What is the Privacy Act 1988 (Cth)?
Privacy Act 1988 (Cth)
Privacy Act + NDB scheme alignment.
Australian Privacy Principles mapping. Notifiable Data Breaches readiness. Cross-vertical.
Cross-vertical experience — financial services, accounting, legal, healthcare. The Privacy Act is the floor; sector frameworks sit alongside.
The problem
Most mid-market organisations have a privacy policy on the website and assume they are covered. The OAIC sees a different picture. Recent enforcement and the ongoing Privacy Act review have raised the floor: organisations now need documented APP-by-APP control mapping, a tested NDB notification playbook, and clear handling of cross-border data flows (APP 8) — particularly for cloud platforms, support providers and analytics tools that hold or process personal information overseas.
The hardest patterns we see
- APP 11 (security): Generic "we use industry-standard security" language with no documented control mapping.
- APP 8 (cross-border): Cloud and SaaS platforms hosted overseas without documented disclosure analysis or contractual safeguards.
- NDB scheme readiness: No tested 30-day assessment playbook; no documented decision criteria for "likely to result in serious harm".
- APP 1 (open management): Privacy policy on the website, but no internal privacy management plan or annual review.
Australian Privacy Principles to BISTEC delivery
Each of the 13 APPs paired with what we deliver. The Privacy Act is the floor; sector-specific frameworks (CPS 234, NDIS Quality & Safeguards, Law Society obligations) sit alongside it.
| APP | What it covers | What BISTEC delivers |
|---|---|---|
| APP 1 | Open and transparent management | Documented privacy management plan template; annual review cadence; integration with your ISMS |
| APP 2 | Anonymity and pseudonymity | Service desk and ticketing configuration to support pseudonymous access where required |
| APP 3 | Collection of solicited personal information | Form and intake-channel review; data-minimisation patterns |
| APP 4 | Unsolicited personal information | Documented intake handling; retention rules in M365 / SharePoint |
| APP 5 | Notification of collection | Notification templates embedded in onboarding and intake flows |
| APP 6 | Use and disclosure | Access-control architecture; documented purpose-limitation logic |
| APP 7 | Direct marketing | Marketing-platform integration; consent register |
| APP 8 | Cross-border disclosure | Cloud and SaaS hosting register; documented APP 8 analysis per third party; sub-processor location map |
| APP 9 | Government identifiers | Tax-file-number, Medicare and similar handling rules |
| APP 10 | Quality of personal information | Master-data hygiene; documented correction process |
| APP 11 | Security | ISO 27001-aligned controls; Essential Eight ML2 baseline; senior security operations; documented incident response |
| APP 12 | Access | Subject-access request workflow; documented response timelines |
| APP 13 | Correction | Documented correction workflow integrated with APP 12 |
NDB scheme readiness
We deliver an NDB scheme playbook that includes:
- 01 Eligible-breach assessment template: Documented decision criteria for "likely to result in serious harm".
- 02 30-day clock: Documented timeline from suspicion of a breach to OAIC notification.
- 03 Notification templates: For the OAIC and affected individuals, reviewed against current OAIC guidance.
- 04 War-room runsheet: Named decision-makers (CEO/COO, CISO, Head of Risk, Head of Legal/General Counsel, communications lead).
- 05 Annual tabletop exercise: Documented minutes, built to satisfy regulator inspection.
Why BISTEC for Privacy Act work
- Sydney HQ. Senior security operations.
- Cross-vertical experience — financial services (paired with CPS 234), accounting firms (Xero/MYOB/practice systems), law firms (privileged document handling under post-incident scrutiny), healthcare (My Health Record, NDIS Quality & Safeguards alignment).
- ISO 27001 certified · Microsoft Solutions Partner · AWS Partner · Great Place to Work — Asia Top 30.
- Privacy Impact Assessment delivery as ad-hoc project work.
- Named lead, named delivery lead, no rotation onto larger accounts.
25-question diagnostic
Privacy Act Readiness Audit
A 25-question diagnostic across the 13 Australian Privacy Principles plus the NDB scheme. 30-minute completion. Outputs a prioritised gap list and a board-pack-ready summary. Free. Email-gated. Built from real cross-vertical engagements.
Frequently asked
The Privacy Act 1988 (Cth) is the Australian federal law that governs how organisations collect, use, hold, disclose and protect personal information. It applies to APP entities — Australian government agencies and most private-sector organisations with annual turnover above $3 million, plus health service providers and a small set of other categories regardless of turnover. It is administered by the Office of the Australian Information Commissioner (OAIC).
The Australian Privacy Principles (APP 1 to APP 13) are the 13 obligations at the core of the Privacy Act. They cover: open and transparent management of personal information (APP 1), anonymity (APP 2), collection (APP 3 to APP 5), use and disclosure (APP 6 to APP 9), data quality and security (APP 10 to APP 11), and access and correction (APP 12 to APP 13). APP 8 — cross-border disclosure — and APP 11 — security — are the two most-tested in incident response and OAIC determinations.
The NDB scheme, in force since 22 February 2018, requires APP entities to notify both the OAIC and affected individuals of an eligible data breach. An eligible data breach occurs when there is unauthorised access to or disclosure of personal information (or a loss of it in circumstances where unauthorised access or disclosure is likely), and a reasonable person would conclude that this is likely to result in serious harm to any of the individuals concerned. Notification is required as soon as practicable after the entity has reasonable grounds to believe an eligible data breach has occurred, and where it only suspects one, a reasonable and expeditious assessment must be completed within 30 days of becoming aware of those grounds for suspicion.
You must notify the OAIC and affected individuals as soon as practicable after you have reasonable grounds to believe an eligible data breach has occurred. If you suspect a breach but are not yet sure whether it qualifies as eligible, you have up to 30 days to complete a reasonable and expeditious assessment. The 30-day clock starts when you become aware of reasonable grounds to suspect an eligible data breach, not when the breach is confirmed, and the 30 days is a ceiling rather than a target. A documented assessment template is essential because the OAIC scrutinises both the assessment timeline and the substance of the "likely to result in serious harm" determination, including any remedial action you rely on to conclude that serious harm is no longer likely.
Overseas hosting will usually engage APP 8 (cross-border disclosure). Before disclosing personal information to an overseas recipient you must take reasonable steps to ensure the recipient does not breach the APPs, and under s 16C of the Act you generally remain accountable for the recipient's handling even where you took those steps, unless an APP 8.2 exception applies (for example, the individual's express informed consent, or a recipient bound by a law or binding scheme substantially similar to the APPs with accessible enforcement mechanisms). One caveat: the OAIC's guidance treats handing personal information to a cloud provider that merely stores or processes it on your behalf under a contract, with you retaining effective control, as a "use" rather than a "disclosure", so whether APP 8 or only APP 11 applies depends on the contract and the provider's actual access. In practice this means a documented APP 8 analysis per third-party processor, contractual safeguards, and a privacy policy that states whether personal information is likely to be disclosed overseas and, where practicable, the countries involved (APP 1.4). Most cloud platforms (Microsoft, AWS, Google) support AU-region storage; the gap is usually in SaaS analytics, support tooling and email, where support staff or sub-processors outside Australia may still have access to data stored in an AU region.
Generally no. Small business operators with annual turnover of $3 million or less are exempt from the Privacy Act. There are exceptions: health service providers (any turnover), credit-reporting bodies, organisations that trade in personal information, contracted Commonwealth service providers, and small businesses related to a larger APP entity. The current Privacy Act review may narrow or remove the small-business exemption, and many small firms are preparing on the basis that the exemption may not last.
The Privacy Act is the floor. APRA-regulated entities also meet CPS 234 (which is more prescriptive about information-security capability and incident notification timing — 72 hours to APRA, alongside the NDB scheme). NDIS providers also meet the NDIS Quality & Safeguards Commission's requirements for participant data. Law firms also meet Law Society confidentiality and legal-professional-privilege obligations. In each case, the Privacy Act sits alongside, not instead of, the sector-specific framework.
Yes. We deliver Privacy Impact Assessments as ad-hoc project work — typically scoped at 4 to 8 weeks for a single high-risk project (a new SaaS deployment, a data-sharing arrangement, a marketing-tech rollout). PIAs include APP-by-APP analysis, risk register, mitigation plan and board summary.