What Are “Reasonable Steps” Under the Privacy Act?
“Reasonable steps” are the practical actions your business takes to protect personal information — and the evidence you can produce to show those actions were real, current, and appropriate for your risk.
General information only. This page is not legal advice.
Reasonable steps are not vague intentions
What “reasonable steps” actually means
Under APP 11, covered organisations must take reasonable steps to protect the personal information they hold. That does not mean every business must do exactly the same thing. It means your protection measures should be appropriate to your circumstances: your data, your systems, your people, and the harm that could occur if that information is misused or exposed.
In practical terms, reasonable steps are not just a technical cyber security setting. They are the combined technical, organisational, and governance actions your business can show it had in place before something went wrong.
Know what you hold
Understand what personal information your business collects, where it is stored, who can access it, and why it is retained.
Protect it properly
Use appropriate safeguards across access control, devices, systems, vendors, people, policies, and business processes.
Assign accountability
Make sure owners, managers, and staff understand what they are responsible for and what needs to be reviewed.
Keep evidence
Maintain a current, dated record of training, policies, reviews, decisions, tasks, and improvements.
Most businesses do not fail because they did nothing
They fail because the work is scattered, undocumented, stale, or impossible to prove when a regulator, insurer, auditor, or client asks for evidence.
Policies are not maintained
A policy that nobody owns, reviews, or follows is weak evidence of reasonable steps.
Training is incomplete
Training only helps if it is assigned, completed, refreshed, and connected to role-based responsibilities.
Oversight is invisible
If managers and directors cannot show review, escalation, and follow-through, governance becomes difficult to defend.
Evidence is created too late
Trying to reconstruct compliance after a breach, claim, or questionnaire is not the same as maintaining evidence over time.
What strengthens your position
- Current cyber security and privacy policies with assigned ownership.
- Role-based staff, manager, and director training records.
- Evidence of recurring reviews, overdue actions, and completed tasks.
- Incident, issue, vendor, and risk records maintained before they are needed.
- Clear records showing who did what, when, and why.
What weakens your defence
- Generic cyber awareness with no clear completion evidence.
- Policies copied from templates but never reviewed or adopted.
- Security tools with no governance, ownership, or documented oversight.
- Compliance activity spread across inboxes, spreadsheets, and shared folders.
- Evidence assembled only after something has gone wrong.
The question is not only “were you secure?”
When something goes wrong, the question becomes: what did your business have in place before the incident, and can you prove it?
That is why a checklist is not enough. A one-off assessment is not enough. A training certificate alone is not enough. You need a maintained compliance record that shows reasonable steps were active, assigned, reviewed, and evidenced over time.
Reasonable steps need a record
A business that can show dated decisions, assigned responsibilities, completed training, policy reviews, issue tracking, and evidence packs is in a stronger position than a business that simply says it believed it was doing the right thing.
How to prove reasonable steps
To prove reasonable steps, your business needs more than a policy library. It needs a practical way to connect obligations, roles, activity, evidence, and reporting.
Map obligations
Identify which Privacy Act, APP 11, SMB1001, client, insurer, or internal obligations apply to the business.
Assign responsibility
Make responsibilities visible across owners, directors, managers, staff, and service providers.
Capture evidence
Record training, reviews, attestations, policy actions, issues, decisions, and follow-up activity as they happen.
What reasonable steps can look like in a small or medium business
Access control
MFA, least privilege, joiner-mover-leaver reviews, and records showing access was reviewed.
Backup and recovery
Backups configured, monitored, and periodically tested with evidence of restore checks.
Training and awareness
Role-based training, completion tracking, refresher cycles, and clear reporting pathways.
Governance
Policies reviewed, risks escalated, decisions recorded, and overdue compliance tasks visible.
How Cleverer helps
Cleverer helps Australian businesses turn cyber security activity into a defensible compliance record. The platform connects obligations, training, policies, tasks, governance reviews, issue tracking, and evidence reporting so reasonable steps are not left as an unsupported claim.
You need the record before someone asks
Regulator review
If practices are reviewed, you need to show what was in place, when it was reviewed, and how responsibilities were managed.
Insurance claim
Insurers may ask for evidence of controls, training, governance, and ongoing maintenance before accepting a claim position.
Client questionnaire
Larger clients increasingly expect suppliers to show evidence of cyber controls, privacy practices, and governance maturity.
Can your business prove reasonable steps?
If your evidence is scattered across inboxes, old training records, policy folders, and assumptions, you do not have a defensible compliance position. You have a proof gap.
Common questions about reasonable steps under the Privacy Act
What are reasonable steps under the Privacy Act?
Reasonable steps are the practical actions an organisation takes to protect personal information. Under APP 11, those actions should be appropriate to the organisation’s circumstances, risks, and the personal information it holds.
Are technical cyber security controls enough?
Technical controls are important, but they are not the whole picture. Organisational measures such as policies, training, accountability, reviews, and evidence are also important to a defensible compliance position.
Does the Privacy Act require a specific checklist?
No. Reasonable steps depend on context. That is why businesses need to consider their size, operations, information handling, risk profile, and available safeguards.
How do you prove reasonable steps?
You prove reasonable steps by keeping current evidence of the controls, policies, training, decisions, reviews, and governance activity your business had in place before a problem occurred.
Can Cleverer guarantee Privacy Act compliance?
No. No platform can guarantee legal compliance by itself. Cleverer helps businesses maintain the governance, training, accountability, and evidence records that support a stronger cyber compliance position.
Is this legal advice?
No. This page provides general information only. You should seek legal advice for your specific circumstances.