
Changes to the Privacy Act – Coming soon to a board room near you!

Changes to the Australian Privacy Act are on their way!

Here is how they will affect your IT Security, Data Protection & Automation decisions in 2025.

At long last, “the first tranche” of changes to the Australian Privacy Act (Cth) 1988 was tabled in Parliament in September 2024. Although fewer in number than expected, the first-round reforms tabled are the first steps in updating the baseline privacy provisions for businesses and the privacy rights of individuals.

The Privacy Act is crucial for shaping a business’s approach to cybersecurity. It mandates that businesses implement adequate security measures to protect personal information, thereby preventing data breaches and building consumer trust. By integrating privacy and data requirements into cybersecurity strategies, businesses can better protect sensitive information and reduce the risk of penalties.

The Australian Government has been working on changes to the Privacy Act 1988 since the reform process was first announced in 2020. The first tranche of reforms, introduced recently as the Privacy and Other Legislation Amendment Bill 2024, includes several key changes that aim to enhance privacy protections and align Australia’s privacy laws with global standards.

Summarised below are the first-round reforms expected to come into effect by mid-2025.

Greater Compliance Requirements: Businesses will need to update their privacy policies and data handling practices.

Ensured transparency in Automated Decision-Making: Organisations must disclose publicly how personal information is used in automated decisions.

Tightened Children’s Privacy Protections: Stricter rules on the collection and use of children’s data. Small businesses and those handling children’s data will face stricter rules.

Enhanced Enforcement Powers: The Office of the Australian Information Commissioner (OAIC) will have greater authority to investigate and enforce privacy laws and compliance.

Increased Penalties: Tiered penalties mean even minor breaches can result in significant fines.

Statutory Tort for Privacy Invasions: Individuals can sue for serious invasions of privacy.

Criminalisation of Doxing: Publishing private information with malicious intent will be a criminal offence.

Mid-2025 might feel a way away at this point, but it will come around fast. Here’s our guide to getting started now to ensure you’re ready by this date:

  • Get expert strategic advice: You’ll need to get various types of expert advice – legal, compliance, IT, HR and insurance advice on how the new requirements will affect your organisation. Then you’ll need to bring it all together in a sustainable and consistent approach to ensure you can meet and maintain these new statutory requirements, as well as the ones yet to come!
  • Conduct a comprehensive Risk Assessment: Identify privacy, security and data risks and develop mitigation strategies.
  • Implement stronger IT and data security measures: Implement robust IT and data protection measures and conduct regular audits.
  • Implement well controlled data management practices: Establish clear data retention and destruction policies.
  • Update policies and procedures: Update these organisation-wide, including management, IT, HR and customer service departments, to ensure transparency and compliance with new regulations.
  • Review and update supply-chain contracts: Ensure third-party agreements comply with your IT, data and privacy standards.
  • Prepare for data breach notifications: Develop a comprehensive data breach response plan.
  • Inform, educate and train your staff: Educate staff on new privacy requirements and best practices.
  • Monitor legislative updates: Stay informed about further changes and leverage your strategic advisors for guidance to adapt quickly.

Planning and preparation are key, as is working with the right strategic partners. Your Managed IT Services Provider (MSP) can and must play an integral role in supporting you to identify and assess your risk factors, review your environment, and identify where IT and security improvements can drive compliance.

As an ISO-certified MSP that delivers NIST CSF 2.0-aligned strategic advice and project services, Maxsum will assist you with:

Compliance and Risk Management: Expert guidance on regulatory requirements and risk assessments.

Data Security and Protection: Implementation of advanced security measures and continuous monitoring.

Policy and Procedure Updates: Support in updating privacy policies and ensuring IT systems align with new regulations.

Incident Response and Management: Development of data breach response plans and real-time incident detection and response.

Automated Technology Solutions: Provision of automated monitoring compliance tools and robust data management practices.

Third-Party Management: Assessment of third-party vendors’ IT security measures and contract management.

Continuous Improvement: Regular audits and adaptation to new privacy requirements.

Australian organisations of all sizes will be affected by the incoming changes delivered via the Privacy and Other Legislation Amendment Bill 2024. In order to meet the new and strengthened requirements, your legal, IT and HR teams, advisors and providers will need to work collectively to address overlapping legal obligations, technical requirements and employee-related considerations.

We’ve prepared an Action Plan covering the key actions to get your legal, IT and HR teams and advisors working on ahead of these and future Privacy Act changes.
