Last updated: 2026-04-03

You Have 72 Hours to Notify OAIC. Do You Know the Steps?

The December 2024 Privacy Act amendments are now in full enforcement. OAIC is actively investigating and penalising. If your business holds customer data and turns over more than $3M, the 72-hour clock is already ticking -- you just don't know it yet. This kit gives you everything you need to comply before a breach forces your hand.

Essential for AU Professional Services
$97 AUD
$500--$2,000/hour privacy lawyer rate -- One-time purchase
Get the Kit Now →

30-Day Money-Back Guarantee

Instant download · APP & NDB aligned · Dec 2024 amendments covered

Sound Familiar?

These are the three most common situations AU SMBs face when it comes to Privacy Act compliance. If any of these hit close to home, this kit was built for you.

"We Had a Breach -- No Idea What to Report or When"

The 72-hour clock starts the moment you become aware of an eligible data breach. Most SMBs discover a breach and spend days in internal discussion, burning through their notification window. This kit includes the exact step-by-step workflow from detection to OAIC submission.

"Our Privacy Policy Hasn't Been Updated Since 2019"

If your privacy policy predates the December 2024 amendments, it is out of compliance with APP 1, APP 5, and APP 11 requirements. OAIC investigators look at your privacy policy first. The APP review checklist in this kit tells you exactly what needs to change.

"We Know Privacy Act Applies to Us -- Don't Know Where to Start"

Most SMBs know they need to comply but the legislation is dense and the practical steps are unclear. This kit translates the Act into a 7-step action plan: know what data you hold, who has access to it, how it's protected, and exactly what to do if something goes wrong.

OAIC Penalties Up to $50M. Enforcement Is Active.

The December 2024 amendments gave OAIC significantly expanded powers and penalties. OAIC received 1,113 NDB notifications in the first half of 2024-25 alone -- a 9% year-on-year increase. Enforcement is not hypothetical. It is happening to businesses your size, right now.

The Numbers Behind the Risk

1,113 -- NDB notifications to OAIC in H1 2024-25 (up 9%)
65% -- of NDB reports involve malicious or criminal attacks
$50M -- maximum civil penalty for serious Privacy Act breaches
72hrs -- to notify OAIC once aware of an eligible data breach

Source: OAIC Notifiable Data Breaches Report H1 2024-25. Average breach cost data: IBM Cost of a Data Breach Report 2024.

What You Get: 7 Documents

Every document in this kit maps directly to a real compliance obligation under the Privacy Act 1988 (as amended December 2024). No filler, no padding -- just the tools you actually need.

Doc 01: Privacy Act 2024 SMB Plain-English Explainer

A clear, jargon-free summary of what changed in December 2024 and what it means for your business specifically.

  • What the December 2024 amendments actually changed
  • Which APPs apply to your business and how
  • The new NDB 72-hour notification requirement explained
  • Who is now in scope (turnover thresholds, sensitive data categories)
  • What OAIC's expanded enforcement powers mean in practice

Doc 02: NDB Response Workflow -- 72-Hour Clock Checklist

Step-by-step process from first detection of a potential breach through to OAIC notification submission.

  • Hour 0--4: Detection, initial assessment, and containment steps
  • Hour 4--24: Eligibility determination and scope analysis
  • Hour 24--48: Evidence preservation and internal escalation
  • Hour 48--72: OAIC notification preparation and submission
  • Decision checkpoints at each stage with clear go/no-go criteria

Doc 03: Data Inventory and Mapping Template

Know exactly what personal information you hold, where it lives, who has access, and what the legal basis for collection is.

  • Pre-built data register with fields mapped to APP requirements
  • Data flow mapping framework (collection, storage, access, disposal)
  • PII classification guide (general, sensitive, health, financial)
  • Third-party data sharing inventory rows
  • Retention and destruction schedule template

Doc 04: Privacy Policy Review Checklist (APP 1, APP 5, APP 11)

Work through your existing privacy policy against the three APPs most likely to require updates after December 2024.

  • APP 1: Open and transparent management of personal information
  • APP 5: Notification of collection obligations (what you must tell people)
  • APP 11: Security of personal information (technical and organisational measures)
  • Line-by-line checklist with pass/fail criteria and remediation notes
  • Sample updated policy language for the most common gaps

Doc 05: Vendor Data Processing Register

Track who has access to your customer data, under what terms, and what your Privacy Act obligations are when sharing data with third parties.

  • Vendor register template with mandatory APP 8 fields
  • Data processing purpose and legal basis columns
  • Cross-border disclosure tracking (APP 8 compliance)
  • Vendor privacy assessment questionnaire (one-page version)
  • Contractual clause checklist for data processing agreements

Doc 06: Staff Privacy Awareness One-Pager

A printable, brandable one-page reference card that gives your team the most important privacy rules in plain language.

  • What counts as personal information (with examples)
  • How to handle customer data requests
  • What to do if you suspect a data breach
  • Who to contact and when to escalate
  • Editable fields for your logo, contact details, and escalation contacts

Doc 07: OAIC Notification Letter Template

Fill-in-the-blanks notification letter aligned to OAIC's current requirements for the 72-hour NDB report.

  • All mandatory fields pre-populated with placeholder guidance
  • Description of breach section with framing notes
  • Affected individuals assessment section
  • Steps taken / remediation actions section
  • Guidance notes on each field with OAIC guidance cross-references

$97 vs. What You'd Pay a Privacy Lawyer

Privacy lawyers in Australia bill at $500 to $2,000 per hour. Here is what the equivalent work would cost if you hired out every component of this kit.

Privacy Act Amendment Briefing -- $500--$800 value

One hour with a privacy lawyer to walk through what December 2024 changed. This kit gives you the same clarity in a self-paced explainer document built specifically for SMBs.

NDB Response Plan Development -- $1,500--$3,000 value

A privacy consultant building a custom NDB response workflow for your organisation typically bills 2--4 hours minimum. The 72-hour checklist in this kit covers the same ground.

Data Inventory and Mapping Exercise -- $800--$2,000 value

Data discovery and mapping engagements with a privacy consultant bill for 2--6 hours depending on complexity. The template in this kit gives you the structure to do it yourself in an afternoon.

Privacy Policy Review and Gap Analysis -- $600--$1,500 value

Privacy lawyers charge 1--3 hours to review a privacy policy against current APP requirements. The checklist in this kit maps every APP 1/5/11 requirement with pass/fail criteria.

Vendor Data Processing Register Setup -- $400--$800 value

Building a vendor register that satisfies APP 8 cross-border disclosure requirements takes a compliance consultant 1--2 hours. This template is ready to populate in minutes.

Staff Training Materials -- $300--$600 value

A privacy-aware one-pager written by a lawyer for staff distribution typically costs 30--60 minutes of legal time. This kit includes a brandable version ready to print.

OAIC Notification Letter Draft (BONUS) -- $500--$1,000 value

Drafting an OAIC notification statement under pressure during an active breach is one of the highest-risk moments for legal errors. Having a template ready removes that pressure entirely.

Total value: $4,600--$9,700+. Kit price: $97 AUD, vs. $500--$2,000/hour for a privacy lawyer.

Why You Cannot Wait Until After a Breach

The Privacy Act December 2024 amendments are not a future consideration -- they are in full enforcement right now. Here is the timeline that makes this urgent.

December 2024: Amendments Enacted

The Privacy and Other Legislation Amendment Act 2024 (Cth) passed Parliament in late 2024. The 72-hour NDB notification requirement, increased penalties, and expanded individual rights took effect immediately for most provisions.

2026: Full Enforcement Active

OAIC is now operating with its expanded powers. Businesses that were compliant under the old regime may not be compliant under the new one. The window to get ahead of this without external pressure is closing.

OAIC Is Notifying and Investigating

1,113 NDB notifications in H1 2024-25 means OAIC is actively reviewing breach reports, following up on incomplete notifications, and in some cases launching investigations. The 9% year-on-year increase shows this is trending up, not levelling off.

Penalties Are Now Serious

The maximum civil penalty for serious or repeated interference with privacy is now $50 million. For mid-tier violations, the penalty is the greater of $2.5M, three times the benefit obtained, or 30% of adjusted turnover in the period. This is no longer a reputational risk -- it is a financial one.

Who This Kit Is For

$3M+ -- Annual turnover; Privacy Act threshold for mandatory compliance
5 -- Industries most exposed: legal, accounting, healthcare, finance, real estate
$4.26M -- Average cost of a data breach (IBM 2024, AU context)

30-Day Money-Back Guarantee

If this kit is not the clearest, most actionable Privacy Act compliance resource you have seen for an Australian SMB, email us within 30 days for a full refund. No questions, no hassle. Getting compliant before a breach costs $97. Getting caught without a plan costs far more.

Frequently Asked Questions

Does the Privacy Act 2024 actually apply to my small business?

If your business has an annual turnover above $3 million AUD, or if you handle sensitive personal information (health records, financial data, legal files), the Privacy Act applies to you. The December 2024 amendments expanded coverage and increased penalties significantly. Professional services firms in legal, accounting, healthcare, finance, and real estate are all directly in scope. This kit includes a plain-English explainer that tells you exactly where you stand.

What is the 72-hour NDB notification requirement?

Under the updated Notifiable Data Breaches (NDB) scheme, organisations must notify the OAIC within 72 hours of becoming aware of an eligible data breach. This replaces the previous 30-day window for the initial OAIC notification step. This kit includes a step-by-step 72-hour clock checklist covering detection, assessment, containment, and notification -- plus the fill-in-the-blanks OAIC notification letter template.

What changed in the December 2024 Privacy Act amendments?

The December 2024 amendments introduced: a tighter NDB notification timeline (72 hours to OAIC), substantially higher civil penalties (up to $50M for serious or repeated breaches), expanded individual rights including the right to request erasure, stronger requirements for privacy notices under APP 1 and APP 5, and increased OAIC enforcement powers. The plain-English explainer in this kit covers every change and what it means for your business in practical terms.

We have a privacy policy already. Do we still need this kit?

Almost certainly yes. If your privacy policy was written before December 2024, it does not reflect the amended APP requirements. The kit includes an APP review checklist aligned to APP 1 (open and transparent management), APP 5 (notification of collection), and APP 11 (security of personal information) so you can identify exactly what needs updating. The checklist takes 30--60 minutes to work through and produces a clear action list.

Is this legal advice?

No. This kit is a practical compliance resource, not legal advice. It is written by a cybersecurity professional based on the current Privacy Act 1988 (Cth) as amended. For complex breaches, novel situations, or if you face OAIC investigation, engage a qualified privacy lawyer. For the day-to-day compliance work -- setting up your data inventory, knowing your NDB obligations, reviewing your privacy policy -- this kit covers the practical ground at a fraction of lawyer rates.

Get Compliant Before the Clock Starts

The 72-hour window is not a grace period. It is a hard regulatory deadline. Get the kit, work through it in an afternoon, and know exactly what to do when it matters.

Secure checkout via Polar. Instant download. One-time payment. 7 documents, immediate access.

Also Consider

If you are building out your full compliance posture, these two products pair directly with this kit.

AU SMB Cybersecurity Incident Response Playbook -- $97 AUD

The operational playbook for the first 72 hours of any cyber incident. Ransomware, data breach, and BEC scenarios with step-by-step decision trees. Pairs with the NDB workflow in this kit.

Australian Cybersecurity Compliance Bundle -- $197 AUD

The complete AU compliance stack: Essential Eight assessment, security policies, incident response plan, board reporting templates, and 12-month compliance roadmap. Best value if you need the full picture.

Need Help Implementing?

If you would prefer an expert to walk through Privacy Act compliance with you, review your existing policies, or assess your current data handling practices, a consultation is the right starting point.

Book a Consult at consult.lil.business