Privacy Act Reforms and Cyber Security Compliance in Australia: What Businesses Must Know in 2026
Australia's Privacy Act 2024 amendments and Cyber Security Act create new obligations. Learn the Essential Eight, OAIC penalties, and how to stay compliant.
Australia's privacy and cyber security regulatory landscape has undergone its most significant transformation in decades. The Privacy and Other Legislation Amendment Act 2024, the new Cyber Security Act 2024, and the Australian Signals Directorate's (ASD) Essential Eight framework together create a demanding compliance environment for Australian businesses of all sizes. Understanding these obligations — and engaging a qualified cyber consultant to help meet them — is no longer optional for organisations that handle personal data or operate digital infrastructure.
Understanding the New Australian Privacy and Cyber Security Framework
Two landmark pieces of legislation now define Australia's cyber and privacy compliance landscape. The Privacy and Other Legislation Amendment Act 2024 introduced sweeping changes to the Privacy Act 1988, while the Cyber Security Act 2024 established new mandatory reporting obligations and security standards.
Together, these laws signal a clear shift in regulatory philosophy: Australian regulators are moving from reactive enforcement after breaches to proactive compliance monitoring. Organisations must now be able to demonstrate their privacy and security practices at any time — not just when something goes wrong.
Key commencement dates that every Australian business should be aware of include:
- 10 June 2025 — A new statutory tort for serious invasions of privacy commenced, allowing individuals to sue organisations for intentional or reckless misuse of personal information
- Late 2024 — Ransomware payment reporting obligations took effect for entities with annual turnover of $3 million or more, requiring notification to the Department of Home Affairs within 72 hours
- 10 December 2026 — Organisations must disclose in their privacy policies the use of automated decision-making systems that substantially influence decisions affecting individuals
- 10 December 2026 — A Children's Online Privacy Code is expected to be registered, mandating stricter protections for minors' personal data
The Privacy Act Reforms: What Has Changed
The Privacy and Other Legislation Amendment Act 2024 represents the most significant update to Australian privacy law since the introduction of the Australian Privacy Principles (APPs) in 2014. The key changes affecting businesses include:
Statutory Tort for Privacy Invasion
From 10 June 2025, individuals can bring civil claims against organisations for serious, intentional, or reckless invasions of privacy. This includes both the misuse of personal information and physical intrusion upon seclusion. Organisations that suffer data breaches due to inadequate security controls now face not only regulatory penalties but also direct civil liability to affected individuals.
Expanded OAIC Enforcement Powers
The Office of the Australian Information Commissioner (OAIC) has been granted significantly expanded enforcement powers, including the ability to conduct proactive compliance sweeps, issue infringement notices, and pursue civil penalties. Maximum penalties for serious or repeated privacy breaches can reach up to $50 million, 30% of adjusted annual turnover, or three times the benefit obtained from the breach — whichever is greatest.
Automated Decision-Making Transparency
By 10 December 2026, organisations must update their privacy policies to disclose the use of automated systems that make or substantially influence decisions affecting individuals. This requirement has significant implications for businesses using AI-driven tools for credit assessments, recruitment, customer service, or marketing personalisation.
The Small Business Exemption Under Pressure
The long-standing exemption for businesses with annual turnover below $3 million remains in effect but is under active review. The government has signalled its intention to narrow or remove this exemption in future legislation. Importantly, the exemption already does not apply to health service providers or businesses that trade in personal information. Small businesses should begin preparing for full Privacy Act compliance now, rather than waiting for the exemption to be removed.
The ASD Essential Eight: Australia's Cyber Security Baseline
The Australian Signals Directorate's (ASD) Essential Eight is the de facto cyber security baseline for Australian organisations. Originally developed for government agencies, it is now widely adopted across the private sector and is increasingly required for cyber insurance policies and government contracts.
The Essential Eight consists of eight mitigation strategies organised around three objectives:
- Prevent attacks — Application control, patch applications, configure Microsoft Office macro settings, and user application hardening
- Limit the extent of incidents — Restrict administrative privileges, patch operating systems, and multi-factor authentication (MFA)
- Recover data and system availability — Regular, tested backups
The framework uses a maturity model with four levels (0–3). Maturity Level 1 is the recommended starting point for small businesses, focusing on mitigating opportunistic, commodity-based attacks. Maturity Level 2 is increasingly viewed as the expected baseline for mid-sized organisations and those handling sensitive data. Maturity Level 3 addresses highly sophisticated, adaptive adversaries and requires advanced automation and privileged access isolation.
A key 2025–2026 development is the shift toward phishing-resistant multi-factor authentication (MFA) — such as FIDO2 hardware keys — for privileged users, as SMS-based one-time passwords are increasingly vulnerable to interception attacks. Patching timelines for actively exploited vulnerabilities are also becoming more stringent, with 48-hour remediation windows now expected for critical systems.
Common Cyber Compliance Mistakes Australian Businesses Make
Many Australian businesses underestimate their cyber and privacy compliance obligations. Here are the most common pitfalls a qualified cyber consultant can help you avoid:
- Assuming the small business exemption provides full protection — The exemption does not cover health data, traded personal information, or the new statutory tort for privacy invasion
- Failing to report ransomware payments — Businesses with turnover above $3 million that pay ransomware demands without notifying the Department of Home Affairs within 72 hours face regulatory penalties
- Inconsistent Essential Eight maturity — Having high maturity in some controls but gaps in others creates exploitable weaknesses. The ASD recommends achieving a consistent maturity level across all eight strategies
- Outdated privacy policies — Many businesses have not updated their privacy policies to reflect the 2024 amendments, leaving them exposed to OAIC compliance sweeps
- No data mapping — Without a clear inventory of what personal data is collected, stored, and shared, organisations cannot demonstrate compliance or respond effectively to a breach
- Ignoring automated decision-making obligations — Businesses using AI tools for customer-facing decisions must begin mapping these systems now to meet the December 2026 disclosure deadline
- Inadequate incident response planning — The 72-hour reporting window for critical infrastructure incidents and ransomware payments requires a pre-planned, tested response process
Australian Regulatory Context
Cyber security and privacy compliance in Australia involves several key regulators and frameworks:
The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. The OAIC has broad powers to investigate complaints, conduct audits, and impose civil penalties for serious privacy breaches.
The Australian Signals Directorate (ASD), operating through the Australian Cyber Security Centre (ACSC), publishes the Essential Eight framework, threat intelligence, and guidance for Australian businesses. The ASD also administers the Cyber Security Act 2024 and the Security of Critical Infrastructure Act 2018 (SOCI Act).
The Department of Home Affairs receives mandatory ransomware payment reports and coordinates Australia's national cyber security strategy under the 2023–2030 Australian Cyber Security Strategy.
For businesses in regulated sectors, additional cyber security obligations may apply. Financial services firms are subject to APRA Prudential Standard CPS 234 (Information Security), which requires robust information security frameworks and mandatory incident notification. Healthcare providers must comply with the My Health Records Act and the Privacy Act's health information provisions.
What to Look For in a Cyber Consultant
Engaging the right cyber consultant is critical to navigating this complex regulatory environment. When evaluating candidates, look for the following:
- Relevant certifications — CISSP, CISM, ISO 27001 Lead Auditor, or ASD-endorsed certifications demonstrate technical credibility
- Essential Eight assessment experience — Ask for examples of Essential Eight maturity assessments they have conducted and the remediation roadmaps they have delivered
- Privacy Act compliance expertise — Ensure they understand the 2024 amendments, including the statutory tort, OAIC enforcement powers, and automated decision-making requirements
- Incident response capability — A good cyber consultant can help you develop and test an incident response plan that meets the 72-hour reporting requirements
- Industry experience — Cyber risks vary significantly by sector. A consultant with experience in your industry will better understand your specific threat landscape and regulatory obligations
- Vendor independence — Consultants who are not tied to specific technology vendors will provide more objective recommendations
Cyber Compliance Checklist for Australian Businesses
Use this checklist to assess your current cyber and privacy compliance position:
- Have you conducted an Essential Eight maturity assessment in the last 12 months?
- Is multi-factor authentication (MFA) enabled for all remote access and privileged accounts?
- Are critical systems patched within 48 hours of actively exploited vulnerabilities being identified?
- Do you have a tested, documented incident response plan that addresses the 72-hour ransomware reporting requirement?
- Have you updated your privacy policy to reflect the 2024 Privacy Act amendments?
- Have you mapped all automated decision-making systems that affect individuals, in preparation for the December 2026 disclosure deadline?
- Do you conduct regular, tested backups stored offline or in an immutable format?
- Have you assessed whether the small business Privacy Act exemption applies to your organisation?
- Do you have a data breach response procedure aligned with the Notifiable Data Breaches scheme?
- Is cyber security governance a standing agenda item at board or senior management level?
How MyMoney® Can Help
Australia's evolving cyber security and privacy regulatory landscape requires specialist expertise that goes well beyond general IT support. A qualified cyber consultant can assess your current maturity, identify compliance gaps, and build a practical remediation roadmap that protects your business and satisfies regulatory requirements.
MyMoney® connects Australian businesses with verified cyber consultants who have demonstrated expertise in the ASD Essential Eight, Privacy Act compliance, incident response planning, and sector-specific regulatory frameworks. Whether you need a one-off maturity assessment or ongoing advisory support, our marketplace makes it easy to find the right professional.
To get started, post a brief describing your cyber security and privacy compliance needs and receive tailored proposals from qualified consultants. You can also browse our cyber consultant directory to explore professionals by specialisation, certification, and industry experience.
With the regulatory stakes higher than ever, proactive cyber compliance is not just good practice — it is a legal and commercial imperative for Australian businesses in 2026.
This article provides general information only and does not constitute personal financial advice. Consider whether the information is appropriate for individual circumstances before acting on it. MyMoney® Marketplace is operated by Global Mutual Funds Pty Ltd (ABN 20 090 555 436, AFSL 222640).