a contract clause. Diligence at onboarding and throughout the relationship is required.
Notifiable Data Breach response capability will be tested. The threshold for notification, and the speed at which notification is expected, are not getting easier.
Where to start if you are behind
- Appoint a Privacy Officer or equivalent. Someone accountable, named in your privacy policy, and reachable.
- Build a data inventory. A spreadsheet is fine to start. The format matters less than its existence and accuracy.
- Update your Privacy Policy. Plain language. Specific. Updated when practices change.
- Review your top ten vendors. Where do they process personal information, under what terms, and where is the data stored?
- Run a Privacy Impact Assessment on any system or initiative involving substantial personal information — particularly automated decision-making and AI.
How this connects to ISO 27001 and AI governance
Privacy reform, ISO 27001, and the emerging AI governance frameworks (notably ISO 42001) all converge on the same operational backbone: knowing what data you have, why you have it, how it is protected, and who is accountable. Organisations that build that backbone once tend to find each successive obligation cheaper to comply with than the last.
If you would like a privacy maturity assessment that maps your current state against the reformed Privacy Act and produces a prioritised plan, we can help.