
Australia’s Privacy Act Reforms

Detect eligible data breaches before they escalate. ThreatDefence provides 24×7 breach detection, OAIC notification support, and DFIR for Australian organisations subject to the NDB scheme and Privacy Act reforms.

Introduction

Australia’s Privacy Act 1988 (Cth) — significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and the Privacy and Other Legislation Amendment Act 2024 — imposes strict obligations on thousands of Australian organisations when personal information is lost, accessed without authorisation, or disclosed. Penalties for serious or repeated breaches now reach $50 million or more. Affected individuals must be notified. The OAIC must be told. And your organisation has just 30 days to assess whether a breach is notifiable.

The window between a breach occurring and your obligation to act is narrow. ThreatDefence gives Australian organisations the continuous detection, forensic investigation, and structured response capability needed to meet Privacy Act obligations — and to prevent breaches from happening in the first place.

The Australian Privacy Act

Notifiable Data Breaches (NDB) Scheme

Introduced in February 2018, the NDB scheme requires any organisation or agency covered by the Privacy Act to notify both the OAIC and affected individuals when an eligible data breach is likely to result in serious harm. A breach is eligible when personal information is:

  • Lost (e.g., a device containing customer records is stolen)
  • Accessed without authorisation (e.g., a database is compromised by an external attacker)
  • Disclosed without authorisation (e.g., data is mistakenly sent to the wrong recipient)


Organisations have 30 days to complete an assessment and determine whether a breach is notifiable. Failure to notify within that window — or failure to notify at all — constitutes a separate breach of the Privacy Act.

2022 Enforcement Amendments — Penalties Increased Dramatically

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 increased maximum penalties for serious or repeated interference with privacy from $2.22 million to:

  • $50 million, or
  • Three times the value of any benefit obtained from the conduct, or
  • 30% of adjusted annual domestic turnover during the breach period


…whichever is greater. This fundamentally changed the regulatory risk calculus for Australian boards and executives. A single breach that was previously a reputational embarrassment can now be an existential financial event.

2024 Privacy Reforms — New Obligations Take Effect

The Privacy and Other Legislation Amendment Act 2024 introduced further obligations now taking effect:

  • Statutory tort for serious invasions of privacy: Individuals can sue organisations directly in court, without needing to go through the OAIC first. This creates a new layer of civil liability on top of regulatory penalties.
  • Children’s Online Privacy Code (COPC): Organisations that provide online services likely accessed by children face stricter obligations around collecting and handling children’s personal information.
  • Automated Decision-Making Transparency: Organisations using automated systems to make decisions that significantly affect individuals must disclose this in their privacy policies.
  • Doxxing Criminal Offences: New criminal offences for the non-consensual disclosure of personal data with intent to harm.
  • Strengthened OAIC Enforcement Powers: The OAIC can now seek civil penalty orders directly, without requiring referral to the Federal Court.

Who Must Comply?

The Privacy Act applies to:

Organisation Type                      Coverage
-------------------------------------  ------------------------------------------------
Australian Government agencies         All agencies, regardless of size
Private sector organisations           Annual turnover > $3 million
Health service providers               All, regardless of turnover
Tax file number (TFN) recipients       All, regardless of turnover
Credit reporting bodies                All credit reporting bodies and credit providers
Businesses operating internationally   Organisations carrying on business in Australia
Political parties                      Following 2024 reforms, partial coverage

Small businesses under the $3M threshold may still be covered if they handle health information, operate in financial services, or participate in the Consumer Data Right scheme.

Reforms to Australia’s Privacy Act

Australia’s privacy framework is continuing to evolve, with recent reforms signalling a clear shift toward stronger accountability, greater transparency, and higher expectations for how organisations handle personal information. The first tranche of changes introduced by the Privacy and Other Legislation Amendment Act 2024 includes a new statutory tort for serious invasions of privacy, a broader penalty framework, stronger protections for children, enhanced OAIC powers, and new privacy policy obligations relating to automated decision-making.

One of the most important changes is the commencement of the new statutory tort for serious invasions of privacy, which took effect on 10 June 2025. This gives individuals a direct legal pathway to seek redress for serious privacy intrusions, separate from the usual Privacy Act complaint process. For organisations, this raises the legal and operational importance of privacy governance, especially where personal information is collected, disclosed, monitored, or used in ways that could be seen as intrusive or disproportionate.

The reforms also place greater attention on children’s privacy and digital services. The OAIC is developing a Children’s Online Privacy Code, which must be in place by 10 December 2026. This is expected to increase expectations for organisations whose products, platforms, or services are likely to be accessed by children, particularly where personal information is collected through online environments.

Another key area is automated decision-making. From 10 December 2026, APP entities will need to include additional information in their privacy policies where they use personal information in computer programs that make, or are substantially and directly related to making, decisions that could significantly affect an individual’s rights or interests. This reform is especially relevant for organisations using AI, machine learning, profiling, scoring, automated approvals, or other rule-based decision systems.

While the next tranche of reforms has not yet been fully legislated, the overall direction is already clear. Australian privacy law is moving toward more active governance, stronger compliance expectations, and closer scrutiny of how organisations use data in practice. Businesses should not treat privacy reform as a future legal issue only — it is already becoming a practical governance, risk, and operational issue that needs attention now.

How to Prepare for the Privacy Act Reforms

1. Map the personal information you hold

Identify what personal information you collect, where it comes from, where it is stored, who can access it, who it is shared with, and how long it is kept. You cannot prepare properly for reform if you do not have a clear data map. This also supports existing obligations to manage personal information openly and securely.

2. Review your privacy policy and collection notices

Update your privacy policy and collection language so they accurately reflect how personal information is collected, used, disclosed, retained, and protected. This is especially important if your organisation uses AI, profiling, scoring, automated approvals, or other systems that make or support significant decisions about individuals. New APP 1 obligations about automated decisions commence on 10 December 2026.

3. Identify where automated decision-making is used

Create an inventory of systems that use personal information in automated or substantially automated decisions. Assess which of those decisions could significantly affect an individual’s rights or interests, then document what data is used, what decisions are made, and how those decisions are explained. That will make the 2026 transparency changes much easier to meet.

4. Tighten retention and deletion practices

Review whether personal information is being kept longer than necessary. Reduce unnecessary data holdings, set retention rules, and make sure disposal or de-identification processes are working in practice. The broader reform direction continues to emphasise stronger lifecycle management and better handling of privacy risk.

5. Reassess vendors, processors, and overseas disclosures

Check which third parties handle personal information on your behalf, what contractual controls are in place, and whether overseas disclosures are properly governed. Privacy compliance is no longer just about your own systems — it also depends on the way suppliers, platforms, and service providers handle data.

6. Strengthen security and breach response

Review access controls, logging, monitoring, encryption, incident response, and breach assessment procedures. The reform direction clearly points toward higher expectations for accountability and security, and organisations still need to meet current obligations to take reasonable steps to protect personal information.

The Core Detection & Response Challenge

Most data breaches are not discovered immediately. The global average time to identify a breach is measured in weeks or months — but under the NDB scheme, your assessment clock starts the moment you become aware of a suspected breach. That creates a dangerous gap between when a breach occurs and when you have the visibility to act.

Common detection failures that lead to Privacy Act enforcement action:

No SIEM or Log Retention

Organisations cannot reconstruct what happened without centralised log collection. The OAIC expects you to be able to scope a breach — what data was accessed, by whom, for how long.

No Behavioural Monitoring

Insider threats and compromised credentials look like normal user activity until you baseline behaviour. Without user and entity behaviour analytics (UEBA), these breaches go undetected for months.

Cloud Blind Spots

Misconfigured S3 buckets, overly permissive cloud storage, and compromised SaaS accounts are among the most common NDB-triggering breach vectors. Without cloud security posture monitoring, you won’t see them.

No Incident Response Plan

The 30-day assessment window passes quickly. Organisations without pre-built playbooks waste the first two weeks just figuring out what to do.

Scope Uncertainty

One of the hardest parts of NDB compliance is determining what personal information was involved. Without network-level evidence retention, scoping a breach is guesswork.

How ThreatDefence Supports Privacy Act Compliance

ThreatDefence delivers end-to-end breach detection, investigation, and response capability for organisations subject to the Privacy Act and NDB scheme. Our Adaptive XDR Platform — integrating SIEM, NDR, deception, cloud visibility, and a 24×7 SOC — is built to detect eligible data breaches early, scope them accurately, and support timely OAIC notification.


Continuous 24×7 Breach Monitoring

The NDB scheme doesn’t care what time a breach occurs. ThreatDefence provides round-the-clock monitoring across your endpoints, networks, cloud environments, and identity systems — detecting the indicators of unauthorised access, data exfiltration, and privilege abuse the moment they appear.

How this maps to the Privacy Act:

  • Reduces the gap between breach occurrence and organisational awareness, starting your 30-day assessment clock at the earliest possible moment
  • Detects unauthorised access and disclosure events covered by the NDB scheme
  • Provides continuous evidence that you took “reasonable steps” to protect personal information under APP 11

User & Entity Behaviour Analytics (UEBA)

Insider threats and compromised accounts are responsible for a significant proportion of NDB-eligible breaches. ThreatDefence UEBA builds behavioural baselines for every user and entity in your environment, alerting when behaviour deviates — bulk file downloads, after-hours access to customer databases, unusual email forwarding, or mass record exports.

How this maps to the Privacy Act:

  • Detects insider data theft, one of the most underreported categories of eligible data breach
  • Surfaces compromised credential abuse before bulk personal information is exfiltrated
  • Provides person-of-interest evidence for OAIC investigation responses and potential litigation under the new statutory tort
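A toy version of the baselining described above, added here as an illustration and not ThreatDefence’s own code: it builds a per-user daily download baseline from constructed history, then flags z-score outliers (bulk downloads), after-hours access to a sensitive resource, and accounts with no baseline at all. The log format, resource names, business hours and thresholds are all assumptions.

```python
"""Toy UEBA-style baselining over constructed file-server access logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local treated as normal (assumption)
SENSITIVE = {"crm_customers_db"}       # resources holding personal information (constructed)
ZSCORE_LIMIT = 3.0                     # deviation that counts as a bulk download
MIN_BASELINE_DAYS = 5                  # history needed before a user can be scored

# Constructed history: five normal working days for two users.
# Line format (assumed): timestamp,user,action,resource,file_count
HISTORY_LOG = """\
2025-03-03T09:12:00,alice,download,shared_docs,12
2025-03-03T10:05:00,bob,download,crm_customers_db,30
2025-03-04T09:40:00,alice,download,shared_docs,9
2025-03-04T11:15:00,bob,download,crm_customers_db,28
2025-03-05T14:02:00,alice,download,crm_customers_db,15
2025-03-05T15:30:00,bob,download,crm_customers_db,33
2025-03-06T09:55:00,alice,download,shared_docs,11
2025-03-06T16:20:00,bob,download,crm_customers_db,25
2025-03-07T10:10:00,alice,download,shared_docs,13
2025-03-07T13:45:00,bob,download,crm_customers_db,31
"""

# Constructed day under review: alice pulls a bulk export at 02:30,
# bob behaves normally, and a previously unseen account appears.
REVIEW_LOG = """\
2025-03-10T02:30:00,alice,download,crm_customers_db,400
2025-03-10T10:20:00,bob,download,crm_customers_db,29
2025-03-10T11:00:00,svc_backup,download,crm_customers_db,5
"""


def parse(log_text):
    """Parse the constructed CSV lines into (timestamp, user, action, resource, count)."""
    records = []
    for line in log_text.strip().splitlines():
        ts, user, action, resource, count = line.split(",")
        records.append((datetime.fromisoformat(ts), user, action, resource, int(count)))
    return records


def daily_download_totals(records):
    """Sum downloaded files per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _resource, count in records:
        if action == "download":
            totals[user][ts.date()] += count
    return totals


def build_baselines(history):
    """Per-user (mean, stdev) of daily download volume; thin history is skipped."""
    baselines = {}
    for user, per_day in daily_download_totals(history).items():
        values = list(per_day.values())
        if len(values) >= MIN_BASELINE_DAYS:
            # floor the stdev so a perfectly regular user cannot divide by zero
            baselines[user] = (mean(values), max(pstdev(values), 1.0))
    return baselines


def detect(review, baselines):
    """Return (user, reason) alerts for the records under review."""
    alerts = []
    for ts, user, _action, resource, _count in review:
        if resource in SENSITIVE and ts.hour not in BUSINESS_HOURS:
            alerts.append((user, f"after-hours access to {resource} at {ts:%H:%M}"))
    for user, per_day in daily_download_totals(review).items():
        if user not in baselines:
            alerts.append((user, "no behavioural baseline (new or rarely seen account)"))
            continue
        mu, sigma = baselines[user]
        for day, total in per_day.items():
            z = (total - mu) / sigma
            if z > ZSCORE_LIMIT:
                alerts.append((user, f"bulk download on {day}: {total} files, z={z:.1f}"))
    return alerts


def run():
    return detect(parse(REVIEW_LOG), build_baselines(parse(HISTORY_LOG)))


if __name__ == "__main__":
    for user, reason in run():
        print(f"ALERT {user}: {reason}")
```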

Cloud Security Posture Management (CSPM)

Cloud misconfigurations are among the most common triggers of NDB notifications in Australia — exposed S3 buckets, overly permissive storage accounts, publicly accessible databases. ThreatDefence continuously monitors your cloud environments for misconfigurations, excessive permissions, and exposure events, alerting before data is accessed by unauthorised parties.

How this maps to the Privacy Act:

  • Prevents cloud-driven eligible data breaches before they occur
  • Detects cloud storage exposure in real time, minimising the duration of any potential breach
  • Supports APP 11 obligations to take reasonable steps to protect personal information held in cloud environments

NDB Notification Support & Playbooks

When a breach is confirmed as notifiable, ThreatDefence structured incident playbooks guide your team through the OAIC notification process — what to include in the notification, how to notify affected individuals, what remediation steps to take. Pre-built templates reduce the time from “breach confirmed” to “OAIC notified.”

How this maps to the Privacy Act:

  • Reduces the risk of missing the notification requirement through structured escalation workflows
  • Provides draft notification content aligned to OAIC guidance
  • Documents your organisation’s response actions, demonstrating good-faith compliance to the regulator

Next-Generation SIEM — Detect the Access, Not Just the Aftermath

Our Next-Generation SIEM ingests and correlates security events from across your environment: Active Directory, email platforms, file servers, cloud storage, SaaS applications, databases, and endpoints. Behavioural baselines and anomaly detection surface abnormal access to personal information before it becomes a notifiable breach.

How this maps to the Privacy Act:

  • Detects unusual access patterns to databases or file shares containing personal information
  • Identifies compromised credentials being used to access sensitive personal data
  • Retains structured, searchable logs for breach scoping and OAIC investigation responses
  • Supports the 30-day assessment period with a complete timeline of access events

Network Detection & Response (NDR) — Evidence for Breach Scoping

When a breach occurs, one of the hardest questions to answer is: what data left the network? ThreatDefence NDR retains weeks of network-level evidence, enabling forensic reconstruction of data flows. You can determine precisely what was exfiltrated, to where, and when — the information the OAIC needs in your notification.

How this maps to the Privacy Act:

  • Enables accurate breach scoping: which individuals’ personal information was involved
  • Provides the network-level evidence required to determine whether harm is “likely”, the test for NDB eligibility
  • Supports OAIC investigation responses and civil litigation defence under the new statutory tort

Digital Forensics & Incident Response (DFIR)

When a potential breach is identified, your 30-day assessment clock is running. ThreatDefence DFIR capability provides rapid forensic investigation — determining the nature of the incident, what personal information was involved, whether serious harm is likely, and whether the breach meets the NDB notification threshold.

How this maps to the Privacy Act:

  • Delivers the breach assessment required to determine NDB notification obligations within the 30-day window
  • Produces structured forensic reports aligned to OAIC notification requirements
  • Provides legal-grade evidence for regulatory investigations and civil proceedings under the Privacy Act statutory tort
  • Identifies root cause and containment steps to prevent recurrence

APP 11 Security Programme Support

Australian Privacy Principle 11 requires organisations to take reasonable steps to protect personal information from misuse, loss, and unauthorised access. “Reasonable steps” is assessed against the sensitivity of the information, the size of the organisation, and the state of industry practice. ThreatDefence gives you the monitoring, vulnerability management, and configuration benchmarking needed to demonstrate that your security posture meets the APP 11 standard.

How this maps to the Privacy Act:

  • Provides continuous evidence of proactive security measures for OAIC audits and investigations
  • Benchmarks your security controls against industry standards, including the ACSC Essential Eight
  • Identifies and remediates security weaknesses before they lead to a breach

Privacy Act Compliance Mapping

Privacy Act Obligation                    ThreatDefence Capability
----------------------------------------  ---------------------------------------------------------
Detect eligible data breaches (NDB)       24×7 SIEM + UEBA + NDR monitoring
30-day breach assessment                  DFIR investigation + breach scoping reports
OAIC notification                         NDB playbooks + structured notification templates
Notify affected individuals               Breach scoping to identify whose data was involved
APP 11 — reasonable security steps        Continuous monitoring + vulnerability management + CSPM
Insider threat detection                  UEBA + deception technology
Cloud data exposure prevention            CSPM + cloud visibility monitoring
Evidence for OAIC investigations          Log retention + NDR evidence + DFIR reports
Statutory tort civil defence              Forensic evidence package + incident timeline
Children’s data protection (COPC)         Enhanced monitoring for high-sensitivity data categories

The Cost of Getting It Wrong

The regulatory and commercial consequences of Privacy Act non-compliance have never been higher:

  • Penalties up to $50 million for serious or repeated interference with privacy
  • Direct civil liability under the new statutory tort: individuals can sue without going through the OAIC
  • OAIC investigation powers, including the ability to seek civil penalty orders directly
  • Reputational damage: the OAIC publishes its enforcement actions, and breach notifications are increasingly covered by media
  • Class action exposure: Australian plaintiff law firms are actively pursuing data breach class actions following successful overseas precedents

Many major public breaches in Australia demonstrated that a single large-scale breach can result in years of regulatory scrutiny, hundreds of millions in remediation costs, and lasting reputational damage. Detection speed is the single biggest variable in limiting breach scope and liability.

Why Australian Organisations Choose ThreatDefence

Australian-Based

Your data stays in Australia. ThreatDefence understands the OAIC’s enforcement posture, NDB scheme requirements, and APP framework — not just generic GDPR compliance.

Evidence-First

We retain the structured, searchable evidence the OAIC expects — not just alert counts. When you receive an OAIC investigation notice, you need logs, timelines, and forensic reports. We build these as a matter of course.

Fast Time-to-Detection

The 30-day NDB assessment window starts from when you become aware of a suspected breach. Our 24×7 SOC minimises the gap between a breach occurring and your team knowing about it.

DFIR Capability In-house

Most organisations scramble to find a forensic firm after a breach is confirmed. ThreatDefence includes DFIR capability in the platform — so your investigation starts immediately, not two weeks later.

Scales to Your Team

Whether you are a healthcare provider with limited IT resources or a large enterprise with an established security function, ThreatDefence fills the gaps with managed detection and response.

Frequently Asked Questions

An eligible data breach occurs when personal information held by your organisation is lost, or is subject to unauthorised access or disclosure, and that incident is likely to result in serious harm to one or more individuals. Not every breach is notifiable. The key threshold is whether serious harm is likely in the circumstances. ThreatDefence DFIR can help assess impact, scope, and whether the legal threshold may be met.

If you suspect an eligible data breach, you must take reasonable steps to complete an assessment within 30 days. If you then have reasonable grounds to believe an eligible data breach has occurred, you must notify the OAIC and affected individuals as soon as practicable. The OAIC makes clear that 30 days is the maximum assessment window, not a target.

The scheme requires notification to both the OAIC and affected individuals when there are reasonable grounds to believe an eligible data breach has occurred. In practice, these notifications are typically prepared and issued as part of the same response process, with the focus on acting as soon as practicable once the assessment is complete.

Serious harm can include financial harm, identity theft, physical harm, psychological harm, and serious reputational harm. Whether harm is likely depends on factors such as the type and sensitivity of the information, whether it was encrypted or otherwise protected, who obtained access, and whether remedial action reduced the risk.

For a serious or repeated interference with privacy, maximum penalties for corporations can reach the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover during the relevant breach turnover period where the benefit cannot be determined.

APP 11 requires an APP entity to take reasonable steps to protect personal information it holds from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. It also includes obligations around destroying or de-identifying personal information when it is no longer needed in certain circumstances. In practice, reasonable steps may include access control, logging, monitoring, encryption, backup, incident response, and secure retention and disposal processes.

Reasonable steps are assessed in context. Relevant factors include the size of the organisation, the volume and sensitivity of the personal information, the possible harm that could result, and the practical and technical measures available. Larger organisations and entities handling more sensitive data are generally expected to implement stronger safeguards.

Not all small businesses are exempt. While the Privacy Act generally exempts many private sector businesses with annual turnover of $3 million or less, some are still covered, including private sector health service providers, tax file number recipients, credit reporting bodies, credit providers, and entities that trade in personal information. Some small businesses may also opt in.

Yes. Private sector health service providers are covered by the Privacy Act and the NDB scheme regardless of turnover. That is one of the most important exceptions to the general small business exemption.

The Privacy and Other Legislation Amendment Act 2024 introduced a statutory cause of action for serious invasions of privacy. Schedule 2 of that Act commenced on 10 June 2025. This creates an additional civil litigation pathway in addition to regulatory action under the Privacy Act.

Yes. The new cause of action increases litigation exposure because individuals may bring claims for serious invasions of privacy through the courts where the statutory requirements are met. For organisations, that means a major privacy incident can now create regulatory risk, remediation cost, reputational impact, and private litigation exposure at the same time. This is an inference based on the new cause of action and its commencement.

Yes. A cyber incident affecting personal information may trigger obligations under the Privacy Act’s NDB scheme and, for critical infrastructure entities, separate reporting obligations under the SOCI Act. These regimes operate in parallel, so organisations need an incident process that can assess multiple legal triggers at once.

The first priorities are usually to contain the incident, preserve evidence, understand what information and systems were affected, assess whether serious harm is likely, and determine whether notification obligations may apply. The OAIC also emphasises avoiding destruction of evidence during the early response stage.

Yes. If prompt remedial action means the incident is no longer likely to result in serious harm, the breach may not be an eligible data breach for notification purposes. That makes fast containment and evidence-based assessment especially important.

DFIR helps determine what happened, what data was affected, whether there was exfiltration or access, how serious the likely harm is, and whether the breach is likely to meet the notifiable threshold. It also supports evidence preservation, executive decision-making, and the preparation of defensible records for legal and regulatory review. This is an operational interpretation of how incident response supports compliance.