Compliance | 2 December 2025

Understanding the Australian Privacy Act for Document Sharing

The Privacy Act sets strict rules for how personal information is handled. We break down what it means for Australian businesses sharing sensitive documents.

The Australian Privacy Act 1988 sets the legal framework for how organisations handle personal information. For businesses that routinely share sensitive documents — accountants, lawyers, financial advisors, real estate agents — understanding the core obligations is essential.

Who the Act applies to

Most organisations with an annual turnover of more than $3 million are covered by the Act. But there's a long list of exceptions where smaller entities are also in scope — health service providers, credit reporting bodies, businesses that buy or sell personal information, and anyone handling tax file numbers. If in doubt, assume you're covered.

The 13 Australian Privacy Principles

The Act is structured around 13 Australian Privacy Principles (APPs). The ones most relevant to document sharing are:

  • APP 1 — Open and transparent management. You need a clear privacy policy describing what you collect and why.
  • APP 6 — Use or disclosure. Personal information may only be used or disclosed for the primary purpose for which it was collected, with limited exceptions.
  • APP 8 — Cross-border disclosure. If you're sending information overseas (including to a US-based cloud provider), you must take reasonable steps to ensure the recipient protects it.
  • APP 11 — Security of personal information. You must take reasonable steps to protect the information you hold. This is the big one for document sharing.
  • APP 12 — Access by the individual. Data subjects have the right to see what you hold about them.

What "reasonable steps" actually means

APP 11 is deliberately vague. The OAIC's guidance clarifies that "reasonable" depends on the sensitivity of the information, the risks involved, and the cost of implementation. In practice, for a professional services firm handling client financial data, "reasonable" means at minimum: encrypted storage, access controls, audit logging, and breach notification procedures.

The cross-border trap

APP 8 catches a lot of Australian businesses off guard. If you're using a US-based cloud service for client documents, and that service stores data overseas, you're making a cross-border disclosure. You need either the data subject's consent, or to ensure the recipient is bound by a substantially similar privacy regime. This is why Australian data residency matters.

Mandatory breach notification

Since 2018, the Notifiable Data Breaches (NDB) scheme requires you to notify the OAIC and affected individuals if a breach is likely to result in serious harm. Fines for non-compliance can reach $50 million for bodies corporate. We've covered the practical playbook in a separate article.