The first stage of reforms, set to be implemented within a year's time, will address this process of simplifying and streamlining the Privacy Act, while the second stage, which will include statutory course of action for data and privacy breaches, will be looked at in 12-18 months time.

"First and foremost there is not going to be any real immediate impact in terms of changes of investment in either IT infrastructure or security infrastructure," said Gartner security analyst Andrew Walls.

"Part one is going to take a good 12 months to get all the actual regulations set out, then there will have to be some sort of compliance period so we're several years out from things really hitting the ground and organisations having to show compliance.

"But at the same time businesses should be looking carefully at the recommendations and the potential impact they will have on their business processes, their business models, and the infrastructure that supports all of those activities," he said.

One area of IT that will feel the impact will be the Human Resources department, where employee data will no longer be exempted under the ALRC's recommendations.

"That may affect internal practices and how security controls are applied. I suspect many organisations will have to look very carefully at how they manage employee data and ask themselves - if we have to treat that as private data, what are the implications?" Walls said.

According to security vendor Marshal's lead technical consultant, Oscar Marquez, internal traffic is a leading cause of data leakage, and organisations need solutions that monitor the flow of sensitive information like documentation, e-mails, and mobile-to-e-mail data.

"In essence, the new amendments are about being able to report on and monitor e-mail and Web use, internally and externally, before taking the necessary steps to prevent misuse," Marquez said.

"IT managers do not need to implement new technology for technology's sake. Instead they need to firstly educate end-users, as many data breaches can happen accidentally, and secondly, to update their internal policies to be in line with the Privacy Act. Industries such as health and financial services, as well as large companies, need to pay particular attention to these amendments."

Marquez cited the example of an end user at a health company who accidentally sent an entire database of contacts to a doctor, who in turn shared this with a pharmaceutical company for financial gain.

"This black market of information is exactly what the Privacy Act aims to prevent. End-users need to know their confidential data will be secured and not sold," he said.