Security · 7 min read · 27 May 2026

Privacy Act 1988 and Your Website's Security Obligations

The Privacy Act 1988 imposes specific security obligations on Australian businesses that collect personal information online. Here's what your website must do to comply.

By CertGuard Team

This article provides general educational information about the Privacy Act 1988 and website security. It is not legal advice. Privacy obligations depend on your specific circumstances. Consult a privacy lawyer or the OAIC (oaic.gov.au) for guidance on your situation.

If your Australian website collects personal information — a name, an email address, a phone number, a payment detail — you almost certainly have obligations under the Privacy Act 1988 (Cth). Those obligations include taking "reasonable steps" to protect that information from unauthorised access.

What constitutes "reasonable steps" for website security? SSL certificates are one of them — and an expired or improperly configured SSL certificate is a documented gap in your Privacy Act compliance posture.

Who Does the Privacy Act Apply To?

The Privacy Act applies to:

The $3 million threshold exempts many very small businesses, but there are important exceptions. If your business:

...you may be covered regardless of turnover.

And even if you're currently below the threshold, the Australian Government has proposed removing the small business exemption in future reform stages — businesses near the threshold should monitor developments at oaic.gov.au.

If you're unsure whether the Privacy Act applies to your business, the OAIC (Office of the Australian Information Commissioner) provides guidance at oaic.gov.au, and a privacy lawyer can advise on your specific situation.

The Australian Privacy Principles

The Privacy Act is implemented through the 13 Australian Privacy Principles (APPs). For website security, the relevant principles are:

APP 1 — Open and transparent management of personal information
Your privacy policy must describe how you manage personal information. This should include how you protect it during transmission.

APP 5 — Notification of collection
You must tell individuals what personal information you're collecting and how you'll use it, before or at the time of collection.

APP 11 — Security of personal information
This is the core security obligation. It requires that you:

"Take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure." (Paraphrased — see the full text of APP 11 at legislation.gov.au)

"Reasonable steps" is not precisely defined — it's interpreted based on the sensitivity of the information, the volume collected, and the current state of security practice.

What "Reasonable Steps" Means for Website Security

The OAIC has published guidance that informs what's expected. In the context of websites that collect personal information, reasonable steps include:

Encryption in transit
Transmitting personal information over HTTPS (using SSL/TLS encryption) is explicitly mentioned in OAIC guidance as a reasonable step. Transmitting personal information over HTTP — without encryption — is not a reasonable step for any business collecting more than minimal information.

This means: if your website collects email addresses, names, phone numbers, or any other personal information via a form, that page must be served over HTTPS with a valid SSL certificate.

Encryption at rest
For stored personal information, encryption at rest is considered a reasonable step, particularly for sensitive information (health data, financial data, government identifiers).

Access controls
Appropriate access controls on systems that store personal information.

Staff training and policies
Procedures for identifying and responding to privacy incidents.

Regular review of security measures
This is often overlooked. APP 11 implies that security measures are not set-and-forget — they should be reviewed periodically to ensure they remain adequate given evolving threats and business changes.

The Notifiable Data Breaches Scheme

Since 2018, the Privacy Act has included mandatory data breach notification requirements under the Notifiable Data Breaches (NDB) scheme.

If your business experiences an "eligible data breach" — a breach that is likely to result in serious harm to individuals whose personal information was exposed — you must notify both the OAIC and affected individuals.

A misconfigured or expired SSL certificate that results in personal information being transmitted without encryption — and that information is subsequently intercepted — could be an eligible data breach. The legal analysis depends on the specific circumstances, but the risk is real.

The NDB scheme creates a compliance cost for breaches. OAIC investigations of reportable breaches are time-consuming and potentially costly. Ongoing security controls, documented appropriately, reduce both the probability of a breach and the regulatory risk if one occurs.

The 2024 Privacy Reforms

Australia is in the process of significant Privacy Act reform. The Privacy and Other Legislation Amendment Act 2024 made a range of changes, and further amendments are expected.

Key changes relevant to website security:

Strengthened security obligations: The reforms are expected to strengthen the security-of-personal-information obligation, moving from "reasonable steps" toward more defined requirements similar to international standards.

Higher penalties: Maximum penalties for serious and repeated interferences with privacy were significantly increased by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 — up to $50 million for corporations, or three times the value of benefit obtained, or 30% of adjusted turnover (whichever is greater).

New enforcement tools: The OAIC has enhanced enforcement powers, including infringement notices for civil penalty provisions.

Children's privacy: Stronger protections for children's personal information, relevant for any website that may be accessed by under-18s.

Practical Compliance Steps for Website Operators

1. Audit what personal information you collect
List every form, every analytics tool, every third-party integration on your website. What personal information does each one collect? Where does it go?

2. Ensure all pages collecting personal information use HTTPS
This includes contact forms, newsletter signups, account registration, checkout pages, and any page with user authentication.

3. Maintain a valid SSL certificate with monitoring
An expired SSL certificate that results in personal information being transmitted unencrypted is a documented compliance gap. Monitoring with automated alerts ensures this doesn't happen.

4. Check your TLS configuration
TLS 1.0 and 1.1 have known vulnerabilities. Transmitting personal information over these deprecated protocol versions may not constitute "reasonable steps" by current standards.

5. Update your privacy policy
Describe how you protect personal information in transit. If you use encryption (HTTPS) and SSL certificates, document this in your privacy policy.

6. Establish an incident response plan
What happens if your SSL certificate expires and personal information is transmitted unencrypted? Who is notified? How quickly is it remediated? Does it need to be reported to the OAIC?

7. Review your security measures annually
APP 11's reasonable steps requirement includes periodic review. Document when you last reviewed your website's security posture.

The Bottom Line

The Privacy Act doesn't specifically say "you must have an SSL certificate." But if you collect personal information via your website and you're transmitting it without encryption — or with an expired certificate that breaks the encryption — you are very likely not taking reasonable steps to protect that information.

The cost of SSL monitoring ($0 for the free tier, $9.99/month for Pro) is trivial against the risk of a data breach notification process, OAIC investigation, or civil penalty action.

CertGuard monitors your SSL certificate and alerts you before it expires, providing a documented security control for your Privacy Act obligations.

Monitor Your SSL Certificates Automatically

CertGuard monitors your certificates automatically and alerts you before anything expires. Free for up to 3 domains.
