What are reasonable steps under the Privacy Act and how do you prove them

Article

Most businesses assume they are doing enough. Most cannot prove it.

The Privacy Act requires businesses that handle personal information to take “reasonable steps” to protect it. That phrase appears throughout the Australian Privacy Principles, and it is the standard the OAIC uses when assessing whether a business did enough after something goes wrong.

The problem is that most businesses have never defined what their reasonable steps actually are. They may have antivirus software, a firewall, and an IT provider. But when asked what they have done to reduce the risk of human error, train staff appropriately, and maintain evidence of those efforts, the answer is often unclear.

This is where the gap sits. Not in technology. In evidence.

What “reasonable steps” actually means

Under Australian Privacy Principle 11 (APP 11), businesses must take steps that are reasonable in the circumstances to protect personal information from misuse, interference, loss, and unauthorised access.

The word “reasonable” is doing a lot of work in that sentence. It does not mean perfect. It does not mean every possible measure. It means the business did what a reasonable organisation in its position would do, given its size, the sensitivity of the information it holds, and the consequences of a failure.

That sounds flexible. And it is. But flexibility does not mean optional. It means the business needs to be able to explain what it did, why it was appropriate, and how it is maintained.

What businesses get wrong

There are a few common assumptions that create risk.

“We have IT support, so we are covered.”

IT support manages infrastructure. It does not manage staff behaviour, role-based training, policy communication, or evidence of compliance. These are separate obligations.

“We did training last year.”

A one-off session twelve months ago does not demonstrate ongoing commitment. Compliance expectations are continuous. If training is not reinforced and updated, it loses its value as evidence.

“We have a cyber policy.”

A policy that sits in a shared drive and has not been read, acknowledged, or enforced is documentation without function. It does not reduce risk and it does not demonstrate reasonable steps.

“No one has complained, so we must be fine.”

The absence of a breach is not proof of compliance. It is the absence of a test. When the test comes, the business needs to show what was in place before the incident, not after.

Why this matters

When a data breach occurs, when a complaint is made to the OAIC, or when an insurer assesses a claim, the question is not “did you have good intentions?” The question is “what did you actually do?”

“Reasonable steps” is not a checklist you complete once. It is an ongoing standard that the business must be able to demonstrate through:

  • Structured, role-appropriate training
  • Evidence that training was completed and understood
  • Policies that are communicated, acknowledged, and enforced
  • Regular reinforcement, not just annual sessions
  • Clear accountability for who is responsible

If the business cannot produce this evidence, it becomes very difficult to argue that reasonable steps were taken. The intent may have been there. The proof was not.

How this connects to real risk

This is not abstract. There are practical consequences.

Regulatory action. The OAIC can investigate and take enforcement action where a business fails to meet its obligations. “Reasonable steps” is the benchmark.

Insurance exposure. Cyber insurers increasingly ask what controls were in place before the incident. If the business cannot show structured training and evidence, the claim may be reduced or denied.

Client and partner scrutiny. Larger organisations conducting due diligence on suppliers and partners are asking about compliance frameworks. If the answer is vague, it creates commercial risk.

Director and management accountability. If cyber risk is a material risk to the business, governance expectations apply. Directors and managers who cannot explain what the business is doing to manage that risk have a gap.

Scenario

A mid-sized professional services firm experiences a data breach. A staff member opened a phishing email and entered credentials into a fake login page. Client records were accessed.

The business had antivirus software and a firewall. It had an IT provider managing its infrastructure. But when asked what training staff had received, the answer was a generic onboarding presentation eighteen months earlier. There was no record of completion. No reinforcement. No role-specific guidance for staff handling sensitive client data.

The OAIC assessment focused on whether reasonable steps had been taken to prevent the breach. The technology was noted, but the absence of structured, ongoing, role-appropriate training was identified as a gap. The business could not demonstrate that it had taken reasonable steps to address the human element of the risk.

This is not unusual. It is one of the most common gaps.

What good looks like

A business that can demonstrate reasonable steps does not need to be perfect. It needs to be structured.

That means:

  • Role-based training. Staff who handle sensitive information receive training relevant to their role, not a generic module that applies to everyone equally.
  • Completion records. The business can show who completed training, when, and what it covered.
  • Ongoing reinforcement. Training is not a one-off event. It is repeated, updated, and reinforced at regular intervals.
  • Policy acknowledgement. Staff have read and acknowledged relevant policies. This is documented.
  • Accountability. Someone in the business is responsible for ensuring this happens. It is not assumed.

This does not require a large budget or a dedicated compliance team. It requires a structured approach and a commitment to maintaining it.

Closing

“Reasonable steps” is not a phrase businesses can afford to treat as background noise. It is the standard they will be measured against if something goes wrong.

The businesses that handle this well are not the ones with the biggest budgets. They are the ones that can show what they did, why they did it, and that they kept doing it.

If you are not sure whether your business can demonstrate that right now, it is worth understanding what the gap looks like before someone else identifies it for you.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.