Privacy Act 2026 enforcement: what AU SMBs need to know before the regulator arrives

By Greg Markowski / May 21, 2026 / Cybersecurity & Compliance

The Privacy Act reforms have been staged across 2024, 2025, and 2026. The first tranche raised the maximum penalty for serious or repeated breaches to $50 million. The second tranche gave the Office of the Australian Information Commissioner (OAIC) substantially expanded enforcement powers. The third tranche, now arriving, brings the SMB enforcement reality into focus.

If you read one piece on Privacy Act compliance this year, this is the practical one. Written for AU SMBs of 20-200 staff who hold personal information about clients, staff, or both, which means almost all of them.

What changed (the short version)

The Privacy Act now applies to more AU SMBs than ever before. The $3 million annual turnover small business exemption is being progressively narrowed, with several categories of small business already brought into the regulated population (health service providers, businesses trading in personal information, related entities of larger organisations, contracted service providers to Commonwealth agencies). The pattern is clear: the exemption is shrinking and most SMBs will need to comply within 24-36 months.

Penalties for serious or repeated interference with privacy are now $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover, whichever is greatest. The OAIC can also seek civil penalty orders for the new mid-tier and lower-tier civil penalty provisions, with penalties scaled appropriately. The era of “the OAIC has no teeth” is over.

The notifiable data breaches scheme has been tightened. Reporting timeframes are stricter, the OAIC has stronger investigation powers, and the public-facing transparency on breaches has increased.

A statutory tort of serious invasion of privacy is now part of the legislation. This means individuals can sue businesses directly for serious privacy invasions, without going through the OAIC. The bar for serious invasion is high, but the existence of the direct cause of action changes the legal landscape for businesses handling sensitive personal information.

What the OAIC is actually looking at

From OAIC public statements and recent determinations, three patterns stand out for SMB enforcement.

Failure to take reasonable steps to protect personal information. This is APP 11.1, and it is the most common basis for findings against SMBs. The OAIC is increasingly specific about what “reasonable steps” means: multi-factor authentication, supported operating systems, current patches, documented access controls, staff training. The implicit standard now references frameworks like the Essential Eight and SMB1001 as evidence of reasonable steps. Businesses that cannot demonstrate alignment with a recognised framework are on weaker ground.

Our Essential 8 compliance guide and SMB1001:2026 guide cover what “reasonable steps” practically looks like in 2026.

Breach response timing and quality. Under the tightened notifiable data breaches scheme, the OAIC is examining whether businesses are detecting breaches, assessing them properly, and notifying within the required timeframe. Late notification is a separate enforcement issue from the breach itself. Businesses without a documented incident response plan and a tested notification process are at material risk.

Unnecessary collection or retention. APP 3 (collection) and APP 11.2 (destruction or de-identification) are being enforced more actively. Businesses that collect more personal information than they need, or retain it longer than necessary, are being asked to justify their practices. The OAIC’s view is that retention by default is no longer acceptable.

The cost of getting it wrong

The $50 million headline figure applies to serious or repeated interference. For most SMB breaches, mid-tier or lower-tier penalties are more likely, but they are still substantial: the OAIC can seek civil penalty orders well into the hundreds of thousands of dollars for SMB-scale failures.

The non-penalty costs are typically larger than the penalty itself. A serious breach for a 50-person Perth professional services business typically costs $200,000-500,000 in breach response, legal advice, customer communication, regulatory engagement, and remediation, on top of any penalty. Cyber insurance covers some of this but not all of it, and your premium at the next renewal will reflect the incident.

The reputational cost is harder to measure but real. The OAIC publishes findings and determinations. Client confidence does not recover quickly, particularly in legal, financial, and healthcare sectors where confidentiality is fundamental.

What “reasonable steps” looks like in practice

The OAIC will not give a definitive checklist, but the pattern from recent determinations and guidance is clear. For most AU SMBs holding personal information, reasonable steps include:

- multi-factor authentication
- supported operating systems with current patches
- endpoint detection and response
- tested backups
- documented access controls
- a documented incident response plan
- staff privacy training
- vendor management

These map directly onto the controls in the Essential Eight and SMB1001 frameworks. The frameworks are not legally mandatory, but they are the closest thing to a defensible standard if the OAIC ever asks what reasonable steps you have taken.

What this means for specific industries

The Privacy Act applies broadly but enforcement varies by industry sensitivity.

Legal services. Already subject to professional conduct rules around confidentiality. The Privacy Act layers additional obligations on top. Law firms handling sensitive client matters need documented information handling practices that can survive both Law Society audits and OAIC scrutiny.

Healthcare. Health information attracts the highest sensitivity tier. Healthcare practices in Perth are increasingly being asked to demonstrate framework-aligned controls (typically Essential Eight or SMB1001) as a condition of professional indemnity insurance and Medicare provider agreements.

Financial services and accounting. Existing privacy and financial services regulations already drive most of the right behaviours, but the 2026 enforcement focus on retention practices is catching out firms that have kept client records longer than the law requires.

Real estate and property management. These businesses hold extensive personal information on tenants, buyers, and landlords. Historically lighter-touch on privacy compliance, they are now firmly in OAIC focus.

How Epic IT helps

We work with Perth and AU SMBs on Privacy Act readiness as part of our managed cybersecurity service. The approach is practical: identify what personal information your business actually holds, where it sits, who accesses it, and what controls are in place. From there we map the gaps to the OAIC’s expected reasonable steps and build a plan to close them.

For businesses without managed cybersecurity in place, we offer a Privacy Act readiness review as a standalone engagement. The output is a written assessment, a gap analysis, and a costed plan for compliance. Typical engagement size is $5,000-15,000 depending on business scale and current state.

What you should do now

Confirm whether the small business exemption still applies to your business. The exemption is narrowing and many SMBs that were exempt in 2023 are no longer exempt. If you handle health information, trade in personal information, or contract to Commonwealth agencies, you are likely already covered. Our Privacy Act 2026 small business guide covers the exemption rules.

Map what personal information you actually hold. Most businesses underestimate this. The exercise of listing every system, every database, every spreadsheet that contains personal information often surfaces compliance gaps immediately.

Book a Privacy Act readiness review with us. Contact us on 1300 EPIC IT. We will assess your current position, identify the gaps, and give you a practical, costed plan for compliance.

Frequently asked questions

Does the Privacy Act apply to my small business in 2026?

The small business exemption is being progressively narrowed. Several categories of small business are already covered: health service providers, businesses that trade in personal information, related entities of larger organisations, and contracted service providers to Commonwealth agencies. The general $3 million turnover threshold still applies for now, but the pattern is clear and most SMBs will need to comply within 24-36 months. If your business handles client or staff personal information to any meaningful extent, treat the Act as applicable now.

What is the maximum Privacy Act penalty in 2026?

For serious or repeated interference with privacy, the maximum penalty is $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover, whichever is greatest. Mid-tier and lower-tier civil penalty provisions also exist with scaled penalties for less serious breaches. SMB-scale breaches typically attract penalties in the hundreds of thousands of dollars rather than the headline $50 million.

What are “reasonable steps” under APP 11.1?

The OAIC does not publish a definitive checklist but the pattern from recent determinations is clear: multi-factor authentication, supported operating systems with current patches, endpoint detection and response, tested backups, documented access controls, documented incident response plan, staff privacy training, vendor management. Alignment with recognised frameworks like Essential Eight or SMB1001 is the closest thing to a defensible standard.

How quickly do I have to notify a data breach in 2026?

The notifiable data breaches scheme requires assessment within 30 days of becoming aware of suspected unauthorised access or disclosure, and notification to affected individuals and the OAIC as soon as practicable after assessment confirms the breach is likely to result in serious harm. The 2026 amendments tightened these timeframes and the OAIC’s enforcement focus on late notification has increased.

What is the new statutory tort of serious invasion of privacy?

The Privacy Act now includes a statutory tort allowing individuals to sue businesses directly for serious invasions of privacy, without going through the OAIC. The threshold for “serious” is high, but the existence of a direct cause of action changes the legal landscape, particularly for businesses handling sensitive personal information about clients, patients, or staff.

Does Privacy Act compliance require Essential Eight or SMB1001 certification?

No, the frameworks are not legally mandatory under the Privacy Act. However, the OAIC increasingly references framework-aligned controls as evidence of reasonable steps under APP 11.1. Businesses with formal Essential Eight or SMB1001 alignment are in a materially stronger position if the OAIC ever asks what reasonable steps have been taken to protect personal information.

Need a Privacy Act readiness review?

Our Perth-based team will assess your current position, identify the gaps against OAIC expectations, and give you a practical, costed plan for compliance. No obligation.


About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
