Dated external security evidence for clients, insurers, and the OAIC.
Some Australian small businesses are already covered by the Privacy Act, including health service providers, AML/CTF reporting entities, and Commonwealth contractors. Many others still need to show clients, insurers, and partners that they take security seriously. AttackEdge gives you continuous, dated evidence about your external perimeter. It is not legal advice and does not by itself make a business compliant with the Privacy Act or any other framework.
The 2024 reforms, in order.
- Royal Assent: The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. This is the first tranche of broader reforms to the Privacy Act 1988 (Cth).
- Statutory tort: A new statutory tort for serious invasions of privacy commenced on 10 June 2025. Affected individuals can sue directly for serious mishandling of personal information.
- Civil penalties: The OAIC can seek civil penalties of up to A$50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period (whichever is greater) for serious or repeated interferences with privacy.
- Reasonable steps standard: Australian Privacy Principle (APP) 11 requires entities to take "reasonable steps" to protect personal information from misuse, loss, and unauthorised access. The OAIC has signalled this means active, technical measures, not just policies.
- Small business coverage: Today, most businesses with annual turnover under A$3 million are exempt from the Privacy Act. The OAIC carves out specific categories that are already covered, including health service providers, AML/CTF reporting entities, businesses that trade in personal information, residential tenancy database operators, credit reporting bodies, and Commonwealth contractors. The exemption may narrow under future reform, but no change has commenced. Many small businesses voluntarily align with the Australian Privacy Principles to meet client, insurer, and partner expectations.
Four pieces of the "reasonable steps" picture.
These cover one technical measure each. The full obligation is broader.
Recurring scans of your domains, subdomains, and IPs. Anything new appearing on the public internet is detected and assessed. Static, annual penetration tests no longer count as reasonable for organisations holding personal data.
Every scan is timestamped and stored. If the OAIC or your insurer asks what you were doing to protect personal information, you produce a scan log with dates, scope, and findings.
Each finding is written for a business owner first, with a technical addendum for IT or your MSP. No CVSS dumps. The risk to personal data is named explicitly so a non-technical decision-maker understands.
Primary customer records, scan results, and report metadata are stored in Sydney. Overseas processing is limited to listed subprocessors and disclosed.
What we do not claim.
No external scanner makes you Privacy Act compliant on its own. AttackEdge covers one technical measure: continuous monitoring of what your business exposes to the public internet. The other controls (MFA, access governance, encryption at rest, secure development, incident response, staff training, breach notification process) sit outside our scope. We will say plainly which of these we do not cover, so you do not buy a tool that papers over a different gap.
If you need a defensible posture across the full Privacy Act obligation, talk to a privacy lawyer or specialist consultancy. We are happy to refer.
Honest answers.
Is my small business covered by the Privacy Act?
It depends. Today, businesses with annual turnover under A$3 million are generally exempt unless they handle health information, trade in personal information, are a contractor to the Commonwealth, or are otherwise carved out of the exemption. The Australian Government has committed to reforming this, and many small businesses are voluntarily aligning with the Australian Privacy Principles ahead of further legislative change.
What does "reasonable steps" actually mean?
The OAIC publishes guidance on this. In practice, it means having documented security controls that match the sensitivity of the data you hold, the size of your business, and the risk of harm if data were exposed. Continuous external monitoring of internet-facing assets is one piece of that, alongside MFA, access controls, staff training, and incident response.
Does AttackEdge make me Privacy Act compliant?
No single tool can. AttackEdge provides continuous, dated evidence that you are monitoring your external perimeter, which is one technical measure among several. Other measures (MFA, access governance, incident response, breach notification process, staff training) sit outside our scope.
What about Notifiable Data Breaches?
The Notifiable Data Breaches scheme has applied to most Privacy Act-bound entities since 2018. If you suffer an eligible data breach, you must notify affected individuals and the OAIC. AttackEdge helps reduce the likelihood of a breach by detecting exposures before they are weaponised, but the obligation to notify if one does occur remains yours.
Where is my AttackEdge data stored?
Primary scan results and account data are held in Fly.io Postgres in Sydney, Australia. Report artifacts are stored in Cloudflare R2. Subprocessors are listed openly on the security page along with what they do.
Start the dated evidence stream today.
One scan, a dated PDF, the same shape every cycle. Show clients, insurers, and the OAIC what you have in place on the external perimeter.