On 10 December 2025, the regulatory environment for Australian businesses tightened further. The Online Safety Amendment (Social Media Minimum Age) Act 2024 commenced its minimum age obligation on that date, while the Privacy and Other Legislation Amendment Act 2024 has applied progressively since December 2024, including a statutory tort for serious invasions of privacy in force since 10 June 2025. Together, these reforms impose strict obligations on how organisations handle personal information. While the headlines focus on the social media ban, the practical lesson for Small and Medium Enterprises (SMEs) is data minimisation. If you collect driver’s licences, passports, or birth certificates to verify identity, you now face increased liability.

Many business owners believe that retaining customer records indefinitely is good administration. It is not. In the event of a cyber incident, every unnecessary record you hold increases the damage. We frequently provide legal advice for data breach containment, and the most severe cases almost always involve the theft of legacy data that the business no longer needed. The law requires you to demonstrate how you collect, store, and delete this information.

The Liability of Hoarding Data

Historically, businesses operated on a “collect everything” model. Real estate agents kept rental applications from ten years ago. Recruiters archived CVs and passport scans of unsuccessful candidates. This practice is now a toxic asset. The amended Privacy Act introduces tougher enforcement: a tiered civil penalty regime and OAIC infringement notices commenced in December 2024, alongside the new statutory tort. If a breach occurs and the Commissioner finds you held sensitive data without a valid current purpose, the regulatory consequences will be severe.

One qualification applies. The Privacy Act generally does not bind businesses with an annual turnover of $3 million or less, unless an exception applies, such as private health service providers or businesses that trade in personal information. The statutory tort carries no such exemption. A small business outside the Privacy Act can still be sued for a serious invasion of privacy.

The principle is simple: you cannot lose what you do not have. Reducing the volume of data you hold is the most effective way to reduce your risk profile. As a cybersecurity lawyer Melbourne businesses rely on, I advise clients to treat personal data like hazardous material. Store only what is strictly required and dispose of it immediately after use.

In October 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million over the Medlab Pathology data breach, the first civil penalty under the Privacy Act. The case concerned failures to secure personal information and to assess and notify the breach promptly, rather than data retention as such, but it shows how closely the courts now scrutinise data governance. The penalty was imposed on the company, and the judgment criticised the conduct of senior management. You can read more about the implications for boards and senior management in our previous analysis.

Age Assurance Without Surveillance

The new laws create a paradox. Age-restricted social media platforms must verify that users are 16 or older, yet they must not hoard the data used to prove it, and they cannot compel users to provide government identification as the only method. That obligation sits with the designated platforms, not with SMEs generally. The same principle applies, however, to any business that checks identity for tenancy applications, recruitment, customer due diligence, or age-restricted sales. This is where zero-document storage becomes the operational standard. Technologies exist that allow you to verify an ID against a government database (like the Document Verification Service) and receive a “match” or “no match” result. You record the result. You do not record the image of the driver’s licence.

Industry experts argue that age assurance must not become data collection under a different guise. Some verification providers are adopting zero-knowledge proofs, where the verifying party never sees or stores the underlying document; Google has announced this approach for age verification through Google Wallet. For an SME, this means shifting from asking customers to “email a scan of your ID” to using a secure portal that verifies the user without retaining the artefact.

Legal Advice for Data Breach Prevention

Preventing a breach is a legal duty, not just an IT task. The Privacy Act requires you to take reasonable steps to protect the information you hold, and the 2024 amendments make explicit that reasonable steps include technical and organisational measures. A separate obligation, Australian Privacy Principle 11.2, requires you to destroy or de-identify personal information once it is no longer needed. If you suffer a breach and it is revealed you were holding thousands of expired identity documents, your defence weakens significantly.

When seeking legal advice for data breach prevention, consider the following:

  • Retention Policies: Do you have an automated system that deletes customer data after a set period (for example, five years for most tax records under ATO rules, seven years for company financial records and employee records, and immediately for failed ID checks)?
  • Vendor Contracts: Do your software providers store your customer data indefinitely? You remain responsible for information they hold on your behalf. The Australian Clinical Labs judgment confirms that outsourcing security does not discharge your obligations.
  • Insurance Compliance: Cyber insurers increasingly ask for evidence of data destruction processes. Poor retention practices can complicate claims and weaken your position after an incident.

Meta’s $50 million payment program, agreed with the OAIC through an enforceable undertaking in December 2024 and given without any admission of liability, demonstrates the cost of privacy disputes even where no contravention is found. While the scale differs, the legal principles regarding consent and data handling apply to Australian SMEs. We discuss this in our article on lessons from the Meta settlement.

Meeting Data Minimisation Legal Requirements Australia

The term “data minimisation” is not a suggestion; it is a compliance requirement. The Office of the Australian Information Commissioner (OAIC) expects entities to destroy or de-identify personal information once it is no longer needed for a permitted purpose. The obligation itself is not new. APP 11.2 has applied since 2014. What has changed is enforcement. Data minimisation legal requirements Australia wide now carry tiered penalties, infringement notices, and a demonstrated judicial willingness to impose them.

Encryption alone is not a complete answer. Simply encrypting a massive, unnecessary database is insufficient. If the encryption key is stolen, the data is exposed. Deletion is the only permanent security measure.

Practical Steps for Executives

Business owners should take three immediate actions:

  1. Audit your data estate. Identify where you store identity documents. Check email inboxes, downloads folders, and legacy servers.
  2. Stop collecting raw documents. Switch to identity verification providers that offer zero-storage solutions.
  3. Update your Privacy Policy. Clearly state that you do not retain identity documents after verification. This builds trust and sets a binding standard for your staff.

The Online Safety Amendment (Social Media Minimum Age) Act 2024 also signals a shift in how we view digital consent. For a broader look at how the ban impacts tech companies and compliance, review our breakdown of the under-16 social media ban.

Commercial Reality

Data is a liability. The cost of storing it is low, but the cost of losing it is existential. The new legislation forces a commercial decision: invest in proper deletion protocols now, or pay for remediation and legal defence later. If you are unsure whether your current data practices meet the new threshold, or if you need to restructure your privacy framework to limit liability, we can assist.

Contact our Melbourne office to arrange a consultation regarding your data governance and privacy obligations.

Avatar photo
About Blaine HattieBlaine Hattie is a Principal in Commercial Transactions at Sutton Laurence King Lawyers. He advises businesses on transactions and finance with a special interest in technology, cybersecurity, digital media, defamation, and artificial intelligence.

Book an appointment with one of our Lawyers to discuss your specific needs.

Book a Consultation

A Note on the Information We Share

Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.