PRIVACY ACT 1988
APP 11 — Security
The Australian Privacy Principles require reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP 11 is the security obligation, and the one most often referenced in OAIC determinations.
WHAT APP 11 REQUIRES
Reasonable security steps
APP 11.1 requires entities to take steps reasonable in the circumstances to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
Destruction or de-identification
APP 11.2 requires entities to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the information is contained in a Commonwealth record or the entity is required by law or a court or tribunal order to retain it.
Information governance
Documented information handling policies, staff training, role-based access, and incident-response plans are the kind of 'reasonable steps' the OAIC's Guide to Securing Personal Information describes and expects to see evidence of.
Risk-based controls
Controls should match the sensitivity of the data and the harm a breach could cause. Health and financial data attract higher expectations than low-sensitivity records.
HOW WE MEET APP 11
Data residency in Australia
Personal information stored on Australian infrastructure operated by an Australian entity narrows a material risk vector: foreign access requests, jurisdictional uncertainty, and unclear privacy regimes. Location alone does not settle the question, so the provider's own legal jurisdiction matters as much as where the disks sit.
Encryption and access control
Encryption at rest and in transit, with documented key management covering who holds keys and how they are rotated and revoked. Role-based access, enforced MFA, and audit trails: the controls the OAIC expects to find when it investigates an incident.
Retention and destruction
Documented retention schedules with automated destruction or de-identification at end of life, plus an evidence trail showing which records were disposed of, when, and under which rule, so APP 11.2 obligations are demonstrably met rather than merely asserted.
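As an added illustration (not code from this page or from any product it describes), the following Python sketch shows what an automated APP 11.2 job looks like in practice: a retention schedule keyed by record category, a legal-hold exception for records that must be retained by law, de-identification that strips direct identifiers, and a hash-chained evidence trail that proves disposal happened without itself retaining any personal information. The schedule, field names and sample records are all hypothetical and constructed for the example.

```python
"""Retention-schedule enforcement with an evidence trail.

Added example, not the page's own code. The schedule, record layout and
sample data below are hypothetical.
"""
import hashlib
import json
from datetime import date, timedelta

# Hypothetical retention schedule. 'retain_days' runs from the date the
# record was last needed; 'action' is the APP 11.2 outcome at end of life.
RETENTION_SCHEDULE = {
    "marketing_lead": {"retain_days": 365, "action": "destroy"},
    "support_ticket": {"retain_days": 730, "action": "deidentify"},
}

# Direct identifiers removed when a record is de-identified (assumed names).
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address", "dob")

GENESIS_HASH = "0" * 64  # starting value for the evidence hash chain


def disposal_action(record, today, schedule=RETENTION_SCHEDULE):
    """Return 'destroy', 'deidentify' or None (keep) for a record on a date.

    A legal hold (retention required by law or a court order) always wins.
    An unknown category fails closed: keep it and let a human classify it.
    """
    if record.get("legal_hold"):
        return None
    rule = schedule.get(record["category"])
    if rule is None:
        return None
    end_of_life = date.fromisoformat(record["last_needed"]) + timedelta(days=rule["retain_days"])
    return rule["action"] if today >= end_of_life else None


def deidentify(record):
    """Drop direct identifiers; keep fields that are still useful."""
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    kept["deidentified"] = True
    return kept


def evidence_entry(record, action, today, prev_hash):
    """One tamper-evident log entry. It deliberately holds no personal
    information: it proves *that* a disposal happened, not *what* was in
    the record, so the trail itself never becomes a retention problem."""
    body = {
        "record_id": record["id"],
        "category": record["category"],
        "action": action,
        "date": today.isoformat(),
        "prev_hash": prev_hash,
    }
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["entry_hash"] = hashlib.sha256(canon.encode()).hexdigest()
    return body


def run_retention_job(records, today, schedule=RETENTION_SCHEDULE):
    """Apply the schedule. Returns (surviving records, evidence trail)."""
    survivors, trail = [], []
    prev_hash = GENESIS_HASH
    for rec in records:
        action = disposal_action(rec, today, schedule)
        if action == "deidentify":
            survivors.append(deidentify(rec))
        elif action is None:
            survivors.append(rec)  # still needed, on hold, or unclassified
            continue
        # 'destroy' falls through: the record is not carried forward at all.
        entry = evidence_entry(rec, action, today, prev_hash)
        prev_hash = entry["entry_hash"]
        trail.append(entry)
    return survivors, trail


def verify_trail(trail):
    """Recompute the chain; an edited or removed entry breaks it."""
    prev_hash = GENESIS_HASH
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev_hash:
            return False
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(canon.encode()).hexdigest() != entry["entry_hash"]:
            return False
        prev_hash = entry["entry_hash"]
    return True


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "L-1001", "category": "marketing_lead", "last_needed": "2023-01-15",
     "name": "A. Citizen", "email": "a@example.com", "legal_hold": False},
    {"id": "L-1002", "category": "marketing_lead", "last_needed": "2024-06-01",
     "name": "B. Citizen", "email": "b@example.com", "legal_hold": False},
    {"id": "T-2001", "category": "support_ticket", "last_needed": "2022-03-10",
     "name": "C. Citizen", "phone": "0400000000", "issue": "login failure", "legal_hold": False},
    {"id": "T-2002", "category": "support_ticket", "last_needed": "2021-01-01",
     "name": "D. Citizen", "email": "d@example.com", "issue": "billing dispute", "legal_hold": True},
]
JOB_DATE = date(2024, 9, 1)  # assumed run date for the sample


def run_sample_job():
    """Run the job over the constructed records on the assumed date."""
    return run_retention_job(SAMPLE_RECORDS, JOB_DATE)


if __name__ == "__main__":
    kept, evidence = run_sample_job()
    print(json.dumps(kept, indent=2))
    print(json.dumps(evidence, indent=2))
    print("trail verifies:", verify_trail(evidence))
```

Two design points worth noting. First, the trail hashes only identifiers and metadata; hashing the disposed content would quietly re-create a copy of low-entropy personal data. Second, a hash chain detects edits and deletions inside the trail but not truncation of its tail, so the latest entry hash should be anchored somewhere the job cannot overwrite (a write-once log or a signed daily summary).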
Aligned to other frameworks
APP 11 controls map closely to the ACSC Essential Eight, ISO 27001, and APRA CPS 234. We design once and meet many obligations at the same time, while tracking the obligations each framework adds that the others do not.
RELATED REGULATIONS
Notifiable Data Breaches
Mandatory notification to the OAIC and affected individuals of eligible data breaches, those likely to result in serious harm.
International Transfers
Transferring personal information overseas requires reasonable steps to ensure the recipient does not breach the APPs (APP 8).
Overseas Data Risks
Foreign jurisdiction, latency, vendor lock-in, and compliance gaps.
READY FOR A PRIVACY REVIEW?
We map your environment to APP 11 controls and surface the gaps.