Guidance, not advice. General information on how the Privacy Act applies to small building businesses — not legal advice. Current as at May 2026; reforms are in train, so confirm the latest position with the OAIC.
Most small builders aren't directly bound by the Privacy Act yet — but reforms are expanding it, and the practices it asks for (a privacy policy, consent for marketing and photos, basic security) are becoming baseline. Here's where it stands and what to do now.
When the Privacy Act applies now
The Privacy Act 1988 and the Australian Privacy Principles (APPs) currently bind your business if any of these is true:
- your annual turnover is over $3 million (that's all income from all sources, not profit);
- you're a contractor under a Commonwealth contract (covered for the personal information you handle on it);
- you fall into a specific category (for example you provide a health service, you buy or sell personal information, you're related to an entity that is itself covered, you're an AML/CTF reporting entity, or you run a credit reporting or residential tenancy database); or
- you've opted in.
If none applies and your turnover is at or under $3 million, you're currently within the small-business exemption.
The reforms — what's law and what's announced
This is the part to be careful with:
- POLA 2024 is law. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It strengthened the APP 11 security obligation (the "reasonable steps" now explicitly include technical and organisational measures), created a statutory tort for serious invasions of privacy (in force since 10 June 2025), expanded the OAIC's enforcement and penalty powers (new mid- and lower-tier civil penalties and infringement notices), and added an automated-decision-making disclosure requirement for privacy policies (commencing 10 December 2026).
- Removing the small-business exemption is announced, not law. The Attorney-General's review recommended removing it so all businesses handling personal information comply with the APPs, and the government has signalled in-principle support — but it sits in a second tranche expected in 2026-27, with no firm commencement date as at May 2026. Treat it as a direction of travel, not a current obligation.
- Separately, AML/CTF reforms from 1 July 2026 extend reporting obligations to "tranche 2" businesses (lawyers, accountants, real estate agents and dealers in precious metals and stones), and reporting entities are covered by the Privacy Act regardless of turnover. That affects specific sectors, not typical builders.
Customer data and site photos
If you're covered (and as good practice if you're not), the APPs apply to personal information, which includes photos that identify people:
- Customer data: names, addresses, contact details, project notes and billing are personal information. Collect only what's reasonably necessary for the job, keep it secure, and destroy or de-identify it once you no longer need it (APP 11.2).
- Site photos and video: images that identify an individual are personal information. If an image reveals something like racial or ethnic origin, religious beliefs or a health condition, it's sensitive information, which carries a higher standard and generally needs the person's consent to collect (APP 3.3). For ordinary progress photos where people are incidental, the watchword is transparency: tell customers why you photograph, how images are used, how long they're kept and who they're shared with.
Consent for marketing and using photos
Information collected to deliver a job can only be used for something else, such as marketing, where the customer would reasonably expect it or has consented. So use contact details for marketing only on that basis, and always offer an easy opt-out. If you want to use project photos in advertising (website, socials, brochures) where owners, family or workers are identifiable, get written consent that describes the intended uses. The OAIC's line is that using an image for a purpose different from the one originally described will probably need consent unless the person would reasonably expect it (see Social Media for Tradies and Building Your Reputation).
The core APP obligations (if covered)
A privacy policy (APP 1; there are now civil penalties for not having a compliant one); collection limited to what's necessary, with notice of what you collect and why (APPs 3 and 5); use and disclosure restricted to the original or a reasonably expected purpose, with care before sending data offshore via overseas cloud services (APPs 6 and 8); and security, access and correction (APPs 11-13). These sit alongside the Notifiable Data Breaches scheme, which requires covered entities to notify the OAIC and affected individuals as soon as practicable of an "eligible data breach", meaning unauthorised access, disclosure or loss that is likely to result in serious harm.
Practical steps now (be APP-ready even if exempt)
Map your data (what you collect, where it's stored, who can access it, how long you keep it), draft a short plain-English privacy policy for your website and contract pack, tighten consent for marketing and photo use with an easy opt-out, and improve security: device locks, unique passwords kept in a password manager, MFA on email and cloud accounts, reputable cloud storage (check where it holds data, given APP 8), and need-to-know access for staff and subcontractors (see Cyber Security for Tradies and Backing Up Your Business). Given the direction of reform and rising OAIC enforcement, a business that runs on customer contacts and job photos is well advised to be APP-ready even while technically exempt.
Common mistakes
- Assuming the reforms are already law (the exemption removal isn't — yet).
- Using project photos of identifiable people in ads without written consent.
- Marketing to customers with no opt-out and no reasonable expectation.
- No privacy policy once you tip over $3m turnover or win a Commonwealth contract.
Spotted something wrong or out of date? Email us at hello@kilnguides.co.uk.