Australia’s new privacy reforms

In late 2024, the federal government gave Australia’s privacy laws their biggest overhaul in decades, largely to bring them up to date with the digitalised workplace. If you’re a practice owner, manager or HR professional, you need to be across the changes now or accept real legal and reputational risk, writes Merilyn Speiser from Catalina Consultants.
AN OVERVIEW OF THE PRIVACY REFORMS
The Privacy and Other Legislation Amendment Act 2024 changes the way personal information can be used, stored, accessed and handled. Not every provision reaches every business, however. The Privacy Act’s core obligations (the Australian Privacy Principles) generally apply to organisations with an annual turnover above $3 million, plus certain smaller businesses such as health service providers, whereas the new statutory tort described below can be brought against any organisation or individual.
Key reforms relevant to HR professionals include:
- A new statutory tort for serious invasions of privacy
- Transparency obligations for automated decision-making systems
- Simplified overseas data transfers
- Enhanced regulatory powers and penalties.
We’ll look at each of these in more detail below.
Statutory tort for serious invasions of privacy
From 10 June 2025, the Act creates a new statutory tort (i.e. a legal wrong defined by legislation) for serious invasions of privacy.
This new legal avenue allows individuals, including employees, to sue an organisation or individual directly. To succeed, a claimant must show that they had a reasonable expectation of privacy, that the invasion was intentional or reckless, and that it was serious; the court then weighs the public interest in privacy against competing public interests such as freedom of expression, and consent is a defence. Conduct that can found a claim includes:
- Unauthorised surveillance or monitoring. Employers need to make sure they don’t excessively intrude upon employees’ privacy without adequate justification and explicit consent.
- Misuse of employee personal data. Employers need to manage personal and sensitive information vigilantly to make sure it isn’t improperly shared or mishandled. This includes health records, performance evaluations and payroll data.
Breaching these provisions could be costly, including the risk of class actions if a single practice (for example, blanket monitoring of a whole team) affects multiple employees.
Transparency in automated decision making
More employers are using automated decision-making tools, including AI, for HR functions such as recruitment, performance evaluation and administration. From 10 December 2026, businesses covered by the Privacy Act must state in their privacy policy the kinds of decisions they make solely or substantially by computer program, and the kinds of personal information those programs use, wherever the decision could reasonably be expected to significantly affect an individual’s rights or interests.
That disclosure matters because AI-based decision making is prone to several flaws:
- Algorithmic bias. Models trained on historical data can perpetuate past biases and discriminate against particular demographic groups.
- Lack of transparency. An automated decision may be reached in a way that nobody, sometimes not even the organisation using the tool, can fully explain, which breeds distrust and dissatisfaction.
- Inaccuracies. A decision based on incorrect or outdated data can produce an unjust outcome.
It’s important that automated processes support human decision making rather than entirely replacing it. So, every business should review and articulate how they’re using these technologies. They should also make sure employees understand how automated decisions impact them and provide the transparency needed to minimise potential bias and inaccuracy.
Simplified overseas data transfers
From 11 December 2024, the legislation introduced a ‘whitelist’ mechanism that simplifies the overseas transfer of personal data.
The whitelist streamlines international data sharing by allowing regulations to prescribe countries and binding schemes whose privacy protections are deemed substantially similar to Australia’s; transfers to a prescribed destination no longer need the case-by-case assessment that APP 8 otherwise requires.
No countries have yet been prescribed, so for now every overseas transfer is still governed by the existing APP 8 rules. You should therefore make sure international third-party providers handling employee data adhere to the Australian Privacy Principles (APPs). As a minimum this should involve:
- Evaluating current overseas providers and their privacy compliance
- Updating contracts and data processing agreements to align with these reforms
- Establishing clear internal guidelines for data transfer, including steps for vetting and approving new overseas data processors.
Enhanced regulatory powers and penalties
The amendments give the Office of the Australian Information Commissioner (OAIC) expanded enforcement powers.
OAIC can now issue infringement notices for administrative breaches and compliance notices directing an entity to take specified corrective action, and can apply to the Federal Court for civil penalties under a new three-tier scheme:
- Up to $50 million (or, if greater, three times the benefit obtained or 30% of adjusted turnover) for serious interferences with privacy by corporations.
- Up to $660,000 for interferences with privacy that are not serious.
- Up to $66,000, payable under an infringement notice, for specified administrative breaches such as a non-compliant privacy policy.
PRACTICAL HR COMPLIANCE STEPS
To make sure your business is complying with the amendments, you should undertake a comprehensive review of your policies, procedures and plans. This includes:
- Audit and review: Assess your privacy policies and data handling practices. Try to identify any compliance gaps and then fix them.
- Policy updates: Revise your privacy policies to reflect your new obligations, including the need to explicitly disclose any automated decisions.
- Training and education: Introduce privacy compliance training in your workplace to make sure employees and managers understand their obligations and the risks associated with not complying.
- Enhance data security: Strengthen controls over HR data, such as multi-factor authentication on any system holding employee records, encryption of data at rest and in transit, and access restricted to those who need it and logged so that misuse can be traced.
- Breach response plan: Develop or refine your organisation’s response strategies for potential data breaches so that you can respond to an incident swiftly.
- Third-party compliance: Verify international third-party vendors are complying with Australian standards. Update your contracts and service-level agreements to reflect these obligations.
AND FINALLY …
The Privacy and Other Legislation Amendment Act 2024 reshapes the privacy compliance landscape for Australian organisations. Businesses need to respond proactively, so that they embed the changes in their organisational practices as soon as possible.
Merilyn Speiser is Principal Consultant at Catalina Consultants and the ACA’s HR Advisor. ACA member practices are eligible for a 15-minute consultation each year on a range of matters related to people management and workplace culture. To access this 15-minute consultation, head to the HR Advisory form.
This article first appeared on the Catalina Consulting website, and is republished here with permission.