The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It represents the most significant change to Australian privacy law since the Privacy Act was introduced in 1988. For Australian small businesses that use software vendors โ which is almost every business โ these changes have direct, practical consequences.
This article explains what changed, what it means for your vendor relationships specifically, and what you should do right now.
Does the Privacy Act apply to your business? If your business has an annual turnover above $3 million, or if you handle health information, operate as a tax agent, or provide services under the AML/CTF regime (real estate, legal, accounting, conveyancing), the Privacy Act applies to you. From 1 July 2026, AML/CTF businesses are also covered for their data handling obligations.
What changed in 2024-2026
1. Strengthened security obligations
The amendment strengthened the requirement for businesses to take "reasonable steps" to protect personal information. What was previously a vague standard is now interpreted more strictly, and the Office of the Australian Information Commissioner (OAIC) has greater enforcement powers including higher fines.
What this means for vendor relationships: Simply signing a vendor contract and hoping they handle your data correctly is no longer sufficient. You need to demonstrate that you assessed the vendor's security posture before engaging them.
2. Statutory tort for serious privacy invasions
From June 2025, individuals can sue businesses directly for serious invasions of privacy โ through the courts, not just via the OAIC. This means if a vendor breach leads to your clients' data being exposed, those clients may now have a direct cause of action against your business.
3. Expanded breach notification obligations
The Notifiable Data Breaches scheme has been strengthened. The obligation to notify affected individuals and the OAIC applies even if the breach occurred at a vendor, not at your business directly. Your notification obligations begin when you become aware of the breach โ not when it's confirmed.
4. Consent requirements tightened
Bundled consents and vague "by continuing you agree" language are no longer sufficient. This affects how your vendors collect consent from your customers if they're doing so on your behalf.
The vendor relationship obligations you have right now
Under the Australian Privacy Principles, specifically APP 11, you are required to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. This obligation extends to information you have shared with a vendor.
In plain English: if you give a software vendor access to your client data and they suffer a breach, the Privacy Act looks to you โ not just them โ for compliance. You need to be able to demonstrate that you:
- Assessed the vendor before engaging them
- Put appropriate contractual protections in place
- Have a breach notification process that includes vendor incidents
The 5 things you need to do right now
- Audit your current vendors: List every software tool and service provider that has access to personal information about your clients or employees. This includes cloud accounting, HR systems, CRM, email platforms, and payroll providers.
- Check each vendor's security posture: Run at minimum a breach history check, sanctions check, and review their privacy policy for data residency and breach notification commitments. For higher-risk vendors, run the full 15-point checklist.
- Update your contracts: Add breach notification clauses (72-hour notification requirement aligned with the NDB scheme) and data deletion obligations (APP 11.2) to any contracts that don't already have them.
- Establish a vendor breach response process: If a vendor notifies you of a breach, you need to know what to do โ how to assess severity, when to notify the OAIC, and how to communicate with affected individuals.
- Document everything: Keep records of your vendor assessments. If the OAIC investigates a breach, being able to demonstrate that you ran checks and implemented protections is the difference between a reprimand and a fine.
Run all 13 checks automatically
Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.
Check a vendor free โFree to view ยท $19.99 for the full report ยท No subscription
Special note for AML/CTF businesses (from 1 July 2026)
If your business provides designated services under the Anti-Money Laundering and Counter-Terrorism Financing Act โ which includes real estate agents, lawyers, accountants, and conveyancers โ the Privacy Act now applies to your AML/CTF data handling from 1 July 2026. This means your vendor assessment obligations apply to every software tool and service provider you use in connection with those designated services.
What "reasonable steps" means in practice
The OAIC has not published a prescriptive definition of "reasonable steps" โ it is assessed contextually. But the following are generally considered reasonable for a small business:
- Checking the vendor's breach history before engaging
- Verifying the vendor's basic security controls (SSL, email authentication)
- Including a breach notification clause in the contract
- Including a data deletion clause covering contract termination
- Reviewing the vendor's privacy policy for data residency and sub-processor disclosures
None of these require a legal team or a compliance department. They require about 30-40 minutes per vendor โ or 60 seconds with an automated tool.
The practical reality: The OAIC is unlikely to investigate a small business that can demonstrate it took the above steps. It is very likely to take a dim view of a small business that suffered a vendor breach and can show no evidence of having assessed the vendor at all.