Does the Privacy Act Apply to Your Business?
The Australian Privacy Act 1988 applies to all Australian Government agencies and to private sector organisations with an annual turnover of more than $3 million. It also applies to smaller businesses in specific circumstances, including those that provide a health service and hold health information, trade in personal information (buying or selling it), are related to a business that is itself covered by the Act, or are contracted service providers under a Commonwealth contract.
Even if your business falls below the $3 million threshold, it is worth noting that the proposed reforms to the Privacy Act (which have been progressing through Parliament) may extend coverage to all businesses regardless of size. Regardless of legal obligation, the principles of good data handling are simply good business practice in an era where data breaches make headlines and destroy customer trust.
The IT Requirements Under the Privacy Act
The Privacy Act establishes 13 Australian Privacy Principles (APPs) that govern how organisations collect, use, store, and disclose personal information. Several of these have direct implications for your IT infrastructure and practices.
APP 11 — Security of Personal Information
This is the principle with the most significant IT implications. APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. What constitutes “reasonable steps” is not fixed by the Act; the OAIC weighs the nature and size of the organisation, the amount and sensitivity of the information, the adverse consequences for individuals if it were compromised, the practicality and cost of a given control, and whether a control would itself be privacy-invasive. The more sensitive the data and the worse the consequences of a breach, the more you are expected to do.
In practical IT terms, this means implementing and maintaining appropriate cybersecurity controls. APP 11 does not prescribe a control set, but in practice a defensible position for most organisations includes endpoint protection on all devices, encryption of personal data in storage and in transit, access controls limiting who can view personal information, strong authentication including multi-factor authentication, regular patching of systems and applications, secure configuration of networks and cloud services, and periodic security assessments. Equally important is being able to show you did these things: keep records of the controls in place, the decisions behind them and the reviews performed, because “reasonable steps” is judged after the fact.
The Essential Eight framework from the ACSC provides an excellent baseline for meeting the “reasonable steps” requirement under APP 11. While the Essential Eight is not explicitly referenced in the Privacy Act, implementing it demonstrates a structured, industry-recognised approach to cybersecurity that would strongly support your compliance position.
APP 8 — Cross-Border Disclosure
If personal information is disclosed to overseas recipients, including cloud or SaaS services hosted outside Australia, APP 8 requires you to take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. This is more than a contractual formality: under section 16C of the Act, an act or practice of the overseas recipient that would breach the APPs is generally treated as a breach by you, unless an exception applies (for example, the recipient is subject to a law or binding scheme substantially similar to the APPs, or the individual consented after being expressly informed of the risk). This has direct implications for your choice of cloud providers, email services and any SaaS platforms that process personal data. You should know in which country each data store and backup resides, including any sub-processors the provider uses, and ensure your contracts with overseas providers bind them to data protection obligations equivalent to the APPs.
APP 1 — Open and Transparent Management
Your organisation must have a clearly expressed and up-to-date privacy policy that describes how you manage personal information. From an IT perspective, this means you need to know what personal information your systems collect and store, where it is stored, who has access, how long it is retained, and what happens when it is no longer needed (APP 11.2 requires destruction or de-identification of information that is no longer needed).
The Notifiable Data Breaches (NDB) Scheme
Since 22 February 2018, the NDB scheme has required organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any of the individuals concerned. If you suspect a breach but are not yet sure it meets that threshold, you must carry out an assessment and complete it within 30 days of becoming aware of the grounds for suspicion. If the threshold is met, you must prepare a statement for the OAIC and notify affected individuals as soon as practicable. If you take remedial action quickly enough that serious harm is no longer likely, notification is not required, which is one more reason fast detection and containment matter.
The IT implications are significant. You need the technical capability to detect data breaches in the first place, which requires centralised logging and security monitoring across endpoints, identity systems and cloud services. You need the forensic capability to establish what data was accessed or exfiltrated, which depends on logs being retained long enough and protected from tampering by the attacker. You need documented incident response procedures that your team can execute under pressure, including who decides whether the notification threshold is met. And you need backup and recovery capabilities, with backups kept where an attacker who controls your production environment cannot delete or encrypt them, to restore systems and data after an incident.
Practical Steps for IT Compliance
Meeting your Privacy Act obligations from an IT perspective does not require massive investment, but it does require deliberate action.
Conduct a data audit. Identify what personal information your business collects, where it is stored (on-premises, cloud, third-party systems), who has access, and how it flows through your organisation. You cannot protect what you do not know you have.
Implement the Essential Eight. The ACSC’s Essential Eight framework provides a structured, prioritised approach to the cybersecurity controls that underpin Privacy Act compliance. Even achieving Maturity Level One significantly strengthens your security posture.
Encrypt sensitive data. Personal information should be encrypted both at rest (stored on disk) and in transit (transmitted over networks). Cloud platforms such as Microsoft 365 encrypt stored data by default, but be clear about what that protects against: provider-side encryption at rest defends against a stolen disk or a compromised data centre, not against an attacker who signs in with a phished or stolen account. For cloud-hosted personal information the practical protection comes from the access controls, MFA and secure configuration that sit in front of the encryption, so those settings need to be deliberately configured and reviewed rather than left at defaults.
Implement access controls. Not every employee needs access to all personal information. Role-based access controls, applied on a least-privilege basis, ensure that staff can only access the data they need for their specific role. Review group memberships and shared-folder permissions regularly, and remove access promptly when people change roles or leave.
Prepare an incident response plan. Document what happens when a suspected data breach is detected. Who is responsible? What are the steps for containment, assessment, and notification? Practice the plan at least annually.
Review third-party providers. Ensure your contracts with IT vendors, cloud providers, and SaaS platforms include appropriate data protection clauses, particularly for any providers that access or store personal information on your behalf.
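An added example (not from the article, and not a TechAssist tool) of what the first practical step, the data audit, can look like in code: a first-pass personal information discovery scan in Python. It walks a directory tree, flags files containing email addresses, Australian mobile numbers or Tax File Numbers, and validates TFN candidates with the ATO's published modulus-11 check digit so that invoice and order numbers are not reported as personal information. The directory layout and file contents are constructed for the example; in real use you would point scan_tree() at a file share or a synced cloud storage folder, and extend the pattern set (Medicare numbers, dates of birth, addresses) to match what your business actually holds.

```python
"""Added example, not from the original article: a first-pass personal
information discovery scan for the "data audit" step. Sample files are
constructed below and written to a temporary directory."""
import os
import re
import tempfile

# Check weights published by the ATO for the 9-digit TFN modulus-11 algorithm.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Indicators of personal information commonly found in Australian business
# data. The digit lookarounds stop a longer digit run (e.g. a 10-digit
# mobile number) from being read as a 9-digit TFN.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "au_mobile": re.compile(r"(?<!\d)(?:\+61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "tfn_candidate": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
}


def tfn_is_valid(candidate: str) -> bool:
    """True if the digits pass the TFN check-digit test (sum of digit*weight
    divisible by 11). About 1 in 11 random 9-digit numbers also pass, so this
    reduces rather than eliminates false positives."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def classify_text(text: str) -> set:
    """Return the set of personal-information categories seen in text."""
    found = set()
    if PATTERNS["email"].search(text):
        found.add("email")
    if PATTERNS["au_mobile"].search(text):
        found.add("au_mobile")
    if any(tfn_is_valid(m.group(0)) for m in PATTERNS["tfn_candidate"].finditer(text)):
        found.add("tfn")
    return found


def scan_tree(root: str) -> dict:
    """Walk root and map each file (path relative to root) that holds
    personal information to the sorted list of categories found in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                cats = classify_text(fh.read())
            if cats:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(cats)
    return findings


# Constructed sample files: no real people. 123 456 782 satisfies the check
# digit but is a well-known test value, not anyone's TFN. The invoice and
# reference numbers are 9-digit runs that fail the check and must not be flagged.
SAMPLE_FILES = {
    "hr/payroll_2024.csv": "name,tfn,mobile\nAlex Citizen,123 456 782,0412 345 678\n",
    "finance/invoices.txt": "Invoice 123456789 paid. Ref 987654321.\n",
    "marketing/newsletter_list.txt": "Subscriber: jo@example.com\n",
    "README.md": "Internal wiki export. No customer data in this folder.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="data_audit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> dict:
    """Build the sample tree, scan it, print and return the findings."""
    findings = scan_tree(build_sample_tree())
    for rel, cats in sorted(findings.items()):
        print(f"{rel}: {', '.join(cats)}")
    return findings


if __name__ == "__main__":
    demo()
```

The output is a starting inventory, not proof of completeness: databases, mailboxes and SaaS tenants are not files on disk and need their own discovery, and a digit run that passes the check digit is still only a candidate until someone confirms it. What the scan does give you is the list of locations to carry into the access, retention and third-party reviews that follow.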
Getting Help
Privacy Act compliance is an ongoing obligation, not a one-time project. As your business grows, your IT environment changes, and the regulatory landscape evolves, your compliance measures need to keep pace.
TechAssist provides managed IT services that include the cybersecurity controls, monitoring, and incident response capabilities Australian businesses need to meet their Privacy Act obligations. Contact us to discuss your compliance requirements.