Should We Do a Privacy Assessment?

Most businesses ask this question too late.


There’s a pattern we see regularly when working with small and medium-sized businesses across Australia. A team is building a new customer portal, rolling out a HR platform, or setting up a cloud-based CRM. Everyone’s focused on the go-live date. IT is configuring access, the project lead is finalising scope, and someone — usually late in the piece — asks: “Do we need to do anything about privacy?”

The answer is almost always yes. And the fact that it’s being asked at the end, rather than the beginning, is itself the problem.


What the Australian Privacy Principles Actually Require

Australia’s Privacy Act 1988 establishes 13 Australian Privacy Principles (APPs) that govern how organisations with an annual turnover above $3 million — and many below that threshold — must handle personal information. If your business collects, holds, uses, or discloses personal information, the APPs apply to you.

But compliance isn’t just about having a privacy policy on your website. The obligations run deeper than most businesses realise.

APP 1 requires you to have clearly expressed, up-to-date practices for managing personal information — not just a policy document, but actual implemented practices. Can you demonstrate that your staff know what personal information you hold, where it lives, and how it’s protected?

APP 3 governs collection — you should only collect personal information that’s reasonably necessary for your business functions. How often do forms, apps, or systems collect far more data than is actually needed, simply because no one stopped to question it?

APP 6 restricts secondary use and disclosure. If you collected an email address for a transaction, you generally can’t use it for marketing without consent. Many businesses inadvertently breach this through automated marketing workflows or CRM integrations set up years ago.

APP 11 requires that personal information is protected from misuse, interference, loss, and unauthorised access. This isn’t just a cybersecurity requirement — it encompasses access controls, staff training, third-party vendor management, and data retention practices.

APPs 12 and 13 give individuals the right to access and correct their personal information. Do you have a process for handling those requests? Do your staff know what to do if one arrives?

The gap between “we have a privacy policy” and “we’re actually compliant” is often significant — and most businesses don’t know it exists.


The Overlooked Trigger: Privacy Impact Assessments

One of the most underutilised tools in the privacy compliance toolkit is the Privacy Impact Assessment (PIA). While not always legally mandatory, the Office of the Australian Information Commissioner (OAIC) strongly recommends conducting a PIA whenever you’re:

  • Implementing a new system that collects or processes personal information
  • Significantly changing how existing personal information is handled
  • Introducing a new technology or platform with privacy implications
  • Entering a new data-sharing arrangement with a third party
  • Expanding into new markets or customer segments

A PIA isn’t a bureaucratic box-tick. Done properly, it’s a structured process that maps what data you’re collecting, identifies the privacy risks, and documents the controls you’re putting in place. It gives you a defensible record that you considered privacy obligations proactively — which matters significantly if a complaint or breach ever arises.

For Australian Government agencies, PIAs are effectively mandatory for high-risk projects. For private sector organisations, the case for doing them is compelling: the OAIC has made clear that demonstrating a privacy-by-design approach — built in from the start, not bolted on at the end — is increasingly the standard it expects of responsible organisations.


What “Getting It Wrong” Actually Looks Like

Privacy breaches rarely announce themselves with alarm bells. They look like:

  • A long-standing employee still having access to customer records six months after leaving
  • A SaaS platform your team adopted without IT review storing customer data on overseas servers with no data processing agreement in place
  • A marketing automation tool syncing your CRM contacts to a US-based server, triggering cross-border disclosure obligations under APP 8
  • A data breach notification obligation under the Notifiable Data Breaches (NDB) scheme that nobody knew existed until the breach happened

The NDB scheme is a particularly underappreciated obligation. If your business experiences an eligible data breach — one likely to result in serious harm to affected individuals — you’re required to notify both the OAIC and the affected individuals. Failure to notify can result in civil penalties. Many businesses discover this obligation for the first time during an incident response, which is precisely the wrong time.


The Case That Changed Everything

In October 2025, the Federal Court handed down Australia’s first ever civil penalty under the Privacy Act. Australian Clinical Labs (ACL) was ordered to pay $5.8 million following a data breach at its Medlab Pathology business in February 2022, which exposed the sensitive personal information of more than 223,000 individuals — including Medicare numbers, health records, and pathology results.

The breach itself was serious. But what made the case particularly significant was what happened after it was discovered. ACL had reasonable grounds to believe a notifiable data breach had occurred well before it formally notified the OAIC, and the court found the notification was delayed by approximately three weeks beyond when it could have been made. The NDB scheme requires notification “as soon as practicable.” Three weeks wasn’t it.

Privacy Commissioner Carly Kind described the outcome as “an important turning point in the enforcement of privacy law in Australia” and a “vivid reminder” that there will be consequences for serious failures to protect personal information.

The OAIC has since signalled that more proceedings are in the pipeline — with civil penalty actions against Medibank and Optus still on foot, and the regulator indicating further cases are waiting. Critically, under penalty provisions introduced in late 2022 and expanded in 2024, future penalties could be far higher: up to $50 million, three times the benefit derived from the conduct, or 30% of annual turnover — whichever is greatest.

ACL is a large pathology business. The principle, however, applies to every organisation that holds personal information. The enforcement era has arrived.


So, Should You Do a Privacy Assessment?

If any of the following apply to your business, the answer is yes — and probably sooner than you think:

  • You’ve recently adopted new software, platforms, or cloud services
  • You’re building or significantly changing a customer-facing system
  • You handle sensitive categories of information (health, financial, identity documents)
  • You haven’t reviewed your privacy practices in the last 12–18 months
  • You’re unsure whether your current practices align with the APPs
  • You’re entering a new contract involving data sharing with a third party

A privacy assessment doesn’t need to be a months-long project. For most SMBs, a focused review of your data flows, third-party arrangements, access controls, and staff awareness can be completed efficiently — and the value of knowing where you stand far outweighs the cost of finding out through a complaint or incident.


At Cyberfy, we help businesses understand their obligations under the Privacy Act and take practical steps to meet them. If you’re not sure where your business stands, that’s usually the right reason to start the conversation.



Disclaimer: This article is intended as general information only and does not constitute legal advice. If you have specific compliance concerns, we recommend consulting a qualified privacy or legal professional.