The government has indicated support for changes suggested by the Australian Law Reform Commission (ALRC), but not until late 2010, which includes harsher penalties for infringement, said Weedon.

"At the moment the only penalty is a compensation that should be paid to the person who has had their privacy infringed, plus an adverse determination. But what the ALRC has recommended is to increase the penalties for severe breaches of the Privacy Act to civil penalties - which is a particularly scary issue for directors of companies," she said.

The reforms include abolishing the small business exemption so that the Privacy Act applies to all companies, even if their turnover is less than $3 million, as well as introducing greater responsibilities on companies, said Weedon.

"One of the major things that will be introduced is a data breach notification system which will require organisations to notify the privacy office (Office of the Privacy Commissioner) of any breaches of the Privacy Act that they've engaged in so it's like a self-reporting system," she said.

Weedon said the downturn had meant that businesses were dedicating less resources to comply with privacy laws and a lack of understanding surrounded the legislation.

"There is a lot of extra technology floating around and it's easy for businesses to transfer information with the click of a button. Previously it would have to be photocopied and sent over, or something like that. I think that not too many businesses have the Privacy Act at the front of their mind, so compliance with it, given that they don't know what it entails, is pretty difficult," she said.

- Sarah Sharples