What the reforms change
The Privacy Act reform package (the first tranche enacted in December 2024, plus the further changes the government has agreed to in principle) expands the definition of personal information, introduces a statutory tort for serious invasions of privacy, gives individuals new rights (erasure, objection to direct marketing, explanations of automated decisions that affect them), requires collection and use to be 'fair and reasonable' rather than merely consented to, and significantly increases the OAIC's enforcement capability. The maximum civil penalty for a serious interference with privacy is the greater of $50M, three times the value of the benefit obtained, or, where that benefit cannot be determined, 30 percent of adjusted turnover during the breach turnover period; the 2024 amendments also added lower penalty tiers for less serious contraventions, so enforcement no longer depends on proving the top-tier case.
What 'reasonable steps' looks like in 2026
The reforms tighten the expectation of what counts as 'reasonable steps' to protect personal information under APP 11. In practice this means encryption at rest and in transit; MFA enforced for every account that can reach personal information, not only administrators; Conditional Access policies that evaluate user, device, location and sign-in risk before granting access; sensitivity labels on documents containing personal information; retention policies with automatic disposal; DLP across SharePoint, OneDrive, Teams, Exchange and endpoints; and a documented incident response process for the NDB scheme. The Microsoft 365 stack covers all of this, but only if you turn it on, license it (Conditional Access needs Entra ID P1, and endpoint DLP and Insider Risk Management sit in the E5 or Purview add-on tiers) and verify that the policies actually apply to every user rather than to the groups someone happened to select.
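The gap that most often undermines the 'MFA for all access' claim is a Conditional Access policy that is in report-only mode, scoped to a group rather than All users, or that offers MFA as one option among several. The following PowerShell script is an added example and not Frontrow's tooling or anything from the original page; it enumerates the tenant's Conditional Access policies through Microsoft Graph and reports whether an enforced, tenant-wide, mandatory-MFA policy exists. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that you can consent to the Policy.Read.All scope.

```powershell
# Added example (not Frontrow's tooling): audit Conditional Access for MFA coverage
# of ordinary users, not just administrators.
# Assumes Microsoft.Graph.Identity.SignIns is installed and Policy.Read.All is granted.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy

$findings = foreach ($p in $policies) {
    $grant = $p.GrantControls
    $users = $p.Conditions.Users
    $apps  = $p.Conditions.Applications

    # MFA can be required either by the built-in 'mfa' control or by an
    # authentication strength (e.g. phishing-resistant MFA). Skip policies that do neither.
    $requiresMfa = (($grant.BuiltInControls -contains 'mfa') -or
                    (-not [string]::IsNullOrEmpty($grant.AuthenticationStrength.Id)))
    if (-not $requiresMfa) { continue }

    # With Operator = OR and more than one control, MFA is one option among several
    # ("MFA or compliant device"), not a hard requirement.
    $mfaOptional = (($grant.Operator -eq 'OR') -and (@($grant.BuiltInControls).Count -gt 1))

    # Every excluded user, group or role is an account that can reach data without MFA.
    $exclusions = @(@($users.ExcludeUsers) + @($users.ExcludeGroups) + @($users.ExcludeRoles) |
                    Where-Object { $_ })

    [pscustomobject]@{
        Policy      = $p.DisplayName
        State       = $p.State   # 'enabled', 'disabled' or 'enabledForReportingButNotEnforced'
        AllUsers    = ($users.IncludeUsers -contains 'All')
        AllApps     = ($apps.IncludeApplications -contains 'All')
        MfaOptional = $mfaOptional
        Exclusions  = $exclusions.Count
    }
}

$findings | Format-Table -AutoSize

# The baseline described above is at least one policy that is enforced (not
# report-only), targets All users on All cloud apps, makes MFA mandatory, and
# limits exclusions to documented break-glass accounts.
$tenantWide = @($findings | Where-Object {
    $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and -not $_.MfaOptional
})

if ($tenantWide.Count -eq 0) {
    Write-Warning 'No enforced tenant-wide MFA policy found; MFA coverage currently depends on per-group policies or Security Defaults.'
} else {
    $tenantWide | Where-Object { $_.Exclusions -gt 0 } | ForEach-Object {
        Write-Warning "Policy '$($_.Policy)' excludes $($_.Exclusions) object(s); confirm each is a documented break-glass account."
    }
}
```

Report-only policies show as enabled in much of the portal but enforce nothing, which is why the script checks `State` for the literal `enabled` value rather than for anything other than `disabled`. Treat every exclusion in the tenant-wide policy as a finding until it is matched to a named emergency-access account.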
Notifiable Data Breaches — the 72-hour test
The NDB scheme already requires an entity to assess a suspected eligible data breach within 30 days and to notify the OAIC and affected individuals 'as soon as practicable' once it has reasonable grounds to believe a breach has occurred. The 72-hour figure is not in the Act; it comes from the GDPR and is the internal target many organisations adopt, and it is the benchmark this section refers to. The reforms tighten enforcement around both the timeliness and the content of notifications. Microsoft Purview Insider Risk Management, Microsoft Sentinel and Defender for Cloud Apps are the typical detection sources for breaches inside an M365 tenant; Frontrow's NDB readiness tool maps the controls.
Practical actions for Australian midmarket
The pragmatic order is: (1) classify what personal information you hold and where it lives, including mailboxes, Teams chat and endpoints, not just SharePoint; (2) confirm encryption, MFA and Conditional Access cover every access path, including guest accounts, service accounts and legacy authentication protocols that cannot perform MFA and must be blocked explicitly; (3) deploy sensitivity labels and DLP policies for the personal information categories you actually hold; (4) document the NDB response runbook with named owners, an internal 72-hour clock and the evidence needed for the OAIC statement; (5) write the AI use policy if you use Copilot or any AI processing of personal information, bearing in mind that Copilot surfaces whatever the signed-in user can already read, which makes steps 1 to 3 prerequisites rather than parallel work. Frontrow runs Privacy Act readiness assessments mapping current state to the expected 2026 baseline.
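Step 3 is where the M365 controls become concrete. The following PowerShell is an added example, not Frontrow's assessment tooling or code from the original page; it creates a Purview DLP policy covering the workloads named above using the built-in Australian sensitive information types, starts it in simulation mode, and adds separate rules for the cloud workloads and for endpoints. It assumes the ExchangeOnlineManagement module and a Compliance Administrator role; the policy and rule names are placeholders.

```powershell
# Added example (not Frontrow's tooling): a Purview DLP policy for Australian
# personal information across Exchange, SharePoint, OneDrive, Teams and endpoints.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator role.
# 'AU-PersonalInformation' and the rule names are placeholders.
Connect-IPPSSession

# Built-in Purview sensitive information types for Australian identifiers.
$auPersonalInfo = @(
    @{ Name = 'Australia Tax File Number';          minCount = '1' },
    @{ Name = 'Australia Driver''s License Number'; minCount = '1' },
    @{ Name = 'Australia Passport Number';          minCount = '1' },
    @{ Name = 'Australia Bank Account Number';      minCount = '1' },
    @{ Name = 'Australia Medical Account Number';   minCount = '1' }
)

# Start in simulation with policy tips so users see what would be blocked;
# change -Mode to Enable once false positives have been tuned out.
New-DlpCompliancePolicy -Name 'AU-PersonalInformation' `
    -Comment 'Privacy Act personal information: detect and block sharing outside the organisation' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Cloud workloads: block sharing outside the organisation of content matching
# any of the types, notify the owner and raise a high-severity incident report.
New-DlpComplianceRule -Name 'AU-PI-BlockExternal' -Policy 'AU-PersonalInformation' `
    -ContentContainsSensitiveInformation $auPersonalInfo `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent Title, Detections `
    -ReportSeverityLevel High

# Endpoints: BlockAccess applies to cloud locations only; device actions are
# controlled through -EndpointDlpRestrictions.
New-DlpComplianceRule -Name 'AU-PI-Endpoint' -Policy 'AU-PersonalInformation' `
    -ContentContainsSensitiveInformation $auPersonalInfo `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'CopyPaste';      Value = 'Block' }
    )

# Verify scope and mode before switching enforcement on.
Get-DlpCompliancePolicy -Identity 'AU-PersonalInformation' |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation, EndpointDlpLocation
```

Leave the policy in TestWithNotifications for a few weeks and review the DLP alerts in the Purview portal before moving to Enable; a blocking rule on a noisy detector (bank account numbers are the usual culprit) will otherwise interrupt legitimate finance and HR work on day one. Endpoint coverage also requires the devices to be onboarded to Purview, which the policy itself does not do.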