What Perth Businesses Need to Know About the Privacy Act

Plain English guidance on your obligations, what changed in 2024 and 2025, and how to protect your clients — and your business

Does the Privacy Act Apply to Your Business?

The Privacy Act 1988 sets out how organisations must collect, store, use and disclose personal information — names, email addresses, phone numbers, health records, financial data, employment records. Many Perth business owners assume it only applies to large organisations. The turnover threshold is one trigger, but it is not the only one.

Important: The information on this page is general in nature and is intended to help business owners understand their obligations at a high level. It is not legal advice. If you have specific concerns about your compliance obligations, DM1 recommends speaking with a qualified lawyer.

Which category are you in?

A — Annual turnover over $3 million

The Privacy Act applies to you regardless of your industry. You are required to comply with all 13 Australian Privacy Principles.

B — Healthcare, legal, financial services, or real estate

The Act applies to you regardless of your annual turnover. These sectors have additional obligations on top of the standard APPs.

C — Small business, none of the above

You may be exempt from some provisions, but you are not exempt from the Notifiable Data Breaches Scheme if you hold health information, or from obligations that arise by contract. Many suppliers and government clients require privacy compliance regardless of your size.

The 13 Privacy Principles — What They Actually Mean

There are 13 Australian Privacy Principles (APPs) in the Act. Rather than list all 13, here is what they require grouped into four practical themes — because that is how they will affect your day-to-day operations.

1 — Collecting information

You must only collect personal information that you actually need for your business. You must tell people what you are collecting, why you are collecting it, and who you might share it with. Collecting data ‘just in case it is useful’ is not compliant.

2 — Using information

You can only use personal information for the purpose you collected it for. If you want to use it for something else — for example, sending marketing emails to a client you dealt with for a service matter — you need separate consent.

3 — Keeping it secure

You must take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, or disclosure. You must have a plan for what to do if something goes wrong. And when you no longer need it, you must destroy or de-identify it.

4 — Giving people control

Individuals have the right to know what information you hold about them, to request corrections, and in some circumstances to request that their information be deleted. You must have a process for handling these requests.

If Something Goes Wrong — the Notifiable Data Breaches Scheme

The Notifiable Data Breaches (NDB) Scheme requires eligible organisations to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm.

What triggers a notification obligation?

Unauthorised access to personal information, such as a hacker accessing your systems.
Accidental disclosure, for example an email containing client records sent to the wrong person.
Loss of a device containing unencrypted personal information.
Ransomware that encrypts files containing personal information.
A former staff member retaining access to client data after leaving.

What you need to be able to demonstrate

You became aware of the breach and assessed it within 30 days.
You identified who was affected and what data was involved.
You notified the OAIC and affected individuals as soon as practicable.
You had reasonable security measures in place at the time.
You have a documented response process, even a basic one.

The 30-day clock starts when you become aware that a breach may have occurred — not when you confirm it. Many businesses are caught out because they delayed investigation. If you are unsure whether something is a notifiable breach, you must still assess it within 30 days and document that assessment.

What Changed in 2024 — and What Came Into Effect in June 2025

The Privacy and Other Legislation Amendment Act 2024 introduced the most significant changes to Australian privacy law in over a decade. If you have not reviewed your practices since 2023, these changes are relevant to you.

Penalty increase — now in effect

The maximum penalty per incident for serious or repeated privacy breaches increased to $62,600 for individuals and significantly higher for organisations. The OAIC can pursue these through the Federal Court. The previous limits, which many businesses relied on as a form of de facto immunity, no longer apply.

Right to sue — in effect since June 2025

Since June 2025, individuals have had the right to take legal action directly against organisations for serious invasions of privacy — without going through the OAIC first. A serious invasion of privacy includes misuse of sensitive information, failure to secure data that results in harm, and targeted use of personal information the individual did not consent to.

What this means in practice: The gap between “we have never had a breach” and “we are compliant” is now much more visible — and much more costly to ignore. Being able to demonstrate that you took reasonable steps to protect personal information is your primary defence. The size of your business is not a mitigating factor.

Your Industry May Have Additional Obligations

On top of the Privacy Act, several industries in Western Australia are subject to additional legislation with specific requirements around how personal and client information must be managed, retained, and protected.

Healthcare

Health information is sensitive information under the Act and subject to stricter rules. Records for adult patients must be retained for a minimum of seven years. Records created when a patient was a minor must be retained until the patient turns 25. Clinical staff accessing patient records must be identifiable — shared logins are not compliant. Breach notification obligations apply regardless of organisation size.

Privacy Act 1988, My Health Records Act 2012

Legal Services

Client matter files must be retained for a minimum of seven years after the matter closes, longer in some circumstances. Trust account data has specific obligations under the Legal Profession Uniform Law. Staff and former staff access to client files must be tightly controlled. File destruction must be documented — you cannot simply delete files without a record of what was destroyed and when.

Privacy Act 1988, Law Society of WA practice standards

Financial Services

Financial records must be retained for a minimum of five years. Anti-money laundering obligations apply where your business provides designated services. Identity verification records have specific retention requirements. Adviser obligations include maintaining records of client instructions and advice in a retrievable form.

Privacy Act 1988, Corporations Act 2001, AML/CTF Act 2006

Real Estate

Trust account data obligations apply under the Real Estate and Business Agents Act 1978 (WA). Client identification documents, tenancy records, and sale records have specific retention requirements. Tenant personal information — including financial information and references — must be secured and not retained beyond its required period. Access to property management software containing tenant data must be role-controlled.

Privacy Act 1988, Real Estate and Business Agents Act 1978 (WA)

What Does ‘Reasonable Steps’ Actually Mean?

The Privacy Act requires you to take reasonable steps to protect personal information. The OAIC does not define this as a fixed checklist — it is assessed against what was reasonable for a business of your size, in your industry, given the type of information you hold.

Technical measures

Multi-factor authentication on all systems holding personal information.
Role-based access: staff can only see what they need for their job.
Formal offboarding: access removed the day a staff member leaves.
Encrypted storage for sensitive records.
Audit logging so you can demonstrate who accessed what.
Up-to-date endpoint protection on all business devices.

Process and governance

A privacy policy that accurately describes how you handle information.
Staff who understand what personal information they handle and why.
A documented process for what to do if a breach occurs.
A retention and destruction schedule for personal information.
Contracts with suppliers who handle your client data on your behalf.

You do not need to be perfect. You need to be able to show that you took it seriously and acted proportionately to the risk.

How DM1 Helps You Meet These Obligations

DM1 does not provide legal advice. What DM1 does is set up and manage the technical side of your Microsoft 365 environment in a way that directly supports the reasonable steps standard — and gives you the audit trail to demonstrate it.

What DM1 sets up

Multi-factor authentication enforced for every user via Conditional Access.
Role-based access controls: staff see only what they need.
Unified audit logging in Microsoft Purview: every file access and email action recorded.
Retention policies: documents held for required periods, then automatically managed.
Intune device management: enforces encryption, screen lock, and remote wipe on all devices.
Microsoft Defender for Business: endpoint protection across all computers.

What DM1 manages ongoing

Staff onboarding: new accounts set up with correct access, never over-permissioned.
Staff offboarding: access removed and accounts disabled on the day staff leave.
Security alerts monitored and responded to.
Licence auditing: no orphaned licences left on departed staff.
Regular review of who has access to what.
Documentation of your configuration that supports your privacy compliance position.
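The same-day offboarding step above (and the "formal offboarding" and "audit logging" items under reasonable steps) can be made repeatable and evidenced with a short script. This is an added example, not DM1's tooling: it uses the Microsoft Graph PowerShell SDK (assumed installed, run by an operator permitted to disable users and manage groups and licences), and the user principal name is a constructed placeholder.

```powershell
# Added example (not DM1's tooling): same-day offboarding of a Microsoft 365 account
# with the Microsoft Graph PowerShell SDK. Assumes the SDK is installed and the operator
# holds a role that may disable users and manage groups and licences.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # constructed, e.g. 'j.smith@example.com.au'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled
$log  = [System.Collections.Generic.List[string]]::new()   # becomes the evidence record

# 1. Block sign-in first, so no new logins succeed from the moment the person leaves.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$log.Add("$(Get-Date -Format o) account disabled")

# 2. Revoke refresh tokens so sessions already open on a phone or laptop cannot silently renew.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$log.Add("$(Get-Date -Format o) sign-in sessions revoked")

# 3. Remove group memberships that grant access to SharePoint libraries, Teams and shared mailboxes.
#    Dynamic or Exchange-managed groups reject direct removal; those errors are logged, not fatal.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Continue
    $log.Add("$(Get-Date -Format o) removed from group $($g.AdditionalProperties['displayName'])")
}

# 4. Release licences so none are left orphaned on the departed account.
$skus = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skus) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
    $log.Add("$(Get-Date -Format o) removed $($skus.Count) licence(s)")
}

# 5. Write the timestamped evidence record: the artefact you produce when asked to
#    demonstrate that access was removed on the day the staff member left.
$record = "$($user.DisplayName)-offboarding-$(Get-Date -Format yyyyMMdd).txt"
$log | Set-Content -Path $record
Write-Host "Offboarding complete for $($user.DisplayName); evidence written to $record"
```

Converting the mailbox to a shared mailbox and triggering an Intune device wipe are separate steps not shown here; the Purview unified audit log independently records each of the actions above.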

Microsoft 365 Business Premium includes Microsoft Purview — a compliance and governance platform covering audit logging, retention policies, data classification, and eDiscovery. DM1 configures and manages Purview as part of every Business Premium deployment.

What DM1 Finds During New Client Onboarding

When a new client moves to DM1, our standard onboarding process includes a full review of the existing Microsoft 365 configuration. These are three examples of what that process found — issues the previous IT provider had not identified or addressed.

Discovered during DM1 new client onboarding

No second login step on any account — for a healthcare practice handling patient records daily

When a Perth healthcare business moved to DM1, our standard new client checks found that not a single staff account had a second login step enabled. The business was handling patient records daily. Their previous IT provider had never raised it. DM1 had it activated across the entire business on the same day as the onboarding check.


A legal firm’s shared login — no way to demonstrate who accessed client files

When a Perth legal firm moved to DM1, our standard checks found that three staff members were sharing a single Microsoft 365 login for the firm’s document management system. There was no audit trail showing which person had accessed or modified which client file. DM1 created individual accounts and configured role-based access to the document library.


Client identification documents stored in a shared email inbox with no access controls

When a Perth financial services business moved to DM1, our standard checks found that copies of client identification documents — passports, driver’s licences — were stored in a shared email inbox accessible by all staff with no retention policy. Documents from clients who had ceased trading were still sitting in the inbox, some dating back seven years. DM1 migrated them to a controlled SharePoint library with restricted access.

Not Sure Whether Your Business Is Compliant?

DM1 can review your Microsoft 365 configuration against the Privacy Act reasonable steps standard and tell you exactly where the gaps are. No jargon. No sales pitch. Just a clear picture of where you stand.

Call (08) 6202 6012 to get started
