The HR & Payroll Data to Lock Down Before Australia's 2026 Privacy Changes
Privacy obligations are tightening for Australian businesses in 2026. Here's what's actually changing, why your HR and payroll data is the highest-risk information you hold, and the concrete steps to get ready now.
Small Business & Compliance Writer · Former small business owner · Cert IV in Small Business Management
What's actually changing for business privacy in 2026?
Two concrete changes are worth an employer's attention. First, from 1 July 2026, Tranche 2 of the AML/CTF reforms extends anti-money-laundering obligations to new "designated services" — including real estate agents, buyer's agents, property developers, lawyers and accountants. The OAIC estimates more than 100,000 small businesses will, for the first time, have to comply with the Privacy Act for the personal information they handle in connection with those AML/CTF obligations — the long-standing small-business exemption (turnover under $3 million) won't cover it.
Second, the statutory tort for serious invasions of privacy is now in force. Crucially, it applies regardless of whether you're formally covered by the Privacy Act — an individual can sue an entity for a serious invasion of privacy, exemption or not. Note: separate proposals to remove the broader small-business and employee-records exemptions have been discussed but are not yet law — so plan for the direction of travel, not a specific repeal date.
Why HR and payroll data is your highest-risk information
Whatever your exemption status, the data you hold on your own staff is the most sensitive you'll ever handle: tax file numbers, bank account details, superannuation, dates of birth, home addresses, and often health information and disciplinary records. A breach of this data isn't just embarrassing — TFNs and bank details are exactly what identity thieves want, and payroll systems are a known target for business email compromise and ransomware.
That's why the smart move — regardless of exactly which reform lands when — is to treat your HR and payroll files as if they're already in scope. If a breach happens, "we were technically exempt" is not a comfortable place to stand in front of your staff or a court.
The Notifiable Data Breaches scheme
If you are covered by the Privacy Act and a data breach is likely to result in serious harm, the Notifiable Data Breaches (NDB) scheme requires you to notify the affected individuals and the OAIC. For HR/payroll data, "serious harm" is easy to reach — leaked TFNs and bank details clear that bar readily. Being able to detect, contain and report a breach quickly is the difference between a managed incident and a crisis.
The controls to get ready now
You don't need to wait for the final shape of the reforms. The controls that matter are the same either way: encrypt HR and payroll data at rest; apply role-based access so only the people who need it can open it; turn on audit logging and data-loss-prevention (DLP) so you can see and stop sensitive data leaving; enforce multi-factor authentication on every account that touches it; and keep tested backups. A short privacy policy and a documented breach-response plan round it out.
The HR/legal side of this — knowing what data you hold and why — is manageable in-house. The technical controls (encryption, DLP, access logging, MFA, backup, breach detection) are where most businesses need specialist help. Our IT partner Frontrow Tech handles Essential 8 cyber and Microsoft 365 security for Australian businesses if you want your HR data locked down before the deadlines bite. General information only — not legal advice.
Try these free tools
Official resources
Have a workplace question?
Got a specific situation this article didn't cover? Ask our workplace advisor.
General information and estimates only — not legal, financial or tax advice. Always check your specific award, agreement or contract, or a qualified professional, before you rely on the result.
Related articles
Step-by-step guide if your employer isn't paying super. How to check via myGov, report to the ATO, and what enforcement powers exist for unpaid super.
Can My Employer Change My Roster Without Notice? (Know Your Rights)Your employer must give 7 days' notice for roster changes under most awards. Here's when you can say NO — plus what to do if they change your hours without asking.
Payslip Requirements Australia — What Your Employer MUST Include (Checklist)Australian payslips must include 12 mandatory items or your employer faces fines up to $19,800 per violation. Full checklist: ABN, gross/net pay, super, tax withheld, leave balances, and more. Free 30-second compliance checker.
Being Bullied at Work? Here's What to Do (Step-by-Step Guide)If you're experiencing workplace bullying in Australia, you have legal protections. Step-by-step: how to document it, report it, apply for a stop bullying order, and get help.
Ran Kirkwood Landscaping in Bendigo for eight years before moving into trade supply operations. Writes about Modern Award compliance, employer obligations, and contractor classification from an operator's perspective. Cert IV in Small Business Management (La Trobe TAFE Bendigo, 2014). Based in Kangaroo Flat, Victoria.
Recommended partners
Free tools surface the issue. Our partners help you solve it.
Authorised Employment Hero Partner
Employment Hero
Australian HR, payroll, rostering and award interpretation in one platform. Used by 300,000+ businesses. Fixes the underlying payroll/compliance issues our calculators surface.
Best for: SMEs that have outgrown spreadsheet payroll or want automated award interpretation.
See Employment HeroHR support partner
Liquid HR
Senior, hands-on HR support for your toughest workforce challenges — performance and conduct, grievances and mediation, redundancy and change. Liquid HR picks up where the technology ends.
Best for: employers and individuals who need a human HR professional to guide a workplace situation, not just a calculator.
Talk to Liquid HRIT, Microsoft & cyber partner
Frontrow Tech
Microsoft 365, Copilot rollouts, Essential Eight, Privacy Act 2026 and board-level cyber compliance for Australian SMBs. Where pay and HR end, your data and IT obligations begin.
Best for: SMBs running on Microsoft 365, anyone hitting cyber/privacy compliance, boards wanting an outside read on IT risk.
See FrontrowRecommended partners — we only recommend partners we've vetted as a good fit for Australian workplaces. Some partnerships help fund the free tools on this site.