Get your privacy policy in order or risk a fine - new changes to data privacy and security laws now in effect

This article was originally published in AMA Victoria's VICDOC, Autumn 2025

Towards the end of last year, the Commonwealth Government enacted significant changes to Australia’s data privacy and security laws which have some interesting implications for healthcare providers.

Amendments to the Privacy Act

The first legislative change was a series of amendments to the Privacy Act 1988, which came into force on 10 December 2024. The Privacy and Other Legislation Amendment Act 2024 made a number of relatively minor amendments to the Privacy Act – but there are a couple which are particularly worth noting for healthcare providers.

The first is the new regime of penalties and fines under the Privacy Act. It may be surprising to learn that until now, only serious or repeated breaches of the Privacy Act were punishable by monetary penalties, and the Office of the Australian Information Commissioner (OAIC) had to apply to the Federal Court to seek to impose a penalty. As a result, it was exceedingly rare for the OAIC to seek penalties against anyone.

Now, any breach of the Privacy Act – serious or not – can attract a penalty. Further, the Privacy Act now gives the OAIC the power to issue infringement notices imposing administrative fines of up to A$330,000 for certain minor breaches of the Privacy Act, without going to court – like a parking ticket for privacy offences. Breaches which can attract an administrative fine include:

  • not having a privacy policy which complies with the requirements of the Privacy Act;
  • not providing an “opt-out” on direct marketing communications;
  • not giving effect to a request by an individual to opt-out of direct marketing communications; and
  • not responding to a request by an individual to correct their personal information within a reasonable period.

As the OAIC does not need to go to court to issue an infringement notice, we expect this is a power the OAIC will use regularly to make an example of non-compliant businesses. Accordingly, we recommend that all healthcare providers get their privacy policy in order and check that they comply with the other basic requirements of the Privacy Act listed above.

The second amendment worth noting is that organisations which use automated processes to make decisions that could significantly affect the rights or interests of individuals are now required to include details about their use of automated decision-making in their privacy policy. “Automated decisions” are not limited to wholly automated decisions; they also include any process in which a computer does something that is substantially and directly related to making a decision. This could include processes which involve humans, if the human generally follows the recommendations of the computer. Healthcare providers will need to consider whether they use automated decision-making in any area of their business – for example, in assessing job applications. To give businesses time to amend their privacy policies, this requirement will not come into effect until 10 December 2026.

The new Cyber Security Act

The second legislative change is a new law, the Cyber Security Act 2024 (Cth). The Cyber Security Act is the first Australian law specifically designed to strengthen cyber security across the whole of the Australian public and private sectors. The Cyber Security Act introduces a new requirement that is relevant to large healthcare providers who experience a cyber security incident.

The Cyber Security Act requires organisations which suffer a cyber security incident and make a ransom payment to the hacker to report that payment to the Australian Signals Directorate within 72 hours of making the payment. While payments to hackers are most commonly made in response to a ransomware attack, the requirement applies to any cyber security incident in which a ransom is paid – for example, it would also apply where a ransom is paid to stop stolen data being published by the hacker.

The report must include details of the incident, the amount of the payment, and details of any communications with the threat actor. To encourage compliance with this reporting requirement, the Cyber Security Act also contains restrictions on how the information in these reports may be used. In particular, information provided under the Cyber Security Act may not be used to investigate or take enforcement action in relation to the contravention of any law by the organisation, and may not be used as evidence in any civil or criminal proceeding.

The ransom payment reporting obligation comes into effect from 29 May 2025, and will only apply to organisations with an annual turnover above a specified threshold, which is proposed to be A$3 million. Any organisation that fails to notify a ransom payment may be subject to a penalty of up to A$19,800.