Savira - Making Compliance Easy
Be the business people trust

Privacy compliance for accountants: what Australian practices must know before July 2026

Give your clients confidence that their information is handled properly.

From 1 July 2026, most Australian accounting practices will be subject to the Privacy Act for the first time. New AML/CTF reporting obligations remove the small business exemption for firms providing designated services - meaning the Australian Privacy Principles now apply regardless of your turnover. For many practices, this is an entirely new compliance requirement.

This guide explains what is changing, why accounting practices are affected, and what your firm should do now to meet its privacy obligations before the 1 July 2026 commencement date.

Key takeaways

Privacy reform is now a real business risk

Penalties up to $50M

Serious or repeated privacy breaches can attract penalties up to AU$50 million, 30 percent of adjusted turnover, or three times the benefit gained.

Small business exemption falls away

Accounting practices that become reporting entities under the AML/CTF Act lose the small business exemption under the Privacy Act. If you provide designated services, the Privacy Act applies to you from 1 July 2026 - regardless of turnover.

Over-collection is a regulatory red flag

The OAIC has confirmed that AML/CTF obligations do not give reporting entities a blank cheque to collect personal information. You must still only collect what is reasonably necessary and should not retain copies of full identification documents for record-keeping purposes.

Individuals can sue

The statutory cause of action for serious invasions of privacy has been in force since 10 June 2025. Litigation and class action risk is real and present.

Secondary use matters

Using client information in ways that go beyond the original purpose of collection - including marketing, cross-selling, or sharing with referral partners - can breach the Privacy Act without proper consent.

Partner-level issue

Privacy risk should sit alongside professional indemnity and AML/CTF compliance in your firm's governance and risk framework. It is not a back-office task.

Does this apply to you?

Does the Privacy Act apply to your practice?

The Privacy Act 1988 (Cth) includes a small business exemption that generally excludes businesses with annual turnover of $3 million or less. Most accounting practices have historically relied on this exemption.

That changes from 1 July 2026. Under section 6E of the Privacy Act, any small business operator that is a reporting entity under the AML/CTF Act must comply with the Privacy Act in relation to its AML/CTF-related activities. The small business exemption simply does not apply.

Your practice is likely affected if it provides any of the designated services set out in the AML/CTF Act, including acting on a client's behalf in buying, selling, or transferring a business or legal entity, managing client money or assets, or creating or managing trusts, companies, or similar structures.

Not every service an accounting firm provides is a designated service. Standard tax return preparation, general bookkeeping, and routine audit work are generally not captured. But if any part of your practice provides a designated service, the Privacy Act obligations follow.

What has changed under the Privacy Act?

Much stronger enforcement powers

The Privacy and Other Legislation Amendment Act 2024 significantly expanded the powers of the OAIC, including the ability to issue infringement notices for certain breaches, stronger investigation and information-gathering powers, and public inquiries into systemic privacy practices.

Significantly higher penalties

Maximum penalties for serious or repeated interferences with privacy have been increased to the greater of AU$50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover during the breach period.

Individuals can now sue

The statutory cause of action for serious invasions of privacy commenced on 10 June 2025. Individuals can now take legal action where a privacy invasion was intentional or reckless, serious in nature, and where they had a reasonable expectation of privacy.

New Privacy Act coverage for accounting practices

From 1 July 2026, accounting firms providing designated services under the AML/CTF Act become reporting entities. A small business operator that is a reporting entity is subject to the Privacy Act in relation to its AML/CTF-related activities, regardless of turnover. The OAIC has published specific guidance confirming that firms should not retain copies of full identification documents for record-keeping, and that privacy obligations operate alongside - not in place of - any other regulatory requirements.

WHY IT MATTERS

Why accountants are in the regulatory frame

Accounting firms have not traditionally been subject to the Privacy Act. Most practices fall under the $3 million turnover threshold and have operated without needing to comply with the Australian Privacy Principles.

The AML/CTF Tranche 2 reforms change this. By bringing accountants into scope as reporting entities, the reforms simultaneously bring them into scope under the Privacy Act. This is not a theoretical future change - the legislation has passed and commencement is 1 July 2026.

The privacy risk profile of accounting is significant. Practices routinely handle tax file numbers, identity documents, financial records, business ownership structures, trust deeds, and in some cases information about individuals' personal circumstances. Much of this is collected face to face or via email, with limited transparency about how it will be used, stored, or shared.

The OAIC has also flagged that its expectations apply broadly. Its updated guidance for AML/CTF reporting entities makes clear that collection must be limited to what is reasonably necessary, that full copies of identity documents should not be retained, and that practices must be transparent with clients about what they collect and why.

THE APPS

Key obligations under the Australian Privacy Principles

APP 1 – Privacy Policy

Your practice must have a clear, accurate, and accessible privacy policy explaining what personal information you collect, why, how it is used, and how individuals can access or correct it.

APP 3 and 5 – Collection and Notification

Only collect personal information that is reasonably necessary. Notify clients at or before collection about the purposes of collection and how their information will be handled. Client onboarding and engagement letters are a specific risk point here.

APP 6 – Use and Disclosure

Personal information must generally only be used for the purpose for which it was collected. Using client information for marketing, cross-selling, or sharing with referral partners without consent can breach this principle.

APP 7 – Direct Marketing

Personal information cannot be used for direct marketing without consent or a compliant opt-out mechanism. The OAIC can issue infringement notices for certain direct marketing breaches.

APP 11 – Security

Practices must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. This includes securing practice management systems, email, and document storage.

APP 12 and 13 – Access and Correction

Individuals must be able to access and correct their personal information. Penalty notices can apply for failures to comply.

YOUR COMPLIANCE ROADMAP

What accounting practices should do now

Privacy compliance requires a structured approach across three timeframes. Immediate actions address critical gaps, medium-term work builds governance capability, and strategic initiatives embed privacy into how your practice operates.

  • Immediate (0-3 months): fix critical privacy gaps now
  • Medium term (3-12 months): build governance and processes
  • Strategic (12-18 months): embed long-term privacy strategy

Immediate: 0 to 3 months

  • Determine whether your practice provides designated services and will become a reporting entity.
  • Draft or update your privacy policy to reflect how you handle personal information.
  • Review client onboarding processes and engagement letters for APP 5 collection notices.
  • Stop using client information for marketing or referrals without documented consent.
  • Implement basic security hygiene, including removing dormant system accounts and implementing stronger authentication.

Medium term: 3 to 12 months

  • Appoint a privacy lead within the practice.
  • Document a privacy management plan.
  • Conduct data mapping across practice management systems, document storage, and email.
  • Define retention periods for client files, identity documents, and engagement records.
  • Review vendor and outsourcing contracts for privacy coverage.
  • Deliver annual privacy training with accounting-specific scenarios.

Strategic: 12 to 18 months

  • Integrate privacy processes with your AML/CTF program rather than treating them as separate workstreams.
  • Conduct privacy impact assessments for higher-risk activities, particularly client onboarding and entity structuring.
  • Integrate privacy risk into partner meeting reporting and risk registers.
  • Review professional indemnity and cyber insurance coverage.
  • Consider privacy capability as a genuine differentiator for clients in regulated sectors.

Free tool

Practical checklist

Use this as an accountability tool. Assign an owner in your team to each item and track progress against it.

Area | Immediate priority | Next phase
Privacy policy | Draft or update and publish | Schedule annual review
Collection notices | Add privacy disclosures to engagement letters and onboarding | Standardise templates across all service lines
Client files | Audit what is stored and where | Set and enforce retention and deletion periods
Marketing | Confirm consent and opt-out on all client communications | Conduct full CRM and mailing list governance review
Security | Tighten access controls on practice management systems | Commission periodic risk assessment
Training | Initial all-staff session before 1 July 2026 | Build annual refresh into calendar
Governance | Appoint a privacy lead | Integrate into partner meeting reporting cycle

How Savira can help

Savira works with Australian accounting practices to conduct privacy risk reviews aligned to the Privacy Act and APPs, update privacy policies and collection notices for the new regulatory environment, redesign client onboarding and engagement processes to meet collection and notification requirements, deliver practical scenario-based staff training tailored to accounting, implement privacy management frameworks suitable for partner-level reporting, and support incident response and regulator engagement.

Whether you are a sole practitioner, a mid-tier firm, a national network, or a provider building tools for the sector, Savira can help you move from reactive compliance to structured, defensible privacy governance, and align your customer due diligence processes with the Australian Privacy Principles so you collect what you need without over-collecting.

Staying current with privacy reform

This guide was last updated 29 March 2026 to reflect the OAIC's updated privacy guidance for AML/CTF reporting entities and the 1 July 2026 commencement date for Tranche 2. Australian privacy law continues to evolve. Register to stay across regulatory changes affecting accounting practices.