Privacy Act Changes 2025: Mandatory Policy Updates for NSW & QLD Construction & Development Firms
If you’re running a construction or property development business, you’re probably used to juggling building contracts, DA approvals, tender submissions, subcontractor negotiations, and safety compliance.
But here’s one risk that could cost you more than a delayed DA or defective works order - your privacy compliance.
With the biggest shake-up to Australia’s privacy laws in decades now in force, the rules on how you collect, store, use, and disclose personal information have changed. If your Privacy Policy hasn’t changed with them, you could be exposed to infringement notices of up to $62,600 and civil penalties as high as $50 million, not to mention the reputational damage of mishandling client or subcontractor data.
In this article, we’ll break down what’s changed, why it matters for construction and development businesses, and exactly what you need to do to stay on the right side of the law.
Why Privacy Matters in Construction & Development
It’s easy to assume privacy laws are just for tech companies or online retailers. But in reality, your business probably collects a mountain of personal and sensitive data every day:
Buyer details from off-the-plan sales
Subcontractor licences, qualifications, and insurance documents
Tender applicant contact and financial details
Employee HR files and health information
Marketing databases for project launches
Security footage from worksites, sales suites, and display homes
This is valuable information - and a goldmine for cybercriminals.
If it’s mishandled, hacked, disclosed without consent, or accessed without proper authorisation, your business could be in breach of the Australian Privacy Principles (APPs).
And under the new laws the Commissioner no longer needs to wait for a complaint: an infringement notice can be issued on the strength of what is visible on your website, such as a Privacy Policy that is missing mandatory details or doesn’t match your actual practices.
What’s Changed in the Privacy Act
The Privacy and Other Legislation Amendment Act 2024 introduced some of the most significant changes to Australian privacy law in a decade – and there are more reforms to come.
Here’s what construction and development businesses need to know:
Commissioner “On-the-Spot” Fines
The Privacy Commissioner can now issue infringement notices - much like a speeding ticket, without going to court first - for clear, lower-level breaches, such as:
Not having a Privacy Policy on your website
Having a Privacy Policy that doesn’t meet the Australian Privacy Principles
Failing to provide an easy opt-out from marketing communications
For corporations, these notices can mean fines of up to $62,600 per breach.
Massive Penalties for Serious Breaches
If your business engages in serious or repeated interferences with privacy, the penalties now reach up to $50 million.
New ‘Doxxing’ Offence
It’s now a civil wrong and a criminal offence to publish someone’s personal information with the intention of causing harm or harassment.
For example: If a dispute with a disgruntled subcontractor escalates and someone posts their personal details online to “warn others”, that could amount to doxxing - and expose your business to both criminal and civil penalties.
Mandatory Offshore Data Disclosure
If your data is stored or accessed outside Australia - whether via overseas servers, cloud storage, or a virtual assistant - your Privacy Policy must:
Disclose the countries where the data is stored or accessed
State whether those countries have equivalent privacy protections
Ensure the offshore provider contractually agrees to comply with the Privacy Act
For construction and development firms using overseas CRM or project management tools, or even offshore VAs, this is a big one.
AI & Computer Program Decision-Making – New Disclosure Rules
One of the lesser-publicised changes - but one that could trip up many businesses - is the new requirement to disclose if you use computer programs or AI to make decisions about individuals, with or without human review.
This is particularly relevant if you:
Use automated systems to pre-qualify subcontractors for tender lists
Run AI-based scoring tools for buyer or tenant applications
Use automated credit-checking or compliance verification software
Employ marketing algorithms to target potential buyers for off-the-plan projects
The law now requires that you:
Tell individuals if a decision that affects them was made by a computer program.
Explain, in plain language, how the decision was made (without revealing proprietary code).
Offer the person the chance to have the decision reviewed by a human.
The privacy policy disclosure requirement for automated decision-making does not commence until 10 December 2026, but because the other changes already apply, we recommend including it in your update now rather than revisiting the policy next year and risking it being forgotten.
Example
A QLD developer uses an automated system to sort tenancy applications and assess tenant affordability, and relies on that output to inform a human decision about which applicants can afford the property. The business must now tell applicants that the decision was made with the assistance of a computer program, explain the key factors the program used, and provide a way for the decision to be reconsidered by a person. These disclosures can be made in the developer’s privacy policy.
Failing to comply with this disclosure obligation could see you facing the same penalty regime as other Privacy Act breaches - meaning infringement fines up to $62,600 or higher for serious cases.
The Cost of Inaction
Privacy compliance is no longer something you “get to when there’s time”.
The risk is immediate, because the Commissioner no longer has to wait for a complaint. They can act on what is publicly visible, like your website’s Privacy Policy, and issue an infringement notice on the spot.
Case study – QLD Developer Data Breach
A mid-sized developer suffered a cyberattack when an employee’s email was hacked. Hackers accessed confidential project sales lists and marketing databases. The business had:
A Data Breach Response Plan
A Privacy Policy last updated in 2025
Contractual protections with its offshore email marketing provider
The developer engaged us immediately to assess whether the breach was notifiable (it was), prepare the statutory notifications to the Commissioner and the affected individuals, and manage the messaging and communications around the breach.
Result: Because the developer had done the right things beforehand, the Privacy Commissioner could see it was doing its best to comply despite the breach, and the business avoided a major fine and lasting reputational damage.
Case study – NSW Civil Contractor Compliance Audit
During a government prequalification audit, a major contractor was found to have an incomplete Privacy Policy and no offshore data disclosure statements. They narrowly avoided fines but were required to update documents and implement team training within 30 days - at significant cost and disruption.
How We’ve Helped Clients Avoid (and Survive) Privacy Breaches
We’ve assisted construction and development businesses across Australia with:
Privacy Policy reviews and rewrites to meet the latest legislative requirements
Supplier contract updates to ensure offshore data handlers comply with the Privacy Act
Data Breach Response Plans tailored for site and office operations
Staff training to reduce human error in handling sensitive data
Case Study: Developer Privacy Audit
For a Sydney-based developer running multiple apartment projects, we audited their buyer database processes, identified offshore hosting risks, and updated both contracts and public privacy disclosures. They’re now privacy compliant and confident they can pass regulator scrutiny.
Practical Steps You Need to Take Now
Updating your Privacy Policy is just one part of the puzzle. Here’s how to build a privacy-ready framework:
Audit Your Data: Identify what personal information you collect, where it’s stored, who accesses it, and whether it leaves Australia.
Update Your Privacy Policy: Include all mandatory disclosures (offshore data, doxxing protections, AI decision-making).
Review Supplier & Contractor Contracts: Add Privacy Act compliance clauses to all agreements with data handlers.
Implement a Data Breach Response Plan: Ensure you can assess a suspected breach within the 30-day assessment window and notify the Commissioner and affected individuals as soon as practicable once you believe an eligible data breach has occurred.
Train Your Team: Include privacy compliance in site inductions, office onboarding, and ongoing compliance programs.
Test Your Systems: Run privacy drills - just like you would for safety compliance.
Why Act Now (Not Later)
Privacy compliance isn’t just about avoiding fines - it’s about protecting your relationships with buyers, investors, subcontractors, and regulators.
In a competitive market, being known as a builder or developer who protects client information as carefully as you protect project quality is a brand asset.
And with the Commissioner now empowered to issue infringement notices without waiting for a complaint, proactive compliance is the only safe option.
Key Takeaways
New Privacy Act changes mean higher penalties, new offences, and stricter obligations for construction and development firms.
Your Privacy Policy must be current and comprehensive, covering offshore storage, doxxing, and AI decision-making disclosures.
The Commissioner can issue an infringement notice without first receiving a complaint if your public privacy documents don’t comply.
A Data Breach Response Plan is essential, not optional.
Proactive compliance protects both your reputation and bottom line.
Next Steps
We help construction and development businesses across Australia become privacy compliant –
from drafting Privacy Policies to negotiating supplier agreements and training teams. Book your free consult to get started.
Let’s make sure your business is ready - before the Commissioner comes knocking.
About the Author: Erin Vassallo
Erin Vassallo is the Principal Solicitor and founder of Law Team, a values-led law firm with a strong reputation across New South Wales and Queensland. With over two decades of experience in commercial, construction, and property development law, Erin is a trusted advisor to developers, landowners, and business owners navigating complex projects and legal risk.
Her hands-on experience includes joint ventures, structuring development deals, contract negotiation, risk mitigation, and project governance across residential, commercial, and mixed-use developments. Erin holds qualifications in law, political science, mediation, and disruptive strategy (Harvard Business School) and is the founder of Certified B Corp Law Team, committed to ethical business practices and social impact.
FAQs: Privacy Act Changes for Developers
Does the Privacy Act apply to my construction or development business?
Yes - if your turnover is over $3 million OR if you handle sensitive information (such as health records, background checks, or certain financial data), you must comply, regardless of size.
What happens if my Privacy Policy isn’t compliant?
You risk immediate fines of up to $62,600, higher penalties for serious breaches, and reputational damage if clients or regulators discover non-compliance.
Can I still use overseas cloud providers or offshore virtual assistants?
Not if you disclose it in your Privacy Policy and ensure the overseas provider complies with the Privacy Act through contractual obligations.
What is doxxing?
Doxxing is publishing someone’s personal information with intent to cause harm. It’s now both a criminal offence and a civil wrong - and could apply in workplace disputes or public conflicts.
What do I have to disclose about AI or automated decision-making?
You must tell individuals if a decision about them was made with the assistance of a computer program, explain how it works in plain terms, and offer human review.
What do I do if we suffer a data breach?
You must assess whether it is an eligible data breach (one likely to result in serious harm) within 30 days of becoming aware of it, and notify the Privacy Commissioner and affected individuals as soon as practicable once you believe it is.
Disclaimer: This article is general information only and cannot be regarded as legal advice as it does not take into account your personal circumstances. For tailored advice, please call us on 13 55 29 or email us at hello@lawteam.com.au.