Last reviewed 10 May 2026. This post is general information, not legal advice. If you need to know whether the Privacy Act applies to your specific business, talk to a lawyer or contact the Office of the Australian Information Commissioner (OAIC).
What the OAIC says today
The OAIC's current public position is that most Australian small businesses are not covered by the Privacy Act. Section 6D of the Act exempts businesses with an annual turnover of A$3 million or less, with a list of named exceptions. The OAIC publishes guidance pages explaining the exemption and the carve-outs. None of that has been removed.
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. The first tranche of changes commenced through 2025, including a statutory tort for serious invasions of privacy and updated civil penalty arrangements for the entities already in scope. None of those changes removed the small business exemption.
A second tranche of reforms has been discussed by the Attorney-General's department, and the small business exemption has been listed as one of the items under review. As of the date at the top of this page, no bill removing the exemption has been introduced or commenced. If that changes, this page will be updated.
The carve-outs that already apply
The small business exemption has named exceptions in section 6D. A small business that fits any of these categories is covered by the Privacy Act regardless of its turnover. The list, as published by the OAIC, includes:
Health service providers. Any business that provides a health service and holds health information: medical and allied-health practices, dentists, physiotherapists, chiropractors, optometrists, psychologists, complementary therapists, gyms and weight-loss clinics, child-care centres, and private schools and tertiary education providers, where they hold health information.
Businesses that trade in personal information. If you buy or sell lists of personal information, the exemption does not apply. This catches some affiliate operators, list brokers, and data resellers. Loyalty programs and ordinary customer email lists are not the same thing as "trading" in the Act's sense, but the line is not always obvious.
Contractors to the Commonwealth. A small business providing services to a federal government agency under a Commonwealth contract is covered in respect of the activities it carries out under that contract.
Reporting entities under the AML/CTF Act. Businesses that provide designated services (financial services, gambling, bullion, digital currency exchange, and certain professional services) and therefore hold reporting obligations under the AML/CTF Act.
Credit reporting bodies and credit providers dealing with consumer credit information.
Residential tenancy database operators.
Operators of a private sector health insurance fund.
Even outside that list, Privacy Act coverage is not the only reason small businesses end up needing privacy practices in place. Cyber insurance questionnaires, larger customers' procurement reviews, and partner due-diligence checks all ask the same kinds of questions the Act would ask.
APP 11: what "reasonable steps" tends to mean
For businesses that are covered (whether through turnover, a carve-out above, or future reform), Australian Privacy Principle 11 requires the entity to take "reasonable steps" to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The OAIC publishes guidance on what reasonable steps can look like. It does not publish a single mandatory checklist, because what is reasonable for a four-person bookkeeping firm is different from what is reasonable for a state government agency.
Across the OAIC's guidance, regulator decisions, and market expectations from insurers and large customers, a common pattern shows up. Reasonable steps tend to include active technical measures, not just a written policy. That means real controls (multi-factor authentication, access governance, recurring vulnerability assessment of internet-facing services, incident response that has been rehearsed) and dated evidence those controls were running on the relevant dates.
A privacy policy that lives in a Google Doc, on its own, is not what the OAIC means by reasonable steps. It is part of the picture, not the whole picture.
Where external monitoring fits
External attack-surface monitoring covers one slice of the technical-measures list. It looks at what your business has exposed on the public internet (web, DNS, email authentication, TLS, common application weaknesses) and reports on what is wrong, with dated evidence of when the check ran.
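As an added illustration of the "email authentication" slice of such a check (example code written for this page, not AttackEdge's scanner or anything from the OAIC), the script below parses SPF and DMARC TXT records, flags the weak settings a scanner would report, and wraps the result in a dated evidence record. The DNS answers are constructed samples embedded inline so it runs offline; a real check would substitute a live TXT lookup. Domain names, thresholds other than the RFC 7208 ten-lookup limit, and the record layout are assumptions.

```python
"""Added example: assess SPF and DMARC records and emit a dated finding log.

The TXT answers below are constructed samples, not live DNS data, so the
script runs offline. Swap `SAMPLE_TXT` for a real resolver in practice.
"""
import json
from datetime import datetime, timezone

# Constructed sample TXT answers keyed by the name that would be queried.
SAMPLE_TXT = {
    "example.com.au": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
    "weak.example.com.au": ["v=spf1 +all"],
    "_dmarc.weak.example.com.au": [],
}

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten causes permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(records):
    """Return a list of findings for the SPF record(s) in `records`."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    all_qual, lookups = None, 0
    for term in spf[0].split()[1:]:
        t = term.lower()
        qual = "+"  # a mechanism with no qualifier means pass
        if t[0] in "+-~?":
            qual, t = t[0], t[1:]
        # Strip any ":domain", "=value" or "/cidr" suffix to get the term name.
        name = t.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qual = qual
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qual is None:
        findings.append("SPF: no 'all' mechanism; record ends in implicit neutral")
    elif all_qual in ("+", "?"):
        findings.append(f"SPF: '{all_qual}all' lets any sender pass")
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds limit of {MAX_SPF_LOOKUPS}")
    return findings


def parse_dmarc(records):
    """Return a list of findings for the DMARC record in `records`."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, it does not block spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def assess_domain(domain, txt_lookup, now=None):
    """Run both checks for `domain` and return a dated evidence record."""
    now = now or datetime.now(timezone.utc)
    findings = parse_spf(txt_lookup.get(domain, []))
    findings += parse_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))
    return {
        "domain": domain,
        "checked_at": now.isoformat(timespec="seconds"),
        "findings": findings,
        "pass": not findings,
    }


if __name__ == "__main__":
    for d in ("example.com.au", "weak.example.com.au"):
        print(json.dumps(assess_domain(d, SAMPLE_TXT), indent=2))
```

The `checked_at` timestamp is the point: a finding without a date is an opinion, a finding with a date is evidence that the check ran on that day. Keeping the raw record alongside the finding (not shown here) is what lets someone reproduce the result later.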
That fits into a few different conversations. Cyber insurance questionnaires often ask whether you run recurring vulnerability assessment. A larger customer's procurement team may ask the same. Where your business is covered by the Privacy Act (today, or after possible reform), APP 11 reasonable-steps evidence sits alongside your other internal controls.
AttackEdge is the part of the picture we build. We run recurring external scans on whatever your business has on the public internet, with a dated log of what we found and when. That covers the "external vulnerability assessment" slice and creates a piece of the evidence trail you can hand to an insurer, a procurement team, or (if it ever applies to you) an OAIC investigator. The rest, including MFA, access controls, staff training, breach response, and the actual policy work, sits with you and whoever does your IT.
Two practical things this quarter
First, work out which side of the small business exemption you actually sit on today. If you handle health information of any kind, contract to the Commonwealth, hold AML/CTF obligations, or fit one of the other carve-outs, you are already covered. The OAIC pages on the small business exemption are the starting point.
Second, get a baseline of what your external surface looks like. Read the Privacy Act page on this site for the longer version of how external monitoring fits into APP 11 and what data residency looks like, or just run a free check on your domain and see what is there.
AttackEdge gives dated external monitoring evidence. It does not by itself make a business compliant with the Privacy Act or any specific framework, and it does not replace legal advice on whether the Act applies to you.