What Perth Businesses Need to Know About the Privacy Act

Plain English guidance on your obligations, what changed in 2024, and what your business should be doing about it.


What the Privacy Act Covers

The Privacy Act 1988 sets out how organisations must handle personal information about individuals. It applies to Australian Government agencies and to private sector organisations with annual turnover above $3 million, and regardless of turnover to health service providers, businesses that buy or sell personal information, credit reporting bodies and contracted service providers to the Commonwealth. Most Perth businesses above the threshold are covered whether or not they have ever read the Act.

The Act is built around 13 Australian Privacy Principles (APPs) covering how personal information is collected, used, stored, disclosed, and accessed. The Notifiable Data Breaches (NDB) scheme sits alongside them: when personal information is lost, or accessed or disclosed without authorisation, and a reasonable person would conclude that serious harm to any affected individual is likely, the organisation must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. A suspected breach must be assessed within 30 days.

Aligning to the Essential Eight cyber security baseline covers the technical posture that APP 11 (security of personal information) and the NDB scheme assume is in place. It does not cover the policy and process side of compliance: the privacy policy, collection notices, consent, access and correction requests, and the notification process itself still have to be done.

What Changed In 2024

The Privacy and Other Legislation Amendment Act 2024 passed Parliament in November 2024 and received assent on 10 December 2024. It is the first tranche of the reforms that followed the Attorney-General's review of the Act, and its provisions commence at different times. Here is what Perth businesses should be aware of.

Higher penalties

The top-tier penalty for a serious interference with privacy was set by the 2022 enforcement amendments at the greatest of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover for the breach period. The 2024 Act changed the test from "serious and repeated" to "serious", so a single serious interference is enough, and added two lower tiers: a mid-tier civil penalty for interferences with privacy that are not serious, and infringement notices for specified administrative breaches such as not having a compliant privacy policy. The practical effect is that the OAIC can now penalise ordinary non-compliance without having to prove a serious interference.

Statutory tort

A new statutory tort for serious invasions of privacy gives individuals a direct right to sue. It commenced on 10 June 2025. The plaintiff must show an intentional or reckless intrusion into their seclusion or misuse of information relating to them, a reasonable expectation of privacy in the circumstances, that the invasion was serious, and that the public interest in privacy outweighs any countervailing public interest. The tort is not limited to organisations covered by the APPs, so it reaches small businesses and individuals that the Act otherwise does not.

Children's online privacy code

The Act requires the Commissioner to develop a Children's Online Privacy Code within 24 months of commencement. It will apply to social media, electronic messaging and other online services that are likely to be accessed by children (health service providers are excluded). Businesses serving children online should expect more specific obligations on how the APPs apply to children's information.

Automated decisions

Privacy policies must disclose the kinds of personal information used in, and the kinds of decisions made or substantially assisted by, computer programs where the decision could reasonably be expected to significantly affect an individual's rights or interests. AI driven decisions are squarely in scope. These amendments to APP 1 have a 24-month transition and apply from 10 December 2026, but working out which systems make such decisions takes time, so the inventory should start now.

Security baseline expectations

The Act does not name a technical standard, but the 2024 amendments added a clarification to APP 11 that the "reasonable steps" to protect personal information include technical and organisational measures. OAIC guidance on securing personal information points to the Australian Signals Directorate's Essential Eight as a baseline, and after a breach the question the OAIC asks is whether the steps taken were reasonable for an organisation of your size holding information of that sensitivity. Being well short of the Essential Eight is hard to defend as reasonable.

Small business exemption review

The small business exemption (annual turnover of $3 million or less) was not changed by the 2024 Act, but the Government has agreed in principle to remove it in a later tranche after consultation on impact and transition. Businesses under the threshold, particularly the larger ones, should plan on coming into scope rather than assume the exemption will stay.

What DM1 Does About Privacy Act Compliance

DM1 supports the technical side of Privacy Act compliance. Legal and policy work is for your lawyer or compliance professional. Here is what we cover from the IT side.

1. Security baseline: Microsoft 365 environment configured against the cyber security baseline. MFA, Conditional Access, Defender, retention.

2. Essential Eight alignment: Posture assessed and aligned to the Australian Signals Directorate Essential Eight, the technical baseline referenced in OAIC guidance.

3. Retention policies: Microsoft Purview retention policies configured to keep data for the period relevant to your business and to delete it when retention expires, so the destruction APP 11.2 requires happens by default rather than by memory.

4. Access controls: Conditional Access policies restricting who can access what, from where, and on what device.

5. Notifiable data breach response: Incident response posture configured so the technical side of an NDB assessment and notification is supported. Audit logs retained beyond the default window, investigation tools available.

6. Quarterly review: Posture reviewed each quarter so it stays current as the threat landscape changes and the regulatory environment evolves. Standard practice for managed clients.

Common Privacy Act Issues DM1 Sees

When DM1 onboards a new Perth business, the most common Privacy Act related gaps we find are technical, not policy.

No MFA

Multi-factor authentication missing or only partially deployed. APP 11 requires reasonable security steps, and MFA is one of the Essential Eight, so an account protected by a password alone is hard to defend.

No retention policies

Personal information kept indefinitely with no documented retention period. APP 11.2 requires information to be destroyed or de-identified once it is no longer needed for any purpose for which it may be used or disclosed, and information you no longer hold cannot be breached.

No audit logs

Microsoft 365 unified audit logging not enabled, or enabled but kept only for the default retention window (180 days on most licences). Investigating a suspected breach without audit logs is much harder, and the NDB scheme gives you 30 days to assess one.
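What those audit logs are for, as an added example that is not DM1's code or tooling: a short Python triage script run over Unified Audit Log records, in the shape of the AuditData JSON that Search-UnifiedAuditLog returns, one record per line. The records, the office IP allow-list and every name and address in them are constructed for the example. It flags successful sign-ins from unknown addresses, inbox rules that forward or delete mail, and mailbox reads from those addresses, which is the evidence an NDB assessment needs to say whose information was accessed.

```python
"""Triage a Microsoft 365 Unified Audit Log export for signs of mailbox compromise.

Input is AuditData JSON, one record per line (Search-UnifiedAuditLog or a Purview
audit export); output is a list of findings that says which accounts to contain
and which mailboxes the NDB assessment must cover.
"""
import json

# Constructed sample records in the shape of AuditData JSON. Every user, address,
# IP and timestamp here is made up for this example.
SAMPLE_AUDITDATA = [
    '{"CreationTime":"2025-03-03T01:12:44","Operation":"UserLoggedIn","UserId":"sam@example.com.au",'
    '"ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory","ResultStatus":"Success"}',
    '{"CreationTime":"2025-03-03T02:40:09","Operation":"UserLoggedIn","UserId":"sam@example.com.au",'
    '"ClientIP":"198.51.100.77","Workload":"AzureActiveDirectory","ResultStatus":"Success"}',
    '{"CreationTime":"2025-03-03T02:41:30","Operation":"New-InboxRule","UserId":"sam@example.com.au",'
    '"ClientIP":"198.51.100.77","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"ForwardTo","Value":"billing@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2025-03-03T02:45:00","Operation":"MailItemsAccessed","UserId":"sam@example.com.au",'
    '"ClientIP":"198.51.100.77","Workload":"Exchange"}',
    '{"CreationTime":"2025-03-03T09:00:00","Operation":"UserLoggedIn","UserId":"jo@example.com.au",'
    '"ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory","ResultStatus":"Success"}',
    'this line is deliberately not JSON, to show that malformed rows are skipped',
]

# Constructed stand-in for the office's known egress addresses.
KNOWN_IPS = {"203.0.113.10"}

# Inbox-rule parameters that hide or exfiltrate mail. The classic BEC pattern is a
# rule named "." or ".." that forwards invoices externally and deletes the originals.
SUSPICIOUS_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                          "DeleteMessage", "MoveToFolder", "SoftDeleteMessage"}


def parse_records(lines):
    """Parse one AuditData JSON document per line; malformed lines are skipped.

    CreationTime is ISO 8601 in UTC with no offset, so a string sort gives time order.
    """
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(records, key=lambda r: r.get("CreationTime", ""))


def triage(records, known_ips):
    """Return findings as (user, severity, description) tuples in time order."""
    findings = []
    for r in records:
        user, ip, op, when = r.get("UserId"), r.get("ClientIP"), r.get("Operation"), r.get("CreationTime")
        from_unknown = ip not in known_ips
        if op == "UserLoggedIn" and r.get("ResultStatus") == "Success" and from_unknown:
            findings.append((user, "medium", f"{when} successful sign-in from unknown IP {ip}"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            hits = sorted(SUSPICIOUS_RULE_PARAMS & set(params))
            if hits:
                detail = ", ".join(f"{k}={params[k]}" for k in hits)
                findings.append((user, "high" if from_unknown else "medium",
                                 f"{when} {op} ({detail}) from {ip}"))
        elif op == "MailItemsAccessed" and from_unknown:
            # Evidence of what was read: this is what scopes the NDB assessment.
            findings.append((user, "medium", f"{when} mailbox contents read from unknown IP {ip}"))
    return findings


def users_to_contain(findings):
    """Accounts with a high finding: reset the password, revoke sessions, delete the rule."""
    return sorted({user for user, sev, _ in findings if sev == "high"})


if __name__ == "__main__":
    results = triage(parse_records(SAMPLE_AUDITDATA), KNOWN_IPS)
    for user, sev, desc in results:
        print(f"[{sev:6}] {user}: {desc}")
    print("contain:", users_to_contain(results))
```

The allow-list is deliberately crude; in practice it is the office and VPN egress ranges, and anything from outside them within minutes of a new forwarding rule is the pattern to look for. None of this is possible once the records have aged out of the audit log, which is the point of extending retention.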

Email open to spoofing

No SPF, DKIM, or DMARC, or a DMARC record left at p=none. Attackers can send mail that appears to come from the business, to customers and to staff, and a breach that starts with a spoofed invoice or password-reset email is hard to defend as reasonable security.
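A check for that exposure, as an added example that is not DM1's code: Python that evaluates a domain's SPF, DKIM and DMARC TXT records and rates whether spoofed mail would be rejected. The records below are constructed stand-ins for what `dig TXT example.com.au`, `dig TXT selector1._domainkey.example.com.au` and `dig TXT _dmarc.example.com.au` return (selector1 and selector2 are the DKIM selectors Microsoft 365 uses; the resolver follows the CNAME for you), and `dict_lookup` is a stand-in for a real DNS lookup. It goes a little beyond the paragraph: it also catches the SPF permerror cases (more than one record, more than 10 lookups), a DMARC policy enforced only for a percentage of mail, and a `+all` SPF record, which lets any sender pass and so defeats DMARC even at p=reject.

```python
"""Evaluate SPF, DKIM and DMARC records for a domain and rate its spoofing exposure."""
import re

# Constructed sample records: what `dig TXT <name>` would return for a domain that
# has done the work (Microsoft 365 SPF include, DKIM on selector1, DMARC at reject).
SAMPLE_TXT = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com.au": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.example.com.au": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; pct=100"],
}
# Constructed sample for the common weak state: soft-fail SPF, no DKIM, DMARC left at p=none.
WEAK_TXT = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def dict_lookup(table):
    """Build a TXT resolver over a dict; swap in a real DNS query for live use."""
    return lambda name: table.get(name.lower(), [])


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_verdict(txt_records):
    """Return (status, detail); status is missing, invalid, pass-all, neutral, soft or strict."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 record"
    if len(spf) > 1:
        return "invalid", "more than one SPF record is a permerror (RFC 7208 allows exactly one)"
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in SPF_LOOKUP_TERMS)
    if lookups > 10:
        return "invalid", f"{lookups} lookup terms exceed the limit of 10 (permerror)"
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)]
    if not all_terms:
        return "neutral", "no 'all' mechanism, so unlisted senders get a neutral result"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    status = {"-": "strict", "~": "soft", "?": "neutral", "+": "pass-all"}[qualifier]
    return status, f"record ends with '{all_terms[-1]}'"


def dkim_verdict(txt_records):
    """Return (status, detail); status is missing, revoked (empty p=) or present."""
    for r in txt_records:
        tags = parse_tags(r)
        if "p" in tags and tags.get("v", "DKIM1").upper() == "DKIM1":
            return ("present" if tags["p"] else "revoked"), f"k={tags.get('k', 'rsa')}"
    return "missing", "no DKIM key at this selector"


def dmarc_verdict(txt_records):
    """Return (status, detail); status is missing, invalid, monitor, partial or enforced."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "missing", "no v=DMARC1 record, so receivers have no instruction to reject"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject") or not tags.get("pct", "100").isdigit():
        return "invalid", f"p={policy!r} pct={tags.get('pct')!r}"
    pct, sub_policy = int(tags.get("pct", "100")), tags.get("sp", policy).lower()
    if policy == "none":
        return "monitor", "p=none only reports; spoofed mail is still delivered"
    if pct < 100 or sub_policy == "none":
        return "partial", f"p={policy} applies to {pct}% of mail, sp={sub_policy}"
    return "enforced", f"p={policy} pct={pct} rua={tags.get('rua', 'not set')}"


def assess(domain, lookup_txt, selectors=("selector1", "selector2")):
    """Run the three checks and rate exposure as open, partial or protected."""
    spf = spf_verdict(lookup_txt(domain))
    dkim = {s: dkim_verdict(lookup_txt(f"{s}._domainkey.{domain}")) for s in selectors}
    dmarc = dmarc_verdict(lookup_txt(f"_dmarc.{domain}"))
    dkim_ok = any(status == "present" for status, _ in dkim.values())
    # +all makes any sender pass aligned SPF, which satisfies DMARC; that is as bad as no DMARC.
    if dmarc[0] in ("missing", "invalid", "monitor") or spf[0] == "pass-all":
        exposure = "open"
    elif dmarc[0] == "partial" or spf[0] in ("missing", "invalid", "neutral") or not dkim_ok:
        exposure = "partial"  # enforced, but with a gap or relying on a single mechanism
    else:
        exposure = "protected"
    return {"domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc, "exposure": exposure}


if __name__ == "__main__":
    for domain, table in (("example.com.au", SAMPLE_TXT), ("weak.example", WEAK_TXT)):
        report = assess(domain, dict_lookup(table))
        print(f"{domain}: {report['exposure']}  spf={report['spf'][0]} dmarc={report['dmarc'][0]} "
              f"dkim={[status for status, _ in report['dkim'].values()]}")
```

The ratings are deliberately blunt: "open" means a receiver has no instruction to reject mail claiming to be you, "partial" means the instruction exists but has a gap, and only p=reject at 100 per cent with both SPF and DKIM in place is "protected". Moving from p=none to p=reject is the change that actually stops the spoofing; the other records exist so your own mail keeps passing once you do.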

Related Privacy and Security Topics

Privacy Act compliance pairs with the notifiable data breach scheme and the Microsoft 365 security baseline DM1 builds for every Perth business.

Notifiable Data Breach

What the Privacy Act requires when personal information is exposed.


Microsoft 365 Data Backup

Microsoft retains your data, but the responsibility for backup is yours.


Microsoft Defender for Business

Endpoint security that detects ransomware, malware, and credential theft on Windows, Mac, and mobile devices.


Microsoft Intune

Device management that enforces compliance and pushes settings to your fleet.


Microsoft Entra ID

The cloud identity service controlling who signs in to your tenant and what they can access.


Conditional Access

The policy engine that decides who can sign in, from where, and on which devices.


Cyber Security Perth

DM1's overview of the security layers protecting your Microsoft 365 tenant.


Essential Eight Perth

The eight Australian cyber security strategies every business should aim to implement.


Microsoft 365 Perth

The full Microsoft 365 platform DM1 configures and manages for Perth businesses.


Is Your Privacy Act Posture Up To Date?

DM1 reviews the technical side of Privacy Act compliance for Perth businesses. Get in touch for an assessment of your current posture.

Book a Privacy Act Assessment: (08) 6202 6012