The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It represents the most significant change to Australian privacy law since the Privacy Act was introduced in 1988. For Australian small businesses that use software vendors โ€” which is almost every business โ€” these changes have direct, practical consequences.

This article explains what changed, what it means for your vendor relationships specifically, and what you should do right now.

Does the Privacy Act apply to your business? If your business has an annual turnover above $3 million, or if you handle health information, operate as a tax agent, or provide services under the AML/CTF regime (real estate, legal, accounting, conveyancing), the Privacy Act applies to you. From 1 July 2026, AML/CTF businesses are also covered for their data handling obligations.

What changed in 2024-2026

1. Strengthened security obligations

The amendment strengthened the requirement for businesses to take "reasonable steps" to protect personal information. What was previously a vague standard is now interpreted more strictly, and the Office of the Australian Information Commissioner (OAIC) has greater enforcement powers including higher fines.

What this means for vendor relationships: Simply signing a vendor contract and hoping they handle your data correctly is no longer sufficient. You need to demonstrate that you assessed the vendor's security posture before engaging them.

2. Statutory tort for serious privacy invasions

From June 2025, individuals can sue businesses directly for serious invasions of privacy โ€” through the courts, not just via the OAIC. This means if a vendor breach leads to your clients' data being exposed, those clients may now have a direct cause of action against your business.

3. Expanded breach notification obligations

The Notifiable Data Breaches scheme has been strengthened. The obligation to notify affected individuals and the OAIC applies even if the breach occurred at a vendor, not at your business directly. Your notification obligations begin when you become aware of the breach โ€” not when it's confirmed.

4. Consent requirements tightened

Bundled consents and vague "by continuing you agree" language are no longer sufficient. This affects how your vendors collect consent from your customers if they're doing so on your behalf.

The vendor relationship obligations you have right now

Under the Australian Privacy Principles, specifically APP 11, you are required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. This obligation extends to information you have shared with a vendor.

In plain English: if you give a software vendor access to your client data and they suffer a breach, the Privacy Act looks to you โ€” not just them โ€” for compliance. You need to be able to demonstrate that you:

The 5 things you need to do right now

Run all 13 checks automatically

Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ€” sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.

Check a vendor free โ†’

Free to view ยท $19.99 for the full report ยท No subscription

Special note for AML/CTF businesses (from 1 July 2026)

If your business provides designated services under the Anti-Money Laundering and Counter-Terrorism Financing Act โ€” which includes real estate agents, lawyers, accountants, and conveyancers โ€” the Privacy Act now applies to your AML/CTF data handling from 1 July 2026. This means your vendor assessment obligations apply to every software tool and service provider you use in connection with those designated services.

What "reasonable steps" means in practice

The OAIC has not published a prescriptive definition of "reasonable steps" โ€” it is assessed contextually. But the following are generally considered reasonable for a small business:

None of these require a legal team or a compliance department. They require about 30-40 minutes per vendor โ€” or 60 seconds with an automated tool.

The practical reality: The OAIC is unlikely to investigate a small business that can demonstrate it took the above steps. It is very likely to take a dim view of a small business that suffered a vendor breach and can show no evidence of having assessed the vendor at all.