
Privacy and Other Legislation Amendment Act (POLA Act): Changes and Compliance Considerations

Oct 27, 2025

In response to evolving digital risks and growing concern about data misuse, Australia has introduced a substantial privacy reform through the Privacy and Other Legislation Amendment Act 2024 (POLA Act), which received Royal Assent on 10 December 2024. Designed to modernise the country's privacy framework and bring it closer to international standards such as the EU General Data Protection Regulation (GDPR), the POLA Act marks a significant shift in how personal information is managed, protected and enforced.

This article explores the key changes introduced under the POLA Act and outlines what steps organisations operating in Australia can take to remain compliant, particularly around data discovery, classification, risk mitigation, and breach response.

What Is Australia’s POLA Act 2024?

The Privacy and Other Legislation Amendment Act 2024 makes significant amendments to Australia's Privacy Act 1988 (Privacy Act). It implements the first tranche of recommendations from the Attorney-General's Department's Privacy Act Review (completed in 2022), which identified key gaps in the existing legislation, particularly around digital data, cross-border transfers and individual privacy rights. The Privacy Act sets out 13 Australian Privacy Principles (APPs) that apply to every entity it covers. They define how personal information must be handled, including individuals' rights and the responsibilities of businesses, organisations and agencies.

Who Does it Apply To?

Because the POLA Act amends the Privacy Act rather than replacing it, most of its obligations apply to the entities the Privacy Act already covers (APP entities): Australian Government agencies and the private-sector organisations that operate in Australia and handle personal information, subject to the existing small business exemption for organisations with an annual turnover of AUD $3 million or less. The new statutory tort, described next, reaches more widely than the APPs.

Who Can Make a Claim?

An individual can bring the new tort of serious invasion of privacy against any person or organisation, including government bodies, regardless of whether the defendant is an 'APP entity' under the Privacy Act. The exemptions limit who can be sued, not who can sue: the tort cannot be brought against journalists and publishers in connection with journalism, law enforcement bodies, intelligence agencies, persons under 18, or staff of Commonwealth, State and Territory agencies where the invasion occurred in good faith in the performance of their duties. Only natural persons can sue; a corporation has no claim for invasion of its privacy.

When Does Enforcement Begin?

While the wider reform process is ongoing, the POLA Act is the first legislative phase and its measures have already passed Parliament, with enforcement expanded through the Office of the Australian Information Commissioner (OAIC). Most of the Act's provisions commenced on 10 December 2024. Two measures commence later: the tort of serious invasion of privacy (10 June 2025) and the automated decision-making transparency provisions, which require privacy policies to disclose the use of personal information in substantially automated decisions (10 December 2026).

What Are the Key Changes Introduced by the POLA Act?

POLA Act Changes

The legislation introduces several critical requirements for businesses that collect, process, or store personal information in Australia:

1. Expanded Definition of Personal Information

Under Australia's Privacy Act 1988, personal information means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This definition is intentionally broad and covers a wide range of data, including but not limited to:

  • Names
  • Contact information
  • Identification numbers
  • Sensitive information (race, political opinion, religion, sexual orientation, criminal record, health, etc.)
  • Credit information
  • Employee record information
  • Tax file number information
  • Any data that can indirectly identify someone when combined with other information

The POLA Act did not rewrite this statutory definition; an express expansion to cover inferred and technical identifiers remains a proposal for the next tranche of reform. In practice, however, the OAIC already treats technical identifiers as personal information wherever they can reasonably be linked to an individual, so a discovery programme should already be scoping in data such as:

  • Metadata
  • IP addresses
  • Cookies and device identifiers

Treating these identifiers as in scope broadens what must be protected and places more emphasis on behavioural and analytical data, which is where many organisations have the least visibility.

2. Mandatory Technical and Organisational Security Controls

APP 11 already required entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. The POLA Act adds APP 11.3, which clarifies that those reasonable steps include technical and organisational measures. In practice this means proactively protecting information, identifying and remediating vulnerabilities, detecting and responding to incidents, and training employees, and being able to evidence each of these if the OAIC asks.

3. Data Minimisation and Retention Limits

Under APP 3 and APP 11.2, organisations must collect only the personal information reasonably necessary for their functions or activities, and must destroy or de-identify it once it is no longer needed for a permitted purpose, unless a legal requirement necessitates its retention. Retained data that has no current purpose is both a compliance gap and unnecessary breach exposure.

4. Stronger Individual Rights

Individuals now have reinforced rights to:

  • Access their personal information
  • Request corrections

While deletion and objection rights have not yet been fully legislated, they are under active consideration in future reform stages.

5. Enhanced Breach Notification

Under the Notifiable Data Breaches scheme, if a data breach is likely to result in serious harm to any affected individual, the entity must notify the Office of the Australian Information Commissioner (OAIC) and the individuals affected as soon as practicable, and must complete its assessment of a suspected breach within 30 days. The POLA Act adds a power for the Minister to make an eligible data breach declaration, which allows entities to share personal information in ways that would otherwise be restricted in order to prevent or reduce harm from the breach.

6. Stricter Consent and Purpose Limitation

Consent must now be:

  • Informed
  • Voluntary
  • Specific
  • Current

Entities must limit data use to the specific purpose for which it was collected unless an exemption applies.

7. Higher Penalties for Non-Compliance

For corporations, the maximum civil penalty for a serious interference with privacy is the greater of:

  • AUD $50 million;
  • 30% of the organisation's adjusted turnover during the breach period; or
  • Three times the value of any benefit obtained from the breach.

For unincorporated entities, such as individuals and partnerships, the maximum is AUD $2.5 million.

The POLA Act also introduces a tiered enforcement model below that ceiling: a mid-tier civil penalty for interferences with privacy that are not serious, and a low-tier penalty for specified administrative breaches that the OAIC can enforce by infringement notice. Separately, it creates criminal offences for doxxing, the deliberate release of personal information using a carriage service in a way that is menacing or harassing.

8. Children’s Online Privacy Code

The POLA Act requires the OAIC to develop and register a Children's Online Privacy Code. The Code will:

  • Specify how online services likely to be accessed by children must comply with the Australian Privacy Principles (APPs)
  • Reflect the real experiences and needs of children and their families
  • Potentially impose additional requirements, provided they are not inconsistent with the existing APPs

The Code will apply to businesses and organisations covered by the Privacy Act 1988 (APP entities) if:

  • They provide a social media service, relevant electronic service or designated internet service
  • The service is likely to be accessed by children, and
  • The entity is not providing a health service

The OAIC must register the Code within 24 months of commencement, that is by 10 December 2026, and may introduce further compliance requirements once it is released.

How Can Organisations Take Steps to Comply with the Privacy and Other Legislation Amendment Act?

To comply with the POLA Act, personal data must be located, appropriately labelled and safeguarded. What makes this a challenge is that sensitive data is spread everywhere, from cloud platforms to on-premises tools to employee laptops, and much of it (exports, backups, analytics logs) was never catalogued.

The protection of sensitive data can be summarized in four critical steps: discovery, classification, governance and enforcement.

  1. Discovery to understand the location and sensitivity level of all business information,
  2. Classification to categorize data appropriately,
  3. Governance to define policies around who can access data and under what conditions, and,
  4. Enforcement to apply all the necessary protective measures according to the sensitivity level.

By taking the steps above, organisations can ensure their data is properly identified, governed and protected to meet their compliance obligations, and can evidence that the protection applied matches the sensitivity of what was found.
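The four steps above are easier to reason about with a concrete, if small, implementation. The following Python is an added example written for this article; it is not Spirion or NC Protect code and does not represent how those products work. It discovers three kinds of personal information the article lists (tax file numbers, email addresses and IP addresses) in a constructed set of sample "files", validates candidate TFNs with the published ATO check-digit weights (assumed correct here; confirm against your own reference) so that random nine-digit numbers are not recorded as hits, classifies each location by the highest-sensitivity item found in it, and maps that classification to a control. The file paths, sensitivity tier names and control text are hypothetical.

```python
"""Discovery and classification of personal information (added example).

Not product code. Sample files, tier labels and controls are constructed for
illustration only.
"""
import re
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address

# Constructed sample "files" standing in for a share, a cloud folder and a laptop.
SAMPLE_FILES = {
    "/shares/hr/onboarding.txt":
        "New starter Jane Citizen, TFN 123 456 782, contact jane@example.com",
    "/shares/marketing/clicks.txt":
        "Clicks from 203.0.113.7 and 198.51.100.23; visitor id 123456789",
    "/home/analyst/notes.txt":
        "Nothing personal here, just build 2024.12.10 and ticket 4711",
}

# Hypothetical sensitivity tiers and the control each tier triggers in the
# governance and enforcement steps.
TIER = {"tfn": 3, "email": 2, "ipv4": 1}
TIER_NAME = {3: "restricted", 2: "confidential", 1: "internal", 0: "public"}
CONTROLS = {
    3: "encrypt at rest, restrict to HR/payroll roles, retention review",
    2: "access control by business purpose, include in breach inventory",
    1: "pseudonymise for analytics, delete when no longer needed",
    0: "no additional control",
}

# Published ATO check-digit weights (assumed; verify against your reference).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_is_valid(candidate: str) -> bool:
    """Weighted sum of the nine digits must be divisible by 11."""
    digits = re.sub(r"[ -]", "", candidate)
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def ipv4_is_valid(candidate: str) -> bool:
    """Reject dotted quads with out-of-range octets (e.g. 999.1.1.1)."""
    try:
        IPv4Address(candidate)
        return True
    except AddressValueError:
        return False


# (kind, regex, validator). Validation turns pattern matches into real hits.
PATTERNS = [
    ("tfn", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_is_valid),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda s: True),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), ipv4_is_valid),
]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    masked: str  # the raw value never goes into reports or logs
    tier: int


def mask(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def scan_text(path: str, text: str) -> list[Finding]:
    """Discovery: locate identifiers and validate them before recording a hit."""
    findings = []
    for kind, pattern, validate in PATTERNS:
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                findings.append(Finding(path, kind, mask(m.group(0)), TIER[kind]))
    return findings


def discover(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def classify(files: dict[str, str]) -> dict[str, str]:
    """Classification: label each location by the highest tier found in it."""
    top = {path: 0 for path in files}
    for f in discover(files):
        top[f.path] = max(top[f.path], f.tier)
    return {path: TIER_NAME[t] for path, t in top.items()}


def required_control(files: dict[str, str], path: str) -> str:
    """Enforcement: the control implied by a location's classification."""
    label = classify(files)[path]
    tier = next(t for t, name in TIER_NAME.items() if name == label)
    return CONTROLS[tier]


if __name__ == "__main__":
    for f in discover(SAMPLE_FILES):
        print(f"{f.path}: {f.kind} {f.masked} -> {TIER_NAME[f.tier]}")
    for path, label in classify(SAMPLE_FILES).items():
        print(f"{label:12} {path}: {required_control(SAMPLE_FILES, path)}")
```

Two design points carry over to a real deployment. First, pattern matching alone over-reports: the marketing file contains a nine-digit visitor id that looks like a TFN but fails the check digit, so it is not recorded, while the two IP addresses are. Second, the inventory stores masked values and a location, which is what a breach-notification workflow needs, without creating a second copy of the very data you are trying to protect.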

How archTIS Helps Organisations Meet Privacy and Other Legislation Amendment Act Requirements

The reforms introduced under POLA require a data-centric, proactive approach to privacy and risk management. A robust end-to-end solution for sensitive data management and compliance can help organisations quickly achieve compliance goals.

Discovery and Classification

archTIS' Spirion Sensitive Data Platform (SDP) offers a unified, precise solution that enables organisations to align with these obligations through:

  • Comprehensive Data Discovery:
    SDP identifies sensitive personal information, including technical identifiers and inferred data, across cloud, on-premises, and endpoint environments. This visibility is foundational for complying with the broadened definition of personal data.
  • Advanced Classification & Risk Prioritization:
    With SDP, sensitive data is classified not just by format or keyword but by context and business purpose, allowing organisations to apply controls proportionate to the data’s sensitivity and usage.
  • Minimisation & Retention Management:
    SDP supports the identification and remediation of redundant, obsolete, or trivial (ROT) data, helping enforce minimization and retention obligations.
  • Policy-Based Protection & Real-Time Monitoring:
    Security playbooks can automatically trigger encryption, redaction, or deletion based on the risk score. Combined with Spirion Data Watcher, organisations gain continuous insight into data access and potential misconfigurations.
  • Breach Response Readiness:
    SDP maintains a searchable inventory of sensitive records linked to identities, enabling rapid and accurate notification workflows in the event of a breach.

Access Control & Data Protection

archTIS’ NC Protect provides advanced access controls and data protection for information stored in Microsoft 365, SharePoint Server and file shares with:

  • Real-Time Zero Trust Access Controls
    With NC Protect, attribute-based access control (ABAC) policies determine who can access personal data and under what conditions.
  • Precise Control over Sensitive Data Usage & Sharing
    If access is granted, NC Protect can restrict how personal data is used and apply file-level protection (e.g. edit rights or read-only, watermarking with handler information, and more). It can also control how and with whom it can be shared.
  • Dynamic Encryption
    Encryption can be applied automatically based on the data's classification.
  • Auditing & Reporting
    Log and track sensitive data access, user activities and actions such as creating, editing or deleting data, and general access, for compliance auditing and reporting.

Learn more about NC Protect’s Access Control and Data Protection Capabilities for Data Privacy

Achieving POLA Compliance through Data Visibility & Access Control

The POLA Act ushers in a more rigorous era for privacy compliance in Australia, with legal, operational, and reputational stakes at an all-time high. Organisations must invest in the tools and practices that allow them to locate, understand, and protect personal information at scale.

archTIS products deliver the core Data Security Posture Management (DSPM) capabilities needed to support this shift. This provides not only visibility but actionability in response to the evolving demands of privacy law.
