Skip to main content
Cleverer Logo
Book a Demo
Log in
Cleverer Logo
Book a Demo
Log in
Cleverer Logo
Regulatory Assessment

What Do Regulators Check Under the Privacy Act?

When the OAIC investigates an organisation — following a breach, complaint, or own-motion inquiry — it assesses whether the organisation took reasonable steps to protect personal information. This assessment is retrospective: it evaluates what was in place at the time of the incident, not what was implemented afterward. Understanding what regulators look for is the first step toward defensibility.

Start Compliance Now View Pricing
How the OAIC assesses compliance
1
What was in place The OAIC assesses the measures that existed before the incident — not what was planned or promised.
2
What was proportionate Reasonable steps are assessed relative to the sensitivity and volume of data held and the harm a breach could cause.
3
What was practicable Steps that were available, affordable, and reasonable for the organisation to implement but were not taken count against you.
The Assessment

What Most Businesses Do Not Realise About Regulatory Scrutiny

Many businesses assume that regulatory investigation only follows a major breach. In practice, the OAIC can investigate following a single individual’s complaint, a notifiable data breach report, or its own initiative. The investigation assesses your entire compliance posture, not just the incident.

What businesses assume

  • Only large breaches attract regulatory attention
  • Having a policy document is sufficient
  • The regulator assesses what you do after the incident
  • Technical security measures satisfy Privacy Act requirements
  • Small businesses are not investigated

What the OAIC actually assesses

  • A single complaint can trigger an investigation
  • Policies must be implemented, communicated, and evidenced
  • The assessment focuses on what was in place before the incident
  • People-side compliance is assessed alongside technical measures
  • The OAIC has investigated organisations of all sizes

The Specific Areas Regulators Assess

The OAIC’s assessment of reasonable steps under APP 11 covers the full scope of an organisation’s data protection measures — not just technical infrastructure.

!

Staff awareness

Did staff who handle personal information understand their obligations? Was compliance assigned, tracked, and documented — or merely assumed?

?

Governance oversight

Was there director or senior-level oversight of the organisation’s cyber compliance posture? Was this oversight documented with dates and actions?

Breach preparedness

Did a documented breach response plan exist? Were staff aware of it? Could the organisation demonstrate it was operational, not just written?

×

Proportionality

Were the steps taken proportionate to the sensitivity of the data held? More sensitive data — health, financial, identity — demands stronger steps.

Self-Assessment

Would your compliance posture withstand OAIC scrutiny?

Answer 10 questions to assess whether your business has the documented evidence of reasonable steps that regulators expect to see.

Privacy Act Compliance Assessment

Are You Meeting Your Privacy Act Obligations?

The Privacy Act 1988 and APP 11 require organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. This assessment helps identify where your obligations may not be met.

Answer 10 questions to identify where your business may not be taking reasonable steps.

Step 1 of 3

Data & Handling

1. Does your business have a documented process for how personal information is collected, stored, and disposed of?

2. Have all staff who handle personal data completed cyber compliance obligations appropriate to their role?

3. Can you produce evidence of compliance if requested by an insurer, client, or regulator today?

Step 2 of 3

Processes & Evidence

4. Does your business have a documented data breach response plan that staff have been made aware of?

5. Are compliance certifications tracked with expiry dates and renewal processes?

6. Do managers and team leaders understand their oversight responsibilities for cyber compliance?

Step 3 of 3

Governance & Oversight

7. Has a director or senior leader reviewed the organisation's cyber compliance posture in the last 12 months?

8. Does your business differentiate compliance obligations by role (staff, managers, directors)?

9. Are third-party access and data sharing arrangements documented and reviewed?

10. Does your business review and update its compliance measures at least annually?

Outcomes of Regulatory Investigation

The consequences of an OAIC investigation extend beyond the immediate finding. They affect insurance, client relationships, and the organisation’s commercial position.

Determination of non-compliance

The OAIC can formally determine that your organisation failed to take reasonable steps under APP 11. This finding is public and creates a permanent record.

Enforceable undertakings

The OAIC can require your organisation to implement specific compliance measures within defined timeframes, with ongoing reporting obligations.

Civil penalty proceedings

For serious or repeated failures, the OAIC can seek civil penalties through the Federal Court. Penalties for organisations can be substantial.

Evidence

What Defensible Compliance Looks Like to a Regulator

Documented measures

  • Written policies that are implemented, not just filed
  • Staff compliance records with dates and completion
  • Role-based obligation assignment
  • Breach response plan with communication evidence

Active maintenance

  • Recertification tracked and managed
  • Annual reviews conducted and documented
  • Updates implemented when circumstances change
  • Governance review within the preceding 12 months

Retrievable evidence

  • Compliance reports available on demand
  • Certifications verifiable by third parties
  • Complete records, not fragments or assumptions
  • Timestamped evidence of ongoing activity

If your business was reviewed today, would you be confident in your position?

Related compliance resources

Be ready to prove it.

Compliance obligations do not wait for a breach. Insurers, regulators, and clients expect documented evidence of reasonable steps — not a promise that you are working on it. The cost of being unable to demonstrate compliance is measured in liability, not intent.

Get Started Book a Call
Cleverer Logo
Privacy Policy Terms Contact
© 2026 Cleverer. Human-layer cyber compliance for Australian business.