APP 11 Reasonable Steps

APP 11 Reasonable Steps: What Businesses in Australia Should Actually Be Doing

APP 11 is not just about having a policy on paper. It is about taking reasonable steps to protect personal information and being able to show that your organisation has practical measures in place across people, processes, and systems.

General information only. This page is not legal advice.

What APP 11 really points toward

1. Active protection of personal information: APP 11 is about taking reasonable steps, not passively assuming things are fine.
2. Technical and organisational measures: reasonable steps are broader than software settings alone.
3. Practical accountability: people need to know what they are responsible for and what good handling looks like.
4. Evidence of ongoing effort: businesses are in a stronger position when they can show active training and compliance visibility over time.

Reasonable steps depend on your circumstances
Technical controls alone are not the full story
Training and accountability matter
Evidence helps support a stronger position
Plain English

What APP 11 means in practice

In plain English, APP 11 means your business should not just collect and hold personal information without taking practical steps to protect it. What is reasonable depends on your situation, including the type of information you hold, the risks you face, and the size and nature of your organisation.

1. Identify risk: understand what information you hold, where it sits, and what could go wrong.
2. Put measures in place: use practical controls across technology, people, and business processes.
3. Train and assign responsibility: make sure people know what is expected and who is accountable for what.
4. Keep it active: review, refresh, and keep evidence visible over time instead of treating compliance as a one-off event.

Common blind spots

Where businesses often fall short

Relying on documents alone

Policies matter, but they do not prove that the organisation is actively maintaining practical compliance.

Not training people properly

If staff and managers do not understand expectations, your compliance position weakens quickly.

Weak accountability

It is harder to show reasonable steps when nobody can clearly explain who was responsible for what.

No ongoing visibility

Effort fades over time when there is no system for tracking current status, overdue actions, or recurring training.

What you should be able to show

  • That staff were trained appropriately for their role.
  • That managers and leadership had relevant obligations assigned.
  • That compliance activity remained visible and current over time.
  • That the organisation was taking practical steps, not relying on vague intention.

What is harder to defend

  • Generic awareness with no clear completion evidence.
  • Policies with no visible accountability behind them.
  • Old training records with no recertification or status tracking.
  • Compliance effort that only appears after a problem has already happened.

Self-Assessment

Would your reasonable steps hold up if the OAIC reviewed your practices?

Answer 10 questions to assess whether your organisation is meeting its APP 11 obligations and whether your evidence would be sufficient if tested.

Privacy Act Compliance Assessment

Are You Meeting Your Privacy Act Obligations?

The Privacy Act 1988 and APP 11 require organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. This assessment helps identify where your obligations may not be met.

Answer 10 questions to identify where your business may not be taking reasonable steps.

Step 1 of 3

Data & Handling

1. Does your business have a documented process for how personal information is collected, stored, and disposed of?

2. Have all staff who handle personal data completed cyber compliance obligations appropriate to their role?

3. Can you produce evidence of compliance if requested by an insurer, client, or regulator today?

Step 2 of 3

Processes & Evidence

4. Does your business have a documented data breach response plan that staff have been made aware of?

5. Are compliance certifications tracked with expiry dates and renewal processes?

6. Do managers and team leaders understand their oversight responsibilities for cyber compliance?

Step 3 of 3

Governance & Oversight

7. Has a director or senior leader reviewed the organisation's cyber compliance posture in the last 12 months?

8. Does your business differentiate compliance obligations by role (staff, managers, directors)?

9. Are third-party access and data sharing arrangements documented and reviewed?

10. Does your business review and update its compliance measures at least annually?

How Cleverer helps

Cleverer helps businesses operationalise the people-side of reasonable steps by assigning role-based training, tracking certification, maintaining recurring visibility, and making accountability easier to show when clients, insurers, leadership, or reviewers ask what the business actually did.

Practical outcomes

Why training and accountability matter under APP 11

Training becomes visible

You can more easily show that people were trained and when they completed required pathways.

Responsibilities are clearer

Different roles can be assigned different obligations rather than relying on one generic expectation for everyone.

Ongoing effort is easier to explain

Recurring status, certification, and overdue visibility help support a more defensible ongoing compliance position.

Need a more practical way to support APP 11 reasonable steps?

Cleverer helps make the people-side of compliance visible through training, accountability, certification evidence, and recurring status tracking.

FAQ

Common questions about APP 11 reasonable steps

Does APP 11 prescribe a fixed checklist?

No. Reasonable steps depend on context, including the nature of the information held, the risk environment, and the size and type of organisation.

Are technical controls enough on their own?

Usually not. Technical measures matter, but training, accountability, and organisational practices are also highly relevant to a practical compliance position.

Why does training matter for APP 11?

Because people still handle information, make decisions, and create risk. Untrained staff weaken the organisation’s overall security posture.

Can Cleverer itself make a business APP 11 compliant?

No single platform can do that on its own. Cleverer helps with the people-side and operational evidence side of compliance, which can support a stronger overall position.

Is this legal advice?

No. This page is general information only and should not be treated as legal advice.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.