Compliance · 2 December 2025

Understanding the Australian Privacy Act for Document Sharing

The Privacy Act sets strict rules for how personal information is handled. We break down what it means for Australian businesses sharing sensitive documents.

The Australian Privacy Act 1988 is the legal framework that governs how organisations handle personal information — and for businesses that share sensitive documents externally (accountants, lawyers, financial advisors, real estate agents, M&A practices), it's the single most important compliance regime to actually understand, not just acknowledge.

Who the Act applies to

The default rule is that organisations with annual turnover above $3 million are covered. But there's a long list of exceptions where smaller entities are also in scope: health service providers, credit reporting bodies, businesses that buy or sell personal information, employee-association handlers, residential tenancy databases, and anyone handling tax file numbers. In professional services, the practical reality is that almost everyone is in scope — even three-partner advisory firms.

The 2024 review of the Privacy Act, currently progressing through Parliament, will likely remove the $3 million turnover exemption altogether. If you've been operating on the assumption that you're too small to worry about it, that assumption has a short shelf life.

The 13 Australian Privacy Principles, in order of who-cares-most

The Act is structured around 13 Australian Privacy Principles (APPs). For document sharing specifically, five matter most:

  • APP 1 — Open and transparent management. You need a clearly published privacy policy describing what you collect, why, and how it's protected. Most professional services firms have one; many haven't updated it since the firm started.
  • APP 6 — Use or disclosure. Personal information can only be used for the purpose it was collected, with narrow exceptions. Sharing a client's bank statements with a third party advisor without consent — even a referred advisor — typically isn't covered by the original consent.
  • APP 8 — Cross-border disclosure. If you disclose information to a recipient outside Australia (including offshore cloud storage), you must take reasonable steps to ensure the recipient protects it under standards substantially similar to the APPs. This catches a surprising number of Australian businesses using US cloud services without realising the implication.
  • APP 11 — Security of personal information. The "reasonable steps" obligation. The single most enforced APP, and the one that most often shows up in OAIC determinations.
  • APP 12 — Access by the individual. Data subjects have the right to see what you hold about them. Disorganised filing makes responding to access requests genuinely difficult and expensive.

What "reasonable steps" actually means in 2026

APP 11 is deliberately principle-based rather than prescriptive — what's reasonable depends on the sensitivity of the information, the volume held, and the realistic cost of safeguards. The OAIC's most recent guidance (updated 2024) explicitly lists technology that is "reasonably available" as a factor. The bar has moved: in 2018, emailing a PDF of client tax records might have been defensible. In 2026, with encrypted, audit-traceable, Australian-resident data rooms available at SMB pricing, a tribunal would likely take a much dimmer view of the same conduct.

The OAIC's published expectations for "reasonable steps" include, at a minimum: encrypted storage of information at rest and in transit; access controls scoped to the people who genuinely need access; activity logging that survives deletion of the underlying record; staff training on handling sensitive information; written procedures for handling a notifiable data breach; and a regular review of these controls. None of this is exotic; all of it has to actually be in place when a regulator asks.

The cross-border trap (and why it matters more than people think)

APP 8 catches a lot of Australian businesses off guard. Almost every consumer cloud service — Google Drive, Dropbox, Box, OneDrive on US tenants, every major SaaS product — stores or replicates customer data outside Australia. When you upload a client's personal information, you are making a cross-border disclosure. The "reasonable steps" requirement means assessing the recipient jurisdiction's privacy law, the cloud provider's contractual commitments, and your own documented justification for using offshore infrastructure.

The practical alternative is to use Australian-resident infrastructure end-to-end. ShareAndGo stores everything in Sydney on GCP australia-southeast1, with no US edge caching for content. APP 8 simply doesn't trigger because there is no cross-border disclosure to assess. For professional services firms with TFN, ABN, BSB, or health-related client information, this collapses an entire compliance domain.

Mandatory data breach notification

Since 2018, the Notifiable Data Breaches (NDB) scheme requires you to notify the OAIC and affected individuals when a data breach is "likely to result in serious harm." You have 30 days from awareness to notify. Penalties for failure can reach $50 million for bodies corporate under the 2022 amendments, or three times the benefit obtained from the conduct, or 30% of the entity's adjusted turnover — whichever is highest.

The OAIC's quarterly Notifiable Data Breaches Report consistently shows "human error" as the leading cause of notifiable breaches — typically email misaddressing, oversharing of cloud folders, or stale access permissions after an employee leaves. Almost all of these are eliminated by structured data rooms with explicit per-recipient permissions and automatic access expiry.

Five common mistakes Australian firms make

  • Treating cloud storage as a data room. A shared Drive folder is not a data room. No NDA gating, no audit trail that survives a delete, no view-only enforcement, no Australian residency by default.
  • Outdated privacy policies. A 2019 privacy policy referring to physical filing rooms tells the OAIC you haven't reviewed your obligations in years. Update annually.
  • Assuming consent persists. Original consent for a tax return doesn't extend to sharing the same documents with a financial planner six months later. Get fresh consent for each new purpose.
  • No incident response plan. The 30-day notification window evaporates fast. Have a written playbook ready before you need it.
  • "We're too small to be a target." The OAIC's reports show small and mid-sized businesses are over-represented in breach statistics, precisely because controls are weaker.

Practical baseline for professional services firms

If you handle client personal information regularly, the minimum defensible posture in 2026 looks like this:

  • Australian-resident document storage for client records (no US/EU cloud for sensitive content).
  • Per-recipient sharing controls with audit logging on every access.
  • NDA or confidentiality acknowledgement before external recipients see sensitive material.
  • Time-limited access — links expire automatically rather than relying on manual revocation.
  • Annual privacy policy review and a documented breach response plan.
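As an added illustration of the second and fourth items above (per-recipient controls with logging on every access, and links that expire on their own), here is a minimal Python sketch of a recipient-bound, time-limited share token backed by an append-only audit log. It is example code written for this post, not ShareAndGo's implementation; the key, document record and `presented_by` identity (assumed to come from the viewer's verified login) are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed demo key and records; a real deployment uses a managed secret and durable storage.
SECRET = b"constructed-demo-key"
DOCUMENTS = {"doc-001": {"deleted": False}}
AUDIT_LOG = []  # append-only: entries are never removed, even when a document is deleted

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _log(event: str, doc_id: str, who: str, now: int, outcome: str = "") -> None:
    AUDIT_LOG.append({"event": event, "doc": doc_id, "who": who, "at": now, "outcome": outcome})

def issue_link(doc_id: str, recipient: str, ttl_seconds: int, now: int) -> str:
    """Issue a share token bound to one recipient with a built-in expiry (epoch seconds)."""
    claims = {"doc": doc_id, "to": recipient, "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    _log("issue", doc_id, recipient, now)
    return f"{payload}.{_sign(payload)}"

def check_access(token: str, presented_by: str, now: int) -> str:
    """Return 'ok' or a denial reason; every decision is written to the audit log."""
    payload, _, sig = token.rpartition(".")
    if not payload or not hmac.compare_digest(sig, _sign(payload)):
        _log("access", "?", presented_by, now, "bad-signature")
        return "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    doc_id = claims["doc"]
    if now >= claims["exp"]:
        outcome = "expired"          # the link dies on its own; no manual revocation needed
    elif presented_by != claims["to"]:
        outcome = "wrong-recipient"  # bound to one recipient, not a forwardable bearer link
    elif doc_id not in DOCUMENTS or DOCUMENTS[doc_id]["deleted"]:
        outcome = "deleted"
    else:
        outcome = "ok"
    _log("access", doc_id, presented_by, now, outcome)
    return outcome

def delete_document(doc_id: str, who: str, now: int) -> None:
    """Soft-delete the record; the audit history for it stays intact."""
    DOCUMENTS[doc_id]["deleted"] = True
    _log("delete", doc_id, who, now)

def audit_trail(doc_id: str) -> list:
    """Audit entries for a document, still available after deletion."""
    return [e for e in AUDIT_LOG if e["doc"] == doc_id]
```

The point for an APP 12 access request or an NDB investigation is the last function: the trail of who was issued access, who viewed, who was refused and when the record was deleted survives the deletion itself.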

ShareAndGo was built specifically for this. Sydney-resident, audit-traceable, NDA-gateable, expiry-by-default. APP 11 satisfied by architecture, not by hopeful policy. For accounting firms and for legal practices we've documented the specific workflows; /use-cases/tax-audit walks through an ATO-facing example end-to-end.

None of this is legal advice. Get a privacy lawyer to review your specific posture, especially before the next round of Privacy Act amendments lands.
