The Privacy Act 1988 gets treated as background noise by a lot of Australian business owners — something the compliance team or the lawyers worry about. That is a mistake for any business that holds client, patient, or employee data, which is to say almost every business. The Act's security obligations are not abstract; they are the standard a regulator, an insurer, or a court will hold you to after something goes wrong.
01The obligation that matters most: APP 11
Australian Privacy Principle 11 requires an organisation to take “reasonable steps” to protect the personal information it holds from misuse, interference, loss, and unauthorised access. The deliberately vague phrase “reasonable steps” is not an accident — it means the standard is judged case by case, and it is judged after an incident, when a regulator is looking at exactly what you had in place. “We assumed our IT provider had it covered” is not a defence; it is often the finding.
02The Notifiable Data Breaches scheme starts the clock early
The NDB scheme requires you to notify the Office of the Australian Information Commissioner, and the individuals affected, when a data breach is likely to result in serious harm. The clock most businesses misunderstand: the obligation to assess begins the moment you become aware of circumstances that suggest a breach may have occurred, not the moment you have confirmed exactly what happened. You have 30 days to complete that assessment — which, in practice, means you need an incident response process ready before the day you need it, not after.
03Where sector obligations stack on top
Legal practices carry professional privilege obligations alongside the Privacy Act. Medical and allied health providers add AHPRA obligations and the My Health Records Act. Financial and accounting firms carry APRA CPS 234 and AML/CTF Act duties on top. None of these replace the Privacy Act baseline — they layer additional, named duties over it. If you operate in a regulated vertical, “we comply with the Privacy Act” is necessary but not sufficient.
04How a technical incident becomes a compliance failure
The pattern we see most often: a business suffers an intrusion, contains it reasonably well on the technical side, and then handles the regulatory side badly — late notification, an incomplete understanding of what data was actually accessed, no documented assessment process. The technical incident is often survivable. The compliance failure on top of it is what turns into serious, prolonged exposure: regulatory scrutiny, loss of client trust, and in some sectors, professional registration risk.
05What “reasonable steps” looks like in practice
In our experience, the businesses that satisfy APP 11 comfortably share a short list of controls: enforced multi-factor authentication, monitored endpoint protection, tested backups, a documented and rehearsed incident-response plan, and a written record of the security decisions made and why. That written record matters as much as the controls themselves — it is what turns “we took reasonable steps” from an assertion into evidence.
If you operate in a regulated industry and have never mapped your specific obligations to your actual controls, that gap is worth closing before a regulator — or an attacker — closes it for you.
Where this leaves you
Knowing the risk is not the same as knowing your own exposure.
The Cyber Readiness Assessment gives you a written, prioritised answer in ten business days — credited toward your first year if you go further with us.