What Is the Australian Privacy Act Small Business Exemption?
The Privacy Act 1988 has long required organisations with an annual turnover above $3 million to comply with the 13 Australian Privacy Principles (APPs). These principles govern how personal information is collected, used, stored, disclosed, and destroyed. Small businesses below the $3 million threshold were largely exempt from these obligations, so most Australian businesses have operated without a formal privacy policy, without a data breach response plan, and without any structured approach to consent management. The Privacy and Other Legislation Amendment Act 2024 removes this exemption. The legislative changes are phased, with the small business exemption removal commencing on 10 December 2026. That deadline gives businesses a finite window to build and embed a compliant privacy framework before the law takes full effect.
Why This Matters More Than You Think
2.5 Million Businesses Are Now in Scope
The scale of this change is significant. Approximately 2.5 million Australian businesses that previously had no formal obligations under the Privacy Act will become regulated entities from December 2026. Most of these are small businesses operating in sectors like real estate, healthcare, retail, trades, hospitality, and professional services. This is not a technical compliance exercise designed for large enterprises. It directly affects small business owners, operators, and the IT systems they rely on every day.
The OAIC Is Already Enforcing
The Office of the Australian Information Commissioner (OAIC) is not waiting until December 2026 to signal its intent. The OAIC is currently running its first-ever compliance sweep, targeting approximately 60 organisations across the real estate, healthcare, and retail sectors. The focus of this sweep is whether organisations have adequate privacy policies and whether those policies are being followed in practice. This enforcement activity is a clear signal that the regulator is building its capability and appetite for action ahead of the broader expansion of Privacy Act coverage.
The Penalties Are Substantial
Non-compliance carries real financial consequences. For serious or repeated interferences with privacy, the civil penalty for a body corporate is up to the greatest of $50 million, three times the value of the benefit obtained from the contravention, or 30 per cent of adjusted turnover for the relevant period. For smaller contraventions, including operating with a privacy policy that does not comply with the Australian Privacy Principles, penalties of up to $66,000 per breach apply. These are not figures reserved for large corporations. Once small businesses are covered by the Act, they are subject to the same penalty framework as everyone else.
What Changes on 10 December 2026
The 13 Australian Privacy Principles Apply in Full
From December 2026, newly covered small businesses must comply with all 13 Australian Privacy Principles. These principles cover every stage of the personal information lifecycle.
Collection and Notification (APPs 1 to 5)
Businesses must have an up-to-date privacy policy, give individuals the option of dealing with them anonymously or under a pseudonym where that is practicable, only collect personal information that is reasonably necessary for their functions, not collect sensitive information (such as health information) without consent, deal appropriately with unsolicited personal information they receive, and notify individuals at or before the time of collection about what is being collected and why.
Use and Disclosure (APPs 6 to 9)
Personal information can only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose with consent or in the limited circumstances the Act allows. Direct marketing has specific opt-out requirements under APP 7, APP 8 governs disclosure to overseas recipients, and APP 9 restricts the adoption, use and disclosure of government related identifiers such as Medicare numbers or tax file numbers.
Data Quality and Security (APPs 10 and 11)
Businesses must take reasonable steps to keep personal information accurate, up to date and complete, to protect it from misuse, interference and loss and from unauthorised access, modification or disclosure, and to destroy or de-identify it once it is no longer needed for any purpose the Act permits.
Access and Correction (APPs 12 and 13)
Individuals have the right to access the personal information a business holds about them and to request corrections. Businesses must have a documented process to handle these requests within a reasonable period.
The Notifiable Data Breaches Scheme Applies
The Notifiable Data Breaches (NDB) scheme, which already applies to organisations covered by the Act, will extend to newly covered businesses from December 2026. Under the NDB scheme, if a data breach is likely to result in serious harm to one or more individuals (an "eligible data breach"), the business must notify both the OAIC and the affected individuals as soon as practicable. This means small businesses need a documented data breach response plan before the deadline. Discovering a breach and then working out what to do is not an acceptable approach under the NDB scheme; the expectation is that you have already planned your response.
Automated Decision-Making Transparency Obligations
One of the most forward-looking changes commencing on 10 December 2026 is the introduction of automated decision-making (ADM) transparency obligations. Businesses that use computer programs, including AI or other algorithmic systems, to make or substantially assist decisions that could reasonably be expected to significantly affect an individual's rights or interests, such as pricing decisions, loan assessments, content personalisation, or eligibility determinations, will be required to state in their privacy policy the kinds of personal information those programs use and the kinds of decisions they make or assist. This is a direct response to the growing use of AI tools across Australian businesses. If your business uses any system that makes or significantly influences decisions about individuals, you will need to describe this clearly and in plain language in your privacy policy from December 2026.
Meaningful Consent Rules Are Tightening
The changes also address how businesses obtain consent from individuals. Pre-ticked boxes, bundled consent clauses buried in terms and conditions, and vague authorisations are no longer acceptable. Consent must be informed, specific, voluntary, and current. Businesses that rely on default opt-ins or that lump privacy consent together with other agreements will need to redesign their consent flows before the December deadline. This applies to website forms, booking systems, email sign-ups, and any other touchpoint where you collect customer information.
What Your Business Needs to Do Before December 2026
The following nine steps represent the minimum compliance baseline for a small business preparing for Privacy Act coverage. Each step builds on the last, so working through them in order is the most efficient approach.
1. Conduct a Data Audit
Start by understanding what personal information your business actually holds. Map out what you collect, why you collect it, where it is stored (including which systems are hosted overseas), how long you keep it, and who can access it. This audit provides the foundation for every other compliance step: the retention periods feed your disposal process, the storage locations feed your overseas transfer review, and the access list feeds your security controls. Without knowing what data you hold, you cannot manage it properly or protect it effectively.
2. Write or Update Your Privacy Policy
Your privacy policy must comply with all 13 Australian Privacy Principles. It needs to explain what information you collect, why you collect it, how you use and disclose it, whether you send it overseas, how individuals can access or correct their information, and how they can make a complaint. If your current privacy policy is a generic template downloaded years ago, it almost certainly does not meet these requirements. A compliant privacy policy is specific to your business, reflects your actual data practices, and is written in plain language that your customers can actually understand.
3. Implement a Complaints and Access Process
Individuals have the right to request access to the personal information your business holds about them and to request corrections if that information is inaccurate. They also have the right to make a complaint if they believe your business has mishandled their data. Your business needs a documented process for handling these requests, including nominated contact details and reasonable timeframes for response.
4. Establish a Data Breach Response Plan
Under the NDB scheme, an eligible data breach requires prompt notification to both the OAIC and affected individuals. Your response plan should define what constitutes an eligible breach, who is responsible for assessing and containing it, how and when notifications will be issued, and how the incident will be documented for regulatory purposes. A breach response plan that exists only in someone's head is not a plan. It needs to be written, tested, and understood by everyone in the business who might be first to identify an incident.
5. Review Your Consent Mechanisms
Audit every point where your business collects consent from customers or prospects. This includes website forms, booking systems, email sign-ups, and any point-of-sale or onboarding process where personal information is gathered. Replace pre-ticked boxes with explicit opt-in mechanisms. Separate privacy consent from other terms where the two are currently bundled together. Document what people are consenting to and when.
6. Adopt Privacy by Design
Privacy by design means building privacy protections into your systems and processes from the start, rather than adding them as an afterthought. When you implement a new customer management system, update your website, or introduce a new service workflow, privacy considerations should be part of the design process from day one. This approach reduces the cost and complexity of compliance over time.
7. Review Third-Party Processors and Overseas Data Transfers
If your business shares personal information with third-party software providers, cloud services, or overseas contractors, APP 8 applies to any disclosure to an overseas recipient: before disclosing, you must take reasonable steps to ensure the recipient does not breach the APPs, and in many cases you remain accountable for how they handle the information. You need to understand where your data goes, what contractual protections are in place, and whether those arrangements meet the Privacy Act requirements. Many common business tools, including email platforms and cloud storage services, store data on overseas servers by default.
8. Implement Security Measures and Staff Training
Technical and organisational security is a core requirement under the Privacy Act. This includes access controls, encryption where appropriate, secure disposal of data that is no longer needed, and regular software updates. It also means making sure your staff understand their obligations under the Act. A well-intentioned employee who does not know the rules is still a compliance and reputational risk. Our managed cybersecurity services are designed to help businesses like yours build the technical foundation for data security without needing an in-house IT team to manage it around the clock.
9. Add AI and Automated Decision-Making Disclosures
If your business uses any AI tools or algorithmic systems that make decisions about customers or individuals, you need to document this in your privacy policy before December 2026. This includes automated marketing tools that segment customers, pricing engines that adjust rates based on data profiles, and any workflow automation that influences individual outcomes. The disclosure must be written in plain language and must accurately describe how the technology is used.
The IT Dimension: Why Your Technology Choices Matter
Privacy compliance is not just a legal exercise. It is also an IT challenge. The way your business stores data, who can access it, how it is backed up, and how breaches are detected and contained all depend on the technology you use and how it is configured. Small businesses that have grown organically often end up with personal data scattered across multiple systems: a CRM in one place, a shared inbox in another, spreadsheets on someone's desktop, and cloud storage that was set up without much thought about access controls. Cleaning this up and implementing a coherent data management approach takes time and technical effort. Starting early is significantly less disruptive than rushing before a regulatory deadline.
Common IT issues that create Privacy Act exposure include:
- Personal data stored in email inboxes rather than secure, auditable systems
- Cloud services configured with overly broad access permissions
- Customer databases without audit trails or access logging
- No documented backup and recovery process in place
- Software and devices that are not regularly patched or updated
- Staff using personal devices to access business data without any controls
- No process for securely disposing of data when it is no longer needed
Is Your Business Actually Covered? Key Questions to Ask
Not every business will be affected in exactly the same way, but the vast majority of small businesses that collect any kind of customer or employee information will be covered. Use these questions to understand your exposure.
- Do you collect personal information? Personal information includes names, contact details, email addresses, payment details, health information, location data, photos, and any other information about an identifiable individual. If the answer is yes, which it is for almost every business, you will be covered from December 2026.
- Is your annual turnover under $3 million? If you previously relied on the small business exemption, December 2026 is the date your full Privacy Act obligations begin. Some businesses, including health service providers, were never exempt and are already covered regardless of turnover.
- Do you use AI tools in your operations? Automated decision-making disclosure obligations apply from the same date. Review all AI-assisted systems before the deadline and update your privacy policy accordingly.
- Do you send customer data overseas? Many common business tools, including email platforms, CRMs, and cloud storage services, store data on overseas servers. This triggers APP 8 obligations that require you to take reasonable steps to ensure overseas recipients handle the data in accordance with Australian Privacy Principles.
- Do you have a privacy policy? If not, you need one before December 2026. If you do have one, it almost certainly needs to be reviewed and updated to reflect the full requirements of all 13 APPs.
Frequently Asked Questions
When does the small business exemption removal take effect?
The small business exemption removal commences on 10 December 2026. From that date, businesses previously exempt under the $3 million turnover threshold will be required to comply with all 13 Australian Privacy Principles and the broader obligations of the Privacy Act 1988.
How many businesses will be affected by this change?
Approximately 2.5 million additional Australian businesses will come within the scope of the Privacy Act when the exemption is removed. This represents a substantial expansion of the regulated population under Australian privacy law.
What are the penalties for non-compliance?
For serious or repeated interferences with privacy, the civil penalty for a body corporate is up to the greatest of $50 million, three times the value of the benefit obtained from the contravention, or 30 per cent of adjusted turnover for the relevant period. For less serious contraventions, including having a privacy policy that does not comply with the Australian Privacy Principles, penalties of up to $66,000 apply.
Do I need a privacy policy if I run a small business?
Yes. From December 2026, all businesses covered by the Privacy Act must have an APP-compliant privacy policy that is available to the public. This document must explain how the business collects, uses, stores, and discloses personal information, and how individuals can access their data or make a complaint.
What is the Notifiable Data Breaches scheme?
The NDB scheme requires businesses to notify both the OAIC and affected individuals when a data breach occurs that is likely to result in serious harm. This obligation will extend to newly covered small businesses from December 2026, meaning you need a breach response plan in place before that date.
What are automated decision-making transparency obligations?
From 10 December 2026, businesses that use AI or algorithmic systems to make or significantly influence decisions about individuals must disclose this practice in their privacy policies. This applies to tools that automate pricing, eligibility assessments, content recommendations, marketing segmentation, and similar functions.
What are meaningful consent requirements?
Meaningful consent means that individuals must actively and explicitly agree to the collection and use of their personal information. Pre-ticked boxes, bundled consent buried in terms and conditions, and vague opt-in language are no longer sufficient. Consent must be informed, specific, voluntary, and easy to withdraw.
How can Otto IT help my business prepare?
Otto IT works with small and medium businesses across Australia to build secure, compliant IT environments. Our managed cybersecurity services include data security controls, access management, and breach detection that directly support Privacy Act compliance. You can also get in touch with our team to discuss your specific situation and what preparation looks like for your business.
Start Preparing Now
December 2026 is closer than it looks. Businesses that leave compliance preparation to the final months will face rushed decisions, higher costs, and greater risk of getting it wrong. The OAIC's current enforcement sweep is a direct signal that the regulator is watching the sector closely and building its capability to take action when businesses fall short. The good news is that Privacy Act compliance, approached methodically and with the right support, is achievable for businesses of any size. The key is to start the data audit, engage the right expertise, and build the framework before the deadline arrives rather than scrambling in its final weeks. If you want to understand what Privacy Act compliance means for your specific business and IT environment, book a conversation with our team. We will walk through your current setup, identify the gaps, and help you build a practical plan that fits your business and your budget.
Book a Privacy Compliance Consultation
Your IT Setup Checklist for Privacy Act Compliance
The Privacy Act Is Not Just a Legal Problem — It Is an IT Problem
Most Australian businesses treat Privacy Act compliance as something for the lawyers to sort out. They get a privacy policy drafted, put it on their website, and consider the job done. That approach misses the point entirely. The Privacy Act 1988, and specifically the Australian Privacy Principles that sit underneath it, places obligations on how personal information is collected, stored, accessed, and protected. Most of those obligations have a direct technical component that lives inside your IT systems.
If your IT setup is not configured to meet those obligations, no amount of policy documentation will protect you when something goes wrong. Privacy Act compliance for small businesses in Australia is not primarily a legal exercise; it is an IT configuration and process exercise that lawyers support rather than lead.
This guide is written for business owners, practice managers, and operations people who want to understand what their IT environment actually needs to look like to meet their Privacy Act obligations. No legal jargon. No unnecessary complexity. Just what you need to know.
What the Privacy Act Actually Requires From Your IT
The Australian Privacy Act applies to all businesses with an annual turnover of more than $3 million, as well as health service providers, businesses that trade in personal information, and certain other categories regardless of turnover. If you hold personal information about your clients, employees, or the public, there is a reasonable chance the Privacy Act applies to you.
The Australian Privacy Principles (APPs) set out 13 specific obligations. From an IT perspective, the most relevant are APP 1 (open and transparent management of personal information), APP 6 (use and disclosure), APP 11 (security of personal information), and APP 12 (access to personal information). APP 11 is particularly important because it requires organisations to take “reasonable steps” to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.
The phrase “reasonable steps” is doing a lot of heavy lifting in that sentence. The Office of the Australian Information Commissioner (OAIC) has published guidance on what reasonable steps looks like in practice, and it includes both physical and technical security measures. The technical measures are where most businesses have gaps.
The Notifiable Data Breach Scheme Explained Simply
The Notifiable Data Breach (NDB) scheme has been in force since 22 February 2018 and it fundamentally changes the consequences of a data breach for Australian businesses. Before the NDB scheme, a business could suffer a breach, quietly deal with it internally, and move on. That option no longer exists for entities covered by the Privacy Act.
Under the NDB scheme, if you have reasonable grounds to suspect that a breach may be likely to result in serious harm to any individual whose information is involved, you must assess it within 30 days of becoming aware of it. Once you believe the breach is an eligible data breach, you are required to notify both the affected individuals and the OAIC as soon as practicable; the 30 days is the limit on the assessment, not a grace period before notifying.
Serious harm is defined broadly. It includes physical, psychological, emotional, financial, and reputational harm. In practice, a breach involving health information, financial records, identity documents, or sensitive personal details is almost always going to meet the serious harm threshold.
The penalties have increased significantly following the 2022 amendments to the Privacy Act. A serious or repeated interference with privacy, which includes failing to meet NDB obligations, can result in a civil penalty for a body corporate of up to the greatest of $50 million, three times the value of the benefit obtained from the contravention, or, where that benefit cannot be determined, 30 per cent of adjusted turnover for the relevant period. That is not a theoretical risk; the OAIC has been actively investigating and taking enforcement action in recent years.
What this means practically is that your IT systems need to be configured to detect breaches quickly, contain them effectively, and provide the information needed to assess notification obligations. A business that takes three months to discover a breach is in a much worse position than one that detects it within 24 hours.
What “Reasonable Steps” Actually Means for Your IT Controls
The OAIC considers a range of factors when assessing whether reasonable steps were taken. These factors include the sensitivity of the information held, the potential harm if information is disclosed, the size and resources of the organisation, and the practicality of implementing particular measures. For most businesses that hold sensitive client data, the bar for reasonable steps is higher than most realise.
The OAIC’s guidance specifically references technical security measures including access controls, encryption, authentication, and network security. These are not optional nice-to-haves; they are baseline expectations for any organisation holding sensitive personal information.
The 5 IT Controls Every Business Needs for Privacy Act Compliance
1. Multi-Factor Authentication on All Accounts That Access Personal Data
Unauthorised access to systems that hold personal information is one of the most common causes of notifiable data breaches in Australia. Passwords alone are not sufficient protection. MFA creates a second barrier that significantly reduces the risk of account compromise. For Privacy Act compliance purposes, MFA should be enabled on email, cloud storage, CRM systems, HR systems, and any other platform that holds personal information about clients or employees. Not all MFA is equal: SMS and voice codes can be intercepted or phished, and push notifications can be approved by a tired user under a flood of prompts. Where the platform supports it, prefer an authenticator app with number matching or a phishing-resistant method such as FIDO2 security keys or passkeys, and enrol administrator accounts first, since those are the ones an attacker wants most.
2. Role-Based Access Control and the Principle of Least Privilege
Not everyone in your organisation needs access to all personal information. A marketing coordinator does not need access to payroll records. A receptionist does not need access to client financial data. Implementing role-based access controls means that each person only has access to the data their role requires. This directly reduces the attack surface and limits the scope of a potential breach: a phished receptionist account cannot export the financial records it was never allowed to read. It also addresses the insider threat, which is a more common cause of data breaches than most businesses acknowledge. Least privilege drifts unless it is maintained, so review access whenever someone changes role or leaves, and remove accounts and permissions that are no longer used.
3. Encryption of Personal Data at Rest and in Transit
Personal information that is stored on devices or transmitted across networks should be encrypted. This applies to laptops, mobile devices, cloud storage, email containing sensitive data, and any database that holds personal information. Encryption at rest means that if a device is lost or stolen, or a backup or disk image is copied, the data cannot be read without the encryption key; encryption in transit means TLS on every connection that carries personal information, including integrations between your own systems. Be clear about the limit: encryption at rest does nothing against an attacker who signs in with a phished password and reads the data through the application, which is why it pairs with MFA and access control rather than replacing them. Most modern operating systems and cloud platforms support encryption natively, but it often needs to be explicitly enabled and configured correctly.
4. A Documented Data Breach Response Process
When a breach occurs, the clock starts immediately. If your team has never discussed what to do, the first 24 to 48 hours will be chaotic, decisions will be made under pressure, and the response will be slower and less effective than it needs to be. A documented breach response process identifies who is responsible for what, how breaches are identified and contained, how the harm assessment is conducted, and how notifications are prepared. This process does not need to be complex, but it needs to exist and your team needs to know about it.
5. Regular Security Monitoring and Logging
You cannot respond to a breach you do not know about. Security monitoring means having visibility into what is happening on your systems: who is logging in, what data is being accessed, and whether there are unusual patterns of activity. Log retention is also important because investigations and OAIC inquiries may require you to produce evidence of what happened and when, and the NDB harm assessment depends on knowing which records were actually touched. At a minimum, keep authentication, administrative and data-access logs, store them where an attacker on a compromised system cannot edit or delete them, and retain them for a defined period; cloud platforms often keep audit logs for only a short default period, so retention usually needs to be extended or the logs exported. Many businesses have no logging in place at all, which creates significant problems when a breach needs to be investigated.
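As an added example (not Otto IT's code and not from the page), the following Python puts controls 2 and 5 together: a role-based access gate that enforces least privilege and writes every allow or deny decision to an audit trail, followed by three detections a small business could run over that trail. The role names, permissions, user names, record identifiers and the activity in build_sample_log are all constructed for the demonstration, and the business-hours window and thresholds are assumptions you would tune to your own operation.

```python
"""Least-privilege access gate with an audit trail, plus detections run over that trail.
Added example, not Otto IT's code; roles, users, records, hours and activity are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time

# Each role gets only the permissions its job needs. Payroll and client financial
# data are deliberately absent from the front-of-house and marketing roles.
ROLE_PERMISSIONS = {
    "receptionist": {"contacts:read", "bookings:write"},
    "marketing": {"contacts:read", "campaigns:write"},
    "accounts": {"contacts:read", "client_financials:read", "client_financials:write"},
    "practice_manager": {"contacts:read", "contacts:write", "payroll:read", "client_financials:read"},
}

BUSINESS_HOURS = (time(7, 30), time(19, 0))   # assumed window; tune to your operation


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    role: str
    permission: str    # "<data set>:<action>", e.g. "payroll:read"
    record_id: str
    allowed: bool


@dataclass
class AccessGate:
    """Enforces the role table and records every decision, allowed or denied."""
    audit_log: list = field(default_factory=list)

    def check(self, ts, user, role, permission, record_id):
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(ts, user, role, permission, record_id, allowed))
        return allowed


def repeated_denials(events, threshold=3):
    """Users denied `threshold` or more times: privilege probing or a misassigned role."""
    denied = Counter(e.user for e in events if not e.allowed)
    return {u: n for u, n in denied.items() if n >= threshold}


def bulk_record_access(events, window_minutes=10, threshold=20):
    """Users who touched `threshold`+ distinct records inside a sliding window, the usual
    shape of a bulk export by a compromised account. Returns {user: largest count seen}."""
    by_user = defaultdict(list)
    for e in events:
        if e.allowed:
            by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while (evs[end].ts - evs[start].ts).total_seconds() > window_minutes * 60:
                start += 1
            distinct = len({e.record_id for e in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def after_hours_sensitive_access(events, sensitive=("payroll", "client_financials")):
    """Allowed access to sensitive data sets on a weekend or outside business hours."""
    hits = []
    for e in events:
        if not e.allowed or e.permission.split(":")[0] not in sensitive:
            continue
        t = e.ts.time()
        if e.ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            hits.append(e)
    return hits


def build_sample_log():
    """Constructed activity for a fictional practice; none of it is real data."""
    gate = AccessGate()
    wed = datetime(2026, 3, 4, 9, 0)            # a Wednesday morning
    for i in range(5):                          # ordinary receptionist lookups
        gate.check(wed.replace(minute=i), "sam", "receptionist", "contacts:read", f"C{i}")
    for i in range(3):                          # marketing user tries payroll: denied each time
        gate.check(wed.replace(hour=10, minute=i), "alex", "marketing", "payroll:read", "PAY-02")
    for i in range(25):                         # accounts user reads 25 records in about 6 minutes
        gate.check(wed.replace(hour=11, minute=i // 4, second=15 * (i % 4)), "jo", "accounts",
                   "client_financials:read", f"F{i}")
    # Saturday 23:40: permitted by the role table, but outside hours and worth a look.
    gate.check(datetime(2026, 3, 7, 23, 40), "pat", "practice_manager", "payroll:read", "PAY-02")
    return gate.audit_log


def run_detections(events):
    hits = after_hours_sensitive_access(events)
    return {"repeated_denials": repeated_denials(events),
            "bulk_access": bulk_record_access(events),
            "after_hours": [(e.user, e.permission, e.ts.isoformat()) for e in hits]}


if __name__ == "__main__":
    for name, found in run_detections(build_sample_log()).items():
        print(f"{name}: {found}")
```

Run it and the three detections flag the marketing user probing payroll, the accounts user reading 25 client financial records in a few minutes, and the weekend night-time payroll read. The denials are the point of logging both outcomes: a role table that silently refuses tells you nothing, while a recorded refusal is an early warning. The same checks apply to real audit exports from a CRM, practice-management system or cloud tenant once the fields are mapped, and the record identifiers in the trail are what the NDB harm assessment needs to work out who was affected.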
Otto IT’s managed cybersecurity services cover all five of these controls as part of a managed security programme. If your current IT provider is not actively managing these areas, your Privacy Act exposure is higher than it should be.
What Happens When a Business Breaches the Privacy Act
The OAIC investigates complaints from individuals and can also conduct commissioner-initiated investigations of its own. An investigation can be triggered by a complaint, by a notifiable data breach report, or by the OAIC’s own intelligence gathering. During an investigation, the OAIC can require a business to provide detailed information about its data handling practices, security controls, and incident response.
The outcomes of an OAIC investigation range from undertakings to improve practices, through to formal determinations and civil penalty proceedings. The reputational impact of a public determination or media coverage of a data breach can be significant for a professional services firm, where client trust is a core part of the business model.
Beyond the regulatory consequences, there is also the direct cost of a breach to consider. This includes forensic investigation costs, legal advice, notification costs, credit monitoring for affected individuals, and the time and resources consumed by the response. For a 30-person professional services firm, a serious breach can easily cost $100,000 to $300,000 all up.
Many businesses believe that because they are small, they are unlikely to be targeted or investigated. That belief is increasingly wrong. The OAIC has published multiple determinations involving small businesses, and cyber criminals specifically target small businesses because they tend to have weaker defences than large enterprises.
Building a Privacy-Ready IT Environment
Getting your IT environment to a Privacy Act-compliant standard is not a single project. It is an ongoing programme of configuration, monitoring, and improvement. The good news is that the foundational controls are well understood and can be implemented systematically with the right IT partner.
The starting point is always an assessment of your current state. What personal information do you hold, where is it stored, who has access to it, and what controls are currently in place? From that baseline, gaps can be identified and prioritised based on the sensitivity of the data and the practical risk they represent.
With managed IT support that includes ongoing security management, your controls stay active and documented over time rather than degrading as systems change and staff turn over. This is important because the Privacy Act does not just require controls to be in place at a point in time; it requires reasonable steps to be maintained on an ongoing basis.
The Bottom Line on Privacy Act Compliance for Australian Businesses
Privacy Act compliance for small businesses in Australia is not optional, it is not just a legal box to tick, and it is not something you can address by updating your privacy policy. It requires your IT systems to be configured correctly, your team to be trained on their obligations, and your breach response processes to be ready before something goes wrong.
The businesses that get this right are the ones that have invested in the right IT foundation, not the ones that have the most detailed privacy policy on their website.
Get a privacy-ready IT assessment from Otto IT. We will review your current controls against Privacy Act obligations, identify gaps, and give you a clear plan to close them. No legal jargon. No unnecessary complexity. Just what you need to know and what you need to do.