
Privacy Act reforms take effect: What does this mean for construction businesses?


By Adrian Di Bello, Nisha Long, Maya Sathiamoorthy

Over the last decade, privacy law has lagged behind as our personal data and decision-making capacity have become intertwined with AI and online databases. Australian construction businesses increasingly use automated systems and are legally required to collect sensitive personal data to maintain work health and safety, to facilitate payments, or to investigate and mitigate delays or disputes. Reforms to the Privacy Act address the gap between the law and the technology. They are designed to ensure that government agencies and organisations protect the personal information they collect or share, and they hold those institutions accountable under new federal requirements. In this newsletter we give an overview of the recently passed Privacy and Other Legislation Amendment Bill 2024 (the Bill), aiming to equip readers with an understanding of the implications of these significant reforms to privacy and data security legislation.

Why was the Bill introduced?

The Bill is a timely and critical update to Australia’s privacy framework, addressing the challenges posed by rapid advances in digital technology. The existing Privacy Act has been criticised for failing to keep pace with technological progress, which has greatly expanded the opportunities for sharing personal information. The reforms introduced by the Bill aim to protect the privacy of individuals and their personal information. The Bill also strengthens the monitoring and investigative powers of the Australian Information Commissioner (the Commissioner).

Key amendments which might be relevant to your business

  1. New Statutory Cause of Action for Serious Invasions of Privacy

(Effective from the 10th of June 2025.)

Schedule 2 of the Bill gives individuals a cause of action for serious invasions of privacy; courts will be able to award plaintiffs damages or other remedies where appropriate. There are exemptions for State and Territory authorities and their staff where the invasion of privacy occurs in good faith in the performance of the authority’s functions and within its powers, and for invasions that are required or authorised by law. The new tort places personal privacy at the foundation of its purpose: a plaintiff must show that the public interest in their privacy outweighs any countervailing public interest.

  2. Anti-doxxing measures

(Commencement date not specified.)

Schedule 3 of the Bill amends the Criminal Code to add two new doxxing offences. The new sections make it an offence to use a carriage service to distribute the personal data of an individual, or of one or more members of a group, in a way that is menacing or harassing. ‘Personal data’ is defined in the legislation and includes an individual’s name, photographs of the individual, contact details, home and work addresses, and places of education and worship. The offences carry penalties of up to 7 years’ imprisonment. They reinforce existing secrecy provisions, duties of confidence and Australian Privacy Principle (APP) codes by adding criminal liability for the malicious disclosure of personal information. However, bodies such as the Australian Human Rights Commission have raised concerns that the offences may unintentionally capture journalism and public-interest whistleblowing.

  3. Automated decision-making

(Effective from the 10th of December 2026)

If your business uses automated decision-making to vet job applicants or process payments, these new rules could change how you operate. The Bill aims to protect personal information as automated decision-making becomes far more common. Automated decision-making means using a computer program either to make a decision entirely without a human decision-maker or to directly assist a human decision-maker. ‘Computer program’ is not defined in the Bill, but the explanatory memorandum explains that the term is intended to “encompass a broad range of matters, including pre-programmed rule-based processes, artificial intelligence and machine learning processes.” It also gives an example to illustrate the breadth of the term: “(using) Microsoft Excel … to generate a score about an individual that (is) a key factor in a human-decision maker making the decision”.

A further threshold is whether the decision could reasonably be expected to significantly affect the rights or interests of an individual. ‘Interests’ is again not clearly defined, which leaves courts room to apply the test flexibly to individual circumstances and rapidly evolving technology. The Bill provides a non-exhaustive list of decisions that may meet this threshold, such as decisions that affect an individual’s rights under a contract, agreement or arrangement, decisions that affect an individual’s access to a significant service or support, and decisions made under an Act about the provision of a benefit to an individual.

  4. Data breach declarations

Section 26X of the Privacy Act, inserted by the Bill, allows the Minister to make a ‘data breach declaration’, a formal statement with respect to an entity. To do so, the Minister must be satisfied that the declaration is necessary to prevent or reduce a risk of harm arising from the misuse of personal information, for example fraud or identity theft. Once made, the declaration enables specific actions: for example, it can allow entities to collect, use or disclose personal information in ways that would not otherwise be permitted, in order to prevent further misuse. The permitted purposes, set out in s 26X(4)-(5), are:

(a) preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018), fraud, scam activity or identity theft;
(b) responding to a cyber security incident, fraud, scam activity or identity theft;
(c) responding to the consequences of a cyber security incident, fraud, scam activity, identity crime and misuse, including financial loss, emotional and psychological harm, family violence, and physical harm or intimidation;
(d) addressing malicious cyber activity.

An entity acting under a declaration has certain legal protections: it is not liable for breaching secrecy provisions (other than designated secrecy provisions), duties of confidence, or the APPs or an APP code when collecting, using or disclosing personal information for a permitted purpose.

  5. Overseas Dataflows and Whitelist Powers

(Effective since the 11th of December 2024)

Does your business send personal data overseas? If so, this provision regulates how Australian businesses share personal information with overseas recipients. The Bill introduces a mechanism under which countries whose privacy laws provide an adequate level of protection, comparable to Australia’s, can be ‘whitelisted’. Businesses can then disclose personal information to recipients in whitelisted countries without the additional steps otherwise required for overseas disclosures. This reduces compliance burdens and barriers to information sharing, but it only assists once a country has actually been whitelisted; disclosures to recipients elsewhere remain subject to the existing overseas-disclosure rules.

  6. Powers to Issue Infringement and Compliance Notices and Civil Penalties

(Effective since the 11th of December 2024)

The Office of the Australian Information Commissioner (OAIC) has been given new powers to issue compliance notices as an alternative to seeking civil penalty orders. Failure to comply with a compliance notice may result in an infringement notice and civil penalties. The Commissioner can also require information from APP entities about actual or suspected data breaches, conduct compliance assessments under the data breach scheme, and has a greater ability to investigate and resolve privacy breaches. These powers give the OAIC more flexibility in addressing breaches, allowing more case-specific enforcement.

How do we respond to these reforms?

  • Review your data collection, storage and disclosure practices, and ensure your privacy policies align with the new requirements.
  • Train employees who handle personal data so that they understand their obligations under the reformed Privacy Act.
  • Identify where your business uses AI or automated decision-making in decisions that could significantly affect an individual’s rights or interests (for example, vetting job applicants or processing payments), and monitor how those systems are used.
  • Prepare for potential legal action by consulting Crisp Law; the new rights and offences under the reforms mean that businesses must be increasingly careful with data handling.

Contact Crisp Law for advice and information at:

Telephone: +61 2 8042 8701

Email: admin@crisplaw.com.au
