Does Your Business Need a Privacy Policy? What’s Changing on 1 July 2026

Published: 23 March 2026 | Last updated: 28 March 2026 | Reading time: 8 minutes | Author: AyeTech Compliance & Security Team

Key Takeaways

  • New AML-CTF obligations from 1 July 2026: Accountants, lawyers, conveyancers, real estate agents, and dealers in high-value goods become regulated — and automatically lose the Privacy Act small business exemption
  • Over 100,000 small businesses will need a compliant privacy policy, data handling practices, and a breach response plan
  • This is not the full $3M exemption removal — but these sectors are first, and the rest are expected to follow
  • Penalties are serious: Up to $50 million, three times the benefit obtained, or 30% of adjusted turnover
  • Healthcare providers are already required to comply — if you’re in healthcare and don’t have a privacy policy, you’re already behind

What’s Changing on 1 July 2026

On 1 July 2026, major reforms to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML-CTF Act) come into effect. For the first time, the AML-CTF regime will extend to cover professions that have historically operated outside its scope — including accountants, lawyers, conveyancers, real estate agents, and dealers in high-value goods. Full details of the reform are available on the AUSTRAC AML/CTF Reform page.

Here’s what most business owners in these sectors don’t realise: when your business becomes regulated under the AML-CTF Act, you automatically lose the small business exemption under the Privacy Act 1988. It doesn’t matter what your turnover is. The OAIC has published specific guidance on how the Privacy Act applies to AML-CTF reporting entities. A sole practitioner turning over $200,000 a year is treated the same as a large firm. Once you’re an AML-CTF reporting entity, the full force of the Privacy Act applies to you.

This affects over 100,000 small businesses across Australia.

An important clarification: this is not the full removal of the $3 million small business exemption. That broader reform — sometimes called “Tranche 2” of the Privacy Act changes — has been recommended by the 2023 Privacy Act Review but is not yet legislated. However, the sectors covered by the AML-CTF expansion are the first wave. The direction of travel is clear, and the rest of the economy is expected to follow.

Who’s Affected

Newly covered from 1 July 2026 (AUSTRAC summary of obligations)

  • Lawyers and conveyancers — when providing certain services including property transactions, managing client funds, or assisting with company formation
  • Accountants — when providing financial services, tax advice, or managing financial transactions on behalf of clients
  • Real estate agents — when facilitating property sales and purchases
  • Dealers in high-value goods — jewellers, art dealers, precious metals dealers, and others when transactions exceed certain thresholds

Already required to comply (never had the exemption)

If your business falls into any of the following categories, you should already be complying with the Privacy Act — regardless of turnover (see the OAIC small business guidance for details):

  • Healthcare providers of any size (GPs, dentists, physiotherapists, psychologists, allied health — all of them)
  • Businesses with annual turnover above $3 million
  • Businesses that trade in personal information (data brokers, lead generators)
  • Businesses that handle Tax File Numbers (TFNs)
  • Credit reporting bodies
  • Government agencies and contractors

Why the Exemption Is Being Removed

The small business exemption dates back to the year 2000. At the time, most small businesses kept paper records and had minimal online presence. Cloud computing, e-commerce, digital marketing, and CRM platforms either didn’t exist or weren’t widely used. The exemption made sense in that context.

It no longer does. Today, even a two-person accounting firm collects and stores significant volumes of personal information — client names, addresses, dates of birth, TFNs, financial records, and identification documents — across cloud platforms, email systems, and practice management software.

There are several reasons this reform is happening now:

  • Australia is an international outlier. No comparable jurisdiction exempts small businesses from privacy obligations. The EU, UK, Canada, New Zealand, Japan, and Singapore all require businesses of every size to protect personal information.
  • Small businesses are disproportionately targeted. Research consistently shows that 71% of data breaches hit businesses with fewer than 250 employees. Smaller businesses typically have weaker security controls, less staff training, and no dedicated IT security function — making them attractive targets.
  • GDPR adequacy. Removing the exemption supports Australia’s pursuit of an adequacy determination from the European Union under the GDPR, which would simplify cross-border data transfers for Australian businesses.
  • The 2023 Privacy Act Review. The Attorney-General’s Department review produced 116 recommendations for modernising the Privacy Act. Removing the small business exemption was identified as a necessary reform to align Australia with international standards and close a significant gap in consumer protection.

The Legal Requirement for a Privacy Policy

Under Australian Privacy Principle (APP) 1.4, any business covered by the Privacy Act must have a clearly expressed and up-to-date privacy policy. The policy must be available free of charge to anyone who asks for it.

In practice, this means a dedicated, easily accessible page on your website. Not a PDF buried in a footer. Not a generic template copied from another industry. Your privacy policy needs to accurately reflect how your business collects, uses, stores, and shares personal information.

If you’re a conveyancing firm, your policy should describe the types of identification documents you collect and the property transaction data you handle. If you’re an accountant, it should cover how you manage TFNs, financial records, and client correspondence. If you’re a real estate agent, it should explain what buyer and seller information you collect and which platforms you store it on.

A privacy policy isn’t just a legal document — it’s a practical exercise that forces you to understand your own data handling. Many businesses discover gaps in their security and processes simply by going through the exercise of writing one.

What Your Privacy Policy Must Cover

The Australian Privacy Principles set out what your policy needs to address. In plain English, your privacy policy must explain:

  • What personal information you collect and why. Be specific. “We collect personal information” is not enough. List the types: names, addresses, dates of birth, identification documents, financial records, health information (if applicable), and anything else relevant to your services.
  • How you collect it. Directly from clients? From third parties such as referral partners or government agencies? Via your website through contact forms, analytics, or cookies?
  • What you do with it. Describe the purposes: providing your services, meeting legal obligations, sending communications, managing client relationships.
  • Who you share it with. This includes software providers, cloud platforms, third-party services, regulatory bodies, and professional associations. If you use a cloud-based practice management system, that’s a disclosure. If your CRM is hosted overseas, that’s a disclosure.
  • How you store and secure it. Describe the security measures you have in place — encryption, access controls, staff training, backup procedures.
  • How someone can access or correct their information. You must provide a process for individuals to request access to the personal information you hold about them, and to request corrections if it’s inaccurate.
  • How you handle complaints. Include a clear complaints process and note that individuals can also complain to the Office of the Australian Information Commissioner (OAIC).
  • Whether information is disclosed overseas. If you use cloud services hosted in the United States, Europe, or other countries, you need to state this and identify the countries where data may be stored or accessed.

Healthcare Providers — Already Required

Healthcare providers have never had the small business exemption. Every GP clinic, dental practice, physiotherapy studio, psychology practice, and allied health provider — regardless of size or turnover — is required to comply with the Privacy Act and the Australian Privacy Principles.

Healthcare providers also face additional obligations because health information is classified as sensitive information under the Privacy Act. This means:

  • You need explicit consent to collect health information (not just implied consent)
  • There are tighter restrictions on how you can use and disclose it
  • You must comply with mandatory record retention periods set by state and territory health records legislation
  • You face higher scrutiny from the OAIC in the event of a data breach

Despite these long-standing obligations, many medical and allied health practices still don’t have a compliant public privacy policy. Some have no policy at all. Others have a generic template that doesn’t reflect their actual data practices.

If you’re in healthcare and you don’t have an accurate, published privacy policy, you’re not preparing for a future requirement — you’re catching up on an existing one.

Notifiable Data Breaches

Once your business is covered by the Privacy Act, you’re also subject to the Notifiable Data Breaches (NDB) scheme. This means that if your business experiences an eligible data breach, you must notify both the OAIC and the affected individuals.

An eligible data breach occurs when:

  • There is unauthorised access to, or disclosure of, personal information (or it is lost in circumstances where access or disclosure is likely)
  • A reasonable person would conclude that the breach is likely to result in serious harm to any of the affected individuals

Examples include a ransomware attack that exposes client records, an employee emailing a spreadsheet of client data to the wrong person, a stolen laptop containing unencrypted client files, or a compromised cloud account.

Having a documented privacy policy and clear data handling practices makes breach response significantly easier. If you already know what data you hold, where it’s stored, and who has access, you can assess the scope of a breach quickly and meet your notification obligations within the required timeframe. Without that documentation, a breach becomes a scramble — and the OAIC takes a dim view of organisations that can’t demonstrate they understood their own data environment.

Practical Steps to Get Ready Before 1 July

As of March 2026, you have roughly 100 days. AUSTRAC has published sector-specific starter kits to help you get started. Here’s what to do:

  1. Audit what personal information you collect. Map out every type of personal information your business handles — client data, employee records, supplier contacts, website visitor data. Document where each type is stored and who has access to it.
  2. Write and publish a privacy policy on your website. Make it a dedicated, easily findable page. Write it in plain English. Make sure it accurately reflects your actual practices, not an aspirational version of them.
  3. Review your software stack. Look at every system that touches personal data: practice management software, CRM, cloud storage, email, accounting software, document management, and communication platforms. Document what data each system holds and where it’s hosted.
  4. Implement a data breach response plan. Document how you will identify, contain, assess, and report a data breach. Assign roles and responsibilities. Practice the process before you need it.
  5. Train your staff. Every person who handles personal information needs to understand the basics: what they can and can’t do with client data, how to spot a potential breach, and who to report it to.
  6. Review contracts with third-party vendors. Check that your software providers, cloud services, and outsourced service providers have appropriate data handling and security clauses in their contracts.
  7. Consider cyber insurance. A data breach can be expensive — investigation costs, legal fees, notification costs, and potential regulatory penalties. Cyber insurance can help manage that risk.

Penalties

The penalty regime for serious or repeated privacy breaches is significant. Civil penalties can reach the greater of:

  • $50 million
  • Three times the benefit obtained from the breach
  • 30% of adjusted turnover during the relevant period

Whichever amount is greatest applies. The OAIC can investigate complaints, conduct assessments, issue determinations requiring specific actions, and seek court-enforceable orders. Even without reaching the maximum penalty, an OAIC investigation is disruptive, expensive, and damaging to your reputation.

For most small businesses, the real risk isn’t a $50 million fine — it’s the combination of regulatory scrutiny, reputational damage, loss of client trust, and the cost of remediation after a breach that could have been prevented.

Don’t Wait Until July

Compliance isn’t just about avoiding penalties. A clear privacy policy and strong data handling practices build client trust. They demonstrate professionalism. They reduce the risk and cost of a data breach. And increasingly, enterprise clients and government procurement processes require evidence of privacy compliance from their suppliers and service providers.

If you’re an accountant, lawyer, conveyancer, real estate agent, or dealer in high-value goods, 1 July 2026 is your deadline. But the work involved — auditing your data, reviewing your systems, writing a policy, training your staff — takes time. Starting now means you can do it properly rather than rushing to tick a box.

If you’re in healthcare, you should already have this in place. If you don’t, treat this as your prompt to act.

Talk to your IT provider or privacy consultant. The technical side — understanding where your data lives across cloud platforms, implementing encryption, setting up breach detection and response tooling, and ensuring your software stack is properly configured — is where most businesses need the most help. A data audit is the natural starting point, and your IT provider can help you map your systems, identify gaps, and build the documentation you need to support a compliant privacy policy.

The deadline is fixed. The work starts now.

Do You Know Where All Your Client Data Is Stored?

If you are an existing AyeTech client, reach out and we can conduct a data audit to map exactly where your personal information is stored, identify gaps in your compliance posture, and help you build a privacy policy that reflects your actual data practices.

Not yet an AyeTech client? We offer a full cyber security audit for businesses preparing for the Privacy Act changes — covering your entire software stack, cloud infrastructure, data flows, and breach readiness.

Or call us on 02 9188 8000 to speak with a compliance and security specialist today.

About AyeTech

AyeTech is a Sydney-based managed IT services provider specialising in cyber security, compliance support, and IT infrastructure for Australian small and medium businesses. We help businesses understand where their data is stored, implement appropriate security controls, and build the technical foundations for Privacy Act compliance.

Contact Information:

  • Phone: 02 9188 8000
  • Address: Suite 203, Level 8, 99 Walker St, North Sydney, NSW 2060
  • Service Areas: Sydney, Melbourne, Brisbane, Perth, Adelaide