Privacy Act Changes 2025: What NSW & QLD Construction Firms Must Do Now
Mandatory privacy policy updates for developers, builders, and contractors under the new reforms
If you run a construction or property development business, you are probably used to juggling contracts, DA approvals, tender submissions, and safety compliance. But one overlooked risk can be far more costly than project delays: privacy compliance.
With the biggest shake-up to Australia’s privacy laws in decades now in force under the Privacy and Other Legislation Amendment Act 2024, the way businesses collect, store, use and disclose personal information has fundamentally changed. If your Privacy Policy has not kept up, your company may face automatic fines of up to $66,000 and penalties of up to $50 million, as well as reputational damage for mishandling client or subcontractor data.
These risks are now very real, as shown by the Federal Court’s first civil penalties under the Privacy Act, including a $5.8 million fine imposed on Australian Clinical Labs in October 2025. Source: OAIC Media Release - Australian Clinical Labs ordered to pay penalties in relation to Medlab Pathology data breach in first for Privacy Act
At Law Team, we've seen how easily construction and development businesses can be caught off guard by these changes. In this article, we explain what’s changed under the Privacy Act, why it matters specifically for your industry, and exactly what you need to do now to stay compliant and protect your business.
Key Takeaways
New changes to the Privacy Act result in increased penalties, new offences, and stricter obligations for construction and development firms.
Your Privacy Policy must be current and comprehensive, covering offshore storage, doxxing, and disclosures related to AI decision-making.
The Commissioner can fine you without warning if your public privacy documents don’t comply with the law.
A Data Breach Response Plan is essential, not optional.
Proactive compliance protects both your reputation and your bottom line.
Why does privacy matter for construction and property development businesses?
Construction firms store sensitive data, such as subcontractor licences, buyer financial records, and site surveillance footage. This data is a primary target for cybercriminals. If it is mishandled, hacked, disclosed without consent, or accessed without proper authorisation, your business could be in breach of the Australian Privacy Principles (APPs).
Why should you act on privacy compliance now?
Privacy compliance is no longer optional, and regulators can now impose immediate fines for non-compliance. In January 2026, the OAIC launched its first-ever compliance sweep targeting the rental and property sectors, issuing $66,000 infringement notices to firms with outdated Privacy Policies. Source: OAIC - Privacy compliance sweep to put privacy policies under the spotlight
What are the 2025 Australian Privacy Act changes for construction firms?
The Privacy and Other Legislation Amendment Act 2024 introduced some of the most significant changes to Australian privacy law in a decade. Some of the key changes include mandatory disclosure of offshore data, criminal penalties for doxxing, new transparency obligations around AI and automated decision-making and enhanced powers for the Privacy Commissioner to audit site security. Source: Parliament of Australia - Privacy and Other Legislation Amendment Act 2024
Commissioner On-the-Spot Fines
The Privacy Commissioner can now issue infringement notices with fines of up to $66,000 for clear violations, such as:
Not having a Privacy Policy on your website
Publishing a Privacy Policy that does not comply with the Australian Privacy Principles
Not providing an easy opt-out from marketing communications
Massive Penalties for Serious or Repeated Breaches
If your business engages in serious or repeated interferences with privacy, the penalties now reach up to $50 million.
New Criminal Offence for Doxxing
It is now both a civil wrong and a criminal offence to publish someone’s personal information with the intention of causing harm or harassment. For example, if a dispute with a disgruntled subcontractor escalates and personal details are posted online to “warn others”, this could amount to doxxing and expose the business to both civil and criminal penalties.
Mandatory Disclosure of Offshore Data Storage and Processing
If personal information is stored or accessed outside Australia, your Privacy Policy must:
Identify the countries involved
State whether those countries have equivalent privacy protections
Confirm that offshore providers are contractually required to comply with the Privacy Act
This is a serious compliance issue for construction and development companies that use international CRM systems, project management tools, or virtual assistants.
New Disclosure Obligations for Automated Decision Making
One of the lesser-known but high-risk Privacy Act changes is the new requirement to disclose when computer programs or AI are used to make, or assist in making, decisions about individuals. This applies whether the decision is fully automated or ultimately reviewed by a human, and non-disclosure can expose businesses to the same penalty regime as other privacy breaches.
This requirement is particularly relevant for construction and development businesses that:
Use automated systems to pre-qualify subcontractors for tender lists
Apply AI-based scoring tools to buyer or tenant applications
Rely on automated credit-checking or compliance verification software
Use algorithm-driven marketing to target potential buyers for off-the-plan projects
Where these tools are used, the law requires businesses to:
Inform individuals that a computer program was used to make or assist in the decision
Explain, in plain language, the factors or logic behind the decision without revealing proprietary code
Provide a clear pathway for the decision to be reviewed by a human
Example:
A Queensland developer uses an automated system to assess tenant affordability when reviewing tenancy applications, with the output informing a final decision made by a person. The developer must now notify applicants that a computer program was used to assist the decision, explain the key factors considered, and provide a way for the decision to be reconsidered by a human. This information can be disclosed through the developer’s Privacy Policy.
The Cost of Ignoring Privacy Compliance
In 2026, the maximum penalty for serious interference with privacy is $50 million or 30% of adjusted turnover, whichever is greater. Beyond fines, the new statutory tort for serious invasions of privacy allows individuals to sue your company directly for damages, even if no data breach occurs. Source: OAIC – Statutory tort for serious invasions of privacy.
Privacy compliance can no longer be treated as a task to do “when there’s time”. The risk is immediate, as the Privacy Commissioner can act without waiting for a complaint. If they identify gaps or inconsistencies in publicly available materials, such as your website’s Privacy Policy, they can issue fines on the spot.
| Civil Penalty Type | Maximum Penalty |
|---|---|
| Serious interference | Up to $50 million |
| Non-serious interference | Up to $3.3 million |
| Infringement notice | Up to $66,000 (on-the-spot fines) |
Case Study – Queensland Developer Data Breach
A mid-sized developer experienced a cyberattack when an employee’s email was hacked, giving attackers access to confidential project sales lists and marketing databases. At the time, the business had:
A Data Breach Response Plan
A Privacy Policy last updated in 2025
Contractual protections with its offshore email marketing provider
The developer engaged us immediately to assess whether the breach was notifiable (it was), prepare the statutory notifications to the Commissioner and the relevant individuals and manage the messaging and communications around the breach.
Because the developer had done everything correctly, the Privacy Commissioner could see that the business was making a genuine effort to comply despite the breach, and it avoided a massive fine and reputational damage.
Case Study – NSW Civil Contractor Compliance Audit
During a government prequalification audit, a major contractor was found to have an incomplete Privacy Policy and no offshore data disclosure statements. They narrowly avoided fines but had to update documents and implement team training within 30 days, which was costly and disruptive.
These examples show that cyber incidents and compliance failures can be costly in every sense, which is why taking proactive steps to protect privacy is critical.
What practical steps can Australian businesses take to stay privacy compliant?
Updating your Privacy Policy is just one step. Here’s what construction and development firms should do:
Identify the personal information you collect, where it is stored, who accesses it, and whether it leaves Australia.
Include all mandatory disclosures, such as offshore data, doxxing protections, and AI decision-making in your Privacy Policy.
Add Privacy Act compliance clauses to all agreements with data handlers.
Implement a Data Breach Response Plan that enables you to respond within the 30-day notification period.
Cover privacy compliance in site inductions, office onboarding, and ongoing staff programmes.
Run privacy drills just as you would for safety compliance.
How Law Team has helped clients avoid (and survive) privacy breaches
We help construction and development businesses across Australia become privacy compliant, from drafting Privacy Policies to negotiating supplier agreements and training teams to handle sensitive information correctly.
At Law Team, we help our clients with:
Privacy Policy reviews and rewrites to meet the latest legislative requirements
Supplier contract updates to ensure offshore data handlers comply with the Privacy Act
Data Breach Response Plans tailored for site and office operations
Staff training to reduce human error in handling sensitive data
Get in touch with Law Team today to make your business privacy compliant before the Commissioner comes knocking.
About the Author: Erin Vassallo
Erin Vassallo is the Principal Solicitor and founder of Law Team, a values-led law firm with a strong reputation across New South Wales and Queensland. With over two decades of experience in commercial, construction, and property development law, Erin is a trusted advisor to developers, landowners, and business owners navigating complex projects and legal risks.
Her hands-on experience includes joint ventures, structuring development deals, contract negotiation, risk mitigation, and project governance across residential, commercial, and mixed-use developments. Erin holds qualifications in law, political science, mediation, and disruptive strategy (Harvard Business School) and is the founder of Certified BCorp Law Team, committed to ethical business practices and social impact.
Frequently Asked Questions
- Yes - if your turnover is over $3 million OR if you handle sensitive information (such as health records, background checks, or certain financial data), you must comply, regardless of size.
- You risk immediate fines of up to $66,000, higher penalties for serious breaches, and reputational damage if clients or regulators discover non-compliance.
- Not if you disclose it in your Privacy Policy and ensure the overseas provider complies with the Privacy Act through contractual obligations.
- Doxxing is publishing someone’s personal information with intent to cause harm. It’s now both a criminal offence and a civil wrong – and could apply in workplace disputes or public conflicts.
- You must tell individuals if a decision about them was made with the assistance of a computer program, explain how it works in plain terms, and offer human review.
- You must notify affected individuals and the Privacy Commissioner as soon as practicable – generally within 30 days of becoming aware.