Privacy Act compliance for Australian businesses starts with your actual IT environment, not legal wording alone. Data mapping, access control, retention settings, and breach readiness are practical controls regulators and clients both care about. If an audit happened tomorrow, could you clearly show where personal information lives and how it is protected?
Who the Privacy Act Applies To
The Privacy Act 1988 applies to Australian Government agencies and most private sector organisations with an annual turnover of more than $3 million. Certain categories of organisation are covered regardless of turnover: health service providers (including allied health, medical practices, and pharmacies), credit reporting bodies, organisations that buy or sell personal information, and contractors to the Australian Government.
From late 2024, proposed amendments to the Privacy Act significantly expanded obligations for businesses of all sizes — increasing the focus on data minimisation, consent, transparency, and individual rights. Businesses that previously sat below the $3 million threshold are increasingly subject to scrutiny, particularly if they handle health information, financial data, or information about children.
For practical purposes: if your Sydney business collects, stores, or processes personal information about clients, staff, or third parties — and most do — Privacy Act compliance is relevant to your operations.
The 13 Australian Privacy Principles
The Privacy Act is built around 13 Australian Privacy Principles (APPs), which cover how personal information must be handled across its full lifecycle. The principles most relevant to IT infrastructure and managed IT services are:
APP 1 — Open and transparent management. Organisations must have a clearly expressed privacy policy describing how personal information is managed. Staff need to know what the policy requires of them.
APP 6 — Use and disclosure. Personal information collected for one purpose cannot be used or disclosed for an unrelated purpose without consent. This has implications for how data is stored, who can access it, and what gets shared with third-party software and cloud services.
APP 11 — Security of personal information. Organisations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. This is the principle most directly supported by managed IT security controls.
APP 12 — Access to personal information. Individuals have the right to access their personal information. Organisations need systems that make it possible to locate and retrieve information held about a specific person.
What “Reasonable Steps” Means for IT Security
APP 11’s requirement to take “reasonable steps” to protect personal information is the bridge between privacy law and IT security. The Office of the Australian Information Commissioner (OAIC) has indicated that reasonable steps include:
- Technical controls — encryption of personal information at rest and in transit, access controls limiting who can view personal data, endpoint security preventing unauthorised access
- Organisational controls — staff training on privacy obligations, documented data handling procedures, incident response plans
- Physical controls — secure storage of physical documents containing personal information
The OAIC does not prescribe specific technologies. What constitutes “reasonable steps” depends on the sensitivity of the information held, the volume of data, the size of the organisation, and the cost and feasibility of available controls. A medical practice holding patient records has higher obligations than a small consultancy holding client contact details.
Critically: “reasonable steps” is assessed against what was available and known at the time of an incident — not what was convenient or affordable. A cyber incident that exposes personal information, where the organisation had not deployed basic controls like MFA, EDR, or patch management, is likely to be found non-compliant regardless of budget constraints.
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) scheme, in force since 2018, requires organisations covered by the Privacy Act to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. Serious harm includes financial loss, identity theft, physical harm, serious humiliation, and damage to reputation or relationships.
Notification must happen “as soon as practicable” after an organisation becomes aware of a breach — typically within 30 days. Late notification, or failure to notify, is itself a breach of the Privacy Act and can attract significant penalties. Penalties for serious or repeated interferences with privacy were significantly increased in 2022, with maximum penalties for organisations raised to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover.
Having an incident response plan is directly relevant to NDB compliance. An organisation that discovers a breach needs to assess its severity, determine whether notification is required, notify the OAIC and affected individuals, and contain and remediate the incident — all while under time pressure. Running this process for the first time during an actual incident is not a plan.
Cloud Services and Third-Party Privacy Obligations
Most Sydney businesses now rely on cloud services for email, document storage, CRM, accounting, and industry-specific platforms. Each of those services involves disclosing personal information to a third party. Under the Privacy Act, the organisation disclosing the information remains responsible for ensuring it is handled in accordance with the APPs — even when the actual handling is done by the cloud provider.
This means vendor due diligence is a privacy compliance requirement. Before adopting a cloud service that will handle personal information, organisations should confirm: where data is stored (Australian data residency matters for some regulatory contexts), what security controls the provider applies, what their data breach notification process is, and whether the contract includes appropriate privacy and data handling clauses.
Microsoft 365 with Australian data residency (Azure Australia East) is a common choice for Sydney businesses with Privacy Act obligations. It provides data sovereignty, strong access controls, audit logging, and retention policies that support compliance requirements. Managing Microsoft 365 correctly — including configuring access controls, retention labels, and security settings appropriately — is a managed IT function, not a default configuration.
Data Retention and Disposal
The Privacy Act requires that personal information no longer needed for the purpose it was collected must be destroyed or de-identified (APP 11.2). In practice, many Sydney businesses accumulate personal information indefinitely — old client records, employee files, email archives, backup data — without a documented retention and disposal policy.
A data retention policy defines how long different categories of information are kept, where they are stored, and how they are disposed of when no longer needed. Secure disposal of electronic data means overwriting or cryptographic erasure — not simply deleting files. For physical documents, it means cross-cut shredding or a secure document destruction service. Devices being retired or repurposed must be wiped before reuse or disposal.
This is not just a legal obligation — it is good risk management. Data you do not hold cannot be breached. Minimising personal information holdings reduces both your compliance burden and your exposure in the event of an incident.
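Cryptographic erasure, mentioned above as one acceptable form of secure disposal, is worth seeing in working code because it is what makes the "backup data" and "email archives" problem tractable: if each record is encrypted under its own key and disposal destroys that key, every lingering copy of the ciphertext becomes unrecoverable at once. The example below is added here and is not code from the original page or from Milnsbridge; the `RecordStore` class, record ids and personal-information sample are constructed, and the HMAC-based stream cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
# Added example (not from the page): cryptographic erasure of personal information.
# Each record is encrypted under its own data-encryption key (DEK) kept in a
# separate key store; disposal destroys the DEK, so every copy of the ciphertext
# (live store, archive, backup) is inert. HMAC-SHA256 counter-mode stream cipher
# is a stdlib-only stand-in; use AES-GCM from a vetted library in production.
import hashlib
import hmac
import secrets
NONCE_LEN = 16

def _keystream(key, nonce, length):
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class RecordStore:
    """Constructed model: key store, live record store, and backup snapshots."""
    def __init__(self):
        self.keys = {}      # record_id -> DEK (a key vault or HSM in practice)
        self.records = {}   # record_id -> ciphertext (live store)
        self.backups = []   # ciphertext snapshots, as backup media retain them

    def store(self, record_id, personal_info):
        dek = secrets.token_bytes(32)
        self.keys[record_id] = dek
        self.records[record_id] = encrypt(dek, personal_info)

    def snapshot_backup(self):
        self.backups.append(dict(self.records))

    def read(self, record_id, source=None):
        dek = self.keys.get(record_id)
        blob = (self.records if source is None else source).get(record_id)
        return None if dek is None or blob is None else decrypt(dek, blob)  # no key: unrecoverable

    def dispose(self, record_id):
        """APP 11.2 disposal: destroy the DEK; stray ciphertext copies are inert."""
        self.keys.pop(record_id, None)
        self.records.pop(record_id, None)
```

The point to take from it: after `dispose`, the backup snapshot still contains the ciphertext, but `read` against that snapshot returns nothing because the key is gone, which is exactly what a retention policy needs from backups that cannot be selectively rewritten.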
How Managed IT Supports Privacy Act Compliance
The technical controls required by APP 11 overlap significantly with the controls a well-structured managed IT plan delivers as standard.
Milnsbridge’s Growth plan at $99 per seat per month includes SentinelOne EDR on all managed endpoints, cloud-hosted email security, 24/7 monitoring across all managed devices, systematic patch management, Microsoft 365 management (including access controls and retention policies), cyber awareness training for staff, DNS filtering, and password management via Keeper. These controls directly address the technical requirements for reasonable steps under APP 11.
Available as separately quoted add-ons: Duo MFA enforcement, cloud backup ($149 per month per server, 500GB included), disaster recovery ($229 per month per server), and Essential Eight uplift assessment. For organisations with significant personal information holdings — healthcare, financial services, legal — the Essential Eight framework provides a recognised benchmark for security maturity that maps closely to the OAIC’s expectations for reasonable steps.
Milnsbridge holds a 4.9-star Google rating across 99 reviews and has supported Sydney businesses with managed IT and cyber security since 2002. We operate on 12-month agreements with a 10-seat minimum, serving organisations from 10 to 200 seats.
To discuss how your IT environment supports Privacy Act compliance, contact Milnsbridge. You can review our per-seat pricing, learn more about our managed IT services, or explore our cyber security services and how they map to your compliance obligations.