Skip to main content
FairWorkMate

The HR & Payroll Data to Lock Down Before Australia's 2026 Privacy Changes

|2 min read

Privacy obligations are tightening for Australian businesses in 2026. Here's what's actually changing, why your HR and payroll data is the highest-risk information you hold, and the concrete steps to get ready now.

TK

Small Business & Compliance Writer · Former small business owner · Cert IV in Small Business Management

What's actually changing for business privacy in 2026?

Two concrete changes are worth an employer's attention. First, from 1 July 2026, Tranche 2 of the AML/CTF reforms extends anti-money-laundering obligations to new "designated services" — including real estate agents, buyer's agents, property developers, lawyers and accountants. The OAIC estimates more than 100,000 small businesses will, for the first time, have to comply with the Privacy Act for the personal information they handle in connection with those AML/CTF obligations — the long-standing small-business exemption (turnover under $3 million) won't cover it.

Second, the statutory tort for serious invasions of privacy is now in force. Crucially, it applies regardless of whether you're formally covered by the Privacy Act — an individual can sue an entity for a serious invasion of privacy, exemption or not. Note: separate proposals to remove the broader small-business and employee-records exemptions have been discussed but are not yet law — so plan for the direction of travel, not a specific repeal date.

Why HR and payroll data is your highest-risk information

Whatever your exemption status, the data you hold on your own staff is the most sensitive you'll ever handle: tax file numbers, bank account details, superannuation, dates of birth, home addresses, and often health information and disciplinary records. A breach of this data isn't just embarrassing — TFNs and bank details are exactly what identity thieves want, and payroll systems are a known target for business email compromise and ransomware.

That's why the smart move — regardless of exactly which reform lands when — is to treat your HR and payroll files as if they're already in scope. If a breach happens, "we were technically exempt" is not a comfortable place to stand in front of your staff or a court.

The Notifiable Data Breaches scheme

If you are covered by the Privacy Act and a data breach is likely to result in serious harm, the Notifiable Data Breaches (NDB) scheme requires you to notify the affected individuals and the OAIC. For HR/payroll data, "serious harm" is easy to reach — leaked TFNs and bank details clear that bar readily. Being able to detect, contain and report a breach quickly is the difference between a managed incident and a crisis.

The controls to get ready now

You don't need to wait for the final shape of the reforms. The controls that matter are the same either way: encrypt HR and payroll data at rest; apply role-based access so only the people who need it can open it; turn on audit logging and data-loss-prevention (DLP) so you can see and stop sensitive data leaving; enforce multi-factor authentication on every account that touches it; and keep tested backups. A short privacy policy and a documented breach-response plan round it out.

The HR/legal side of this — knowing what data you hold and why — is manageable in-house. The technical controls (encryption, DLP, access logging, MFA, backup, breach detection) are where most businesses need specialist help. Our IT partner Frontrow Tech handles Essential 8 cyber and Microsoft 365 security for Australian businesses if you want your HR data locked down before the deadlines bite. General information only — not legal advice.

Have a workplace question?

Got a specific situation this article didn't cover? Ask our workplace advisor.

Ask FairWork Mate AI

General information and estimates only — not legal, financial or tax advice. Always check your specific award, agreement or contract, or a qualified professional, before you rely on the result.

TK
About Tom Kirkwood

Ran Kirkwood Landscaping in Bendigo for eight years before moving into trade supply operations. Writes about Modern Award compliance, employer obligations, and contractor classification from an operator's perspective. Cert IV in Small Business Management (La Trobe TAFE Bendigo, 2014). Based in Kangaroo Flat, Victoria.

Recommended partners

Free tools surface the issue. Our partners help you solve it.

Authorised Employment Hero Partner

Employment Hero

Australian HR, payroll, rostering and award interpretation in one platform. Used by 300,000+ businesses. Fixes the underlying payroll/compliance issues our calculators surface.

Best for: SMEs that have outgrown spreadsheet payroll or want automated award interpretation.

See Employment Hero

HR support partner

Liquid HR

Senior, hands-on HR support for your toughest workforce challenges — performance and conduct, grievances and mediation, redundancy and change. Liquid HR picks up where the technology ends.

Best for: employers and individuals who need a human HR professional to guide a workplace situation, not just a calculator.

Talk to Liquid HR

IT, Microsoft & cyber partner

Frontrow Tech

Microsoft 365, Copilot rollouts, Essential Eight, Privacy Act 2026 and board-level cyber compliance for Australian SMBs. Where pay and HR end, your data and IT obligations begin.

Best for: SMBs running on Microsoft 365, anyone hitting cyber/privacy compliance, boards wanting an outside read on IT risk.

See Frontrow

Recommended partners — we only recommend partners we've vetted as a good fit for Australian workplaces. Some partnerships help fund the free tools on this site.