Compliance · 8 October 2025 · 13 min read

IT Business Compliance in Australia: Data Privacy, Employment and WHS Obligations

Tags: information technology, privacy, compliance, data breach

IT business compliance in Australia extends well beyond maintaining secure servers and patching software. For small and medium technology businesses — whether you're a software developer, managed services provider, IT consultancy, or SaaS company — the compliance picture spans privacy law, employment obligations, work health and safety for office and remote workers, consumer law, and all the ordinary tax and payroll obligations that come with running a business.

This checklist is designed to help IT SMBs take stock of every major obligation, identify gaps, and build compliance habits that protect the business and its clients.


Part 1: Privacy Act and Australian Privacy Principles

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) sit at the centre of privacy compliance for almost every IT business. If your business collects, holds, uses, or discloses personal information — and virtually every IT business does — the Privacy Act applies if your annual turnover is $3 million or more, or if you fall into one of the categories of organisations that are covered regardless of turnover.

Note: The Australian Government is currently progressing reforms to the Privacy Act that would extend coverage and strengthen obligations. Monitor the Office of the Australian Information Commissioner (OAIC) for updates.

Data Handling and Collection

  • [ ] Your privacy policy is current, accurate, and published in an accessible location (website, app, etc.)
  • [ ] Personal information is collected only for purposes that are clearly disclosed to individuals at the time of collection (APP 5)
  • [ ] You collect only the personal information that is reasonably necessary for your purposes — not everything you could collect (APP 3)
  • [ ] Individuals are given a meaningful choice about whether to provide personal information where this is reasonably practicable
  • [ ] Sensitive information (health information, biometric data, racial or ethnic origin, etc.) is collected only with consent and handled with heightened care (APP 3)

Data Use and Disclosure

  • [ ] Personal information is used only for the primary purpose for which it was collected, or for a related secondary purpose that individuals would reasonably expect (APP 6)
  • [ ] Personal information is not sold to third parties for marketing purposes without explicit consent
  • [ ] Third-party service providers who handle personal information on your behalf (cloud providers, subcontractors, analytics tools) are assessed for privacy practices and governed by appropriate contractual terms
  • [ ] Cross-border data flows — sending personal information overseas — are assessed against APP 8 requirements. You must take reasonable steps to ensure overseas recipients handle the information in accordance with the APPs, or obtain consent

Data Security

  • [ ] Personal information held by your business is protected by reasonable security measures (APP 11) — this includes both technical and organisational controls
  • [ ] A data security risk assessment has been conducted and is kept current
  • [ ] Access controls limit who can access personal information to those with a need to do so
  • [ ] Personal information that is no longer needed is destroyed or de-identified (APP 11)
  • [ ] Vendor security assessments are conducted for critical SaaS tools and cloud platforms that handle client or employee data

Access and Correction

  • [ ] A process exists to handle individual requests to access their personal information within the required timeframe (APP 12)
  • [ ] A process exists to correct personal information that is inaccurate or out of date upon request (APP 13)
  • [ ] Requests are logged and responses documented

Part 2: Notifiable Data Breaches Scheme

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 applies to organisations covered by the Privacy Act. A failure to report an eligible data breach can result in significant regulatory action by the OAIC.

What Is an Eligible Data Breach?

An eligible data breach occurs when:

  1. There is unauthorised access to, or disclosure of, personal information (or loss of personal information where unauthorised access or disclosure is likely); and
  2. A reasonable person would conclude that the breach is likely to result in serious harm to any individual affected

Your Obligations

  • [ ] You have a documented data breach response plan that covers detection, containment, assessment, notification, and review
  • [ ] Staff know how to identify a potential data breach and who to report it to internally
  • [ ] When a suspected data breach is identified, your business assesses within 30 days whether it is an eligible data breach — the clock starts when the entity first becomes aware that there are reasonable grounds to suspect a breach may have occurred
  • [ ] If the breach is eligible, you notify the OAIC and affected individuals as soon as practicable
  • [ ] Notifications to individuals include the required information: nature of the breach, information types involved, recommended steps individuals should take to protect themselves
  • [ ] A breach register is maintained documenting all incidents assessed under the NDB scheme, including incidents that did not meet the notification threshold and the reasons why

Part 3: Employee vs Contractor Classification

IT businesses are heavy users of contractors — developers, designers, testers, consultants. This is perfectly legitimate, but misclassification of employees as independent contractors is one of the highest-risk areas for IT SMBs, with exposure spanning Fair Work Act back-pay liability, ATO PAYG withholding obligations, and superannuation.

See our companion article, Employee vs Contractor in IT: How Australian Tech Businesses Can Get Classification Right, for a full treatment of this topic. Key checklist items:

  • [ ] Each worker relationship has been assessed using the multi-factor test — control, ability to subcontract, equipment provision, integration into business, risk allocation, and basis of payment
  • [ ] Genuine contractors are operating under a written contract that accurately reflects the commercial arrangement
  • [ ] Workers who are genuinely employees are not engaged under sham contractor arrangements
  • [ ] Superannuation Guarantee obligations for contractors who are engaged principally for their labour are being met — these workers may be entitled to super regardless of their ABN status
  • [ ] ATO PAYG withholding obligations for each engagement type are correctly applied
  • [ ] The CFMMEU v Personnel Contracting Pty Ltd [2022] HCA 1 and ZG Operations Australia Pty Ltd v Jamsek [2022] HCA 2 decisions are understood — the written contract is the starting point for classification, but the whole relationship must be examined

Part 4: Employment Under the Professional Employees Award

Most professional IT employees are covered by the Professional Employees Award 2020, which covers professional engineers, scientists, and IT professionals engaged in roles requiring a degree or equivalent qualification.

  • [ ] The Professional Employees Award has been assessed as the applicable award for your professional IT employees — or an enterprise agreement has been properly approved
  • [ ] Employees are correctly classified under the award's levels (IT streams include software engineer, IT manager, and similar classifications)
  • [ ] Annualised salary arrangements: the award allows for annualised salaries. If you use these, the annualised salary must be high enough to cover all entitlements, including any overtime and penalty rates that would otherwise be payable, and a reconciliation must be conducted annually or when employment ends
  • [ ] Pay rates are at or above current award minimum rates (updated 1 July each year following the Fair Work Commission's Annual Wage Review)
  • [ ] Allowances and overtime are paid as required where employees are not covered by an adequate annualised salary arrangement
  • [ ] Employment records are maintained for seven years
  • [ ] Pay slips are issued within one working day of each pay period
  • [ ] Fair Work Information Statement and (where applicable) Casual Employment Information Statement provided to all new employees

Part 5: Work Health and Safety — Office and Remote Workers

WHS obligations apply equally to IT businesses. While the risk profile is different from a construction site, psychosocial hazards, ergonomics, and remote worker safety are all live obligations under the Work Health and Safety Act (or state equivalent).

Office Safety

  • [ ] Ergonomic workstation assessments have been conducted for all workers with desk-based roles
  • [ ] Emergency evacuation procedures are documented and communicated
  • [ ] First aid facilities are adequate (kit, trained first aider if required by your size)
  • [ ] Electrical safety (tagged and tested equipment) is maintained

Remote and Hybrid Workers

  • [ ] Your WHS risk assessment covers workers working from home — your duty of care extends to their home workstation and work environment
  • [ ] A remote work policy addresses workstation setup, expected hours, breaks, and how to report hazards or injuries
  • [ ] Workers are provided with (or reimbursed for) adequate ergonomic equipment for their home workspace where required
  • [ ] Incidents that occur while working from home are captured in your incident register

Psychosocial Hazards

  • [ ] Psychosocial hazards have been identified (excessive workload, tight deadlines, lack of role clarity, isolation for remote workers, poor management practices, bullying, harassment)
  • [ ] Controls are in place to manage identified psychosocial hazards — this is now an explicit regulatory obligation following changes to WHS regulations, not just good practice
  • [ ] An anti-bullying and harassment policy is in place and communicated to all workers
  • [ ] Workers know how to report concerns about psychosocial hazards
  • [ ] Manager training on psychosocial risk management has been provided

Workers Compensation

  • [ ] Workers compensation insurance is current and covers all employees (including remote workers)
  • [ ] Injury management and return-to-work procedures are documented

Part 6: Australian Consumer Law — Software and Digital Services

The Australian Consumer Law (ACL), which forms Schedule 2 of the Competition and Consumer Act 2010, applies to IT businesses that supply goods or services to consumers. If your customers include individuals or small businesses, consumer guarantees almost certainly apply.

  • [ ] Your software or digital service is fit for purpose and operates with acceptable quality — ACL consumer guarantees cannot be excluded by contract terms
  • [ ] If your software causes a major failure (does not do what it is supposed to do), consumers have the right to a refund, replacement, or compensation — your contracts and refund policies reflect this reality
  • [ ] Subscription software: where a service is not provided with due care and skill, consumers may have remedies even if your terms say otherwise
  • [ ] Your terms of service do not attempt to exclude ACL consumer guarantees in a way that would mislead consumers about their legal rights (this is itself a separate ACL breach)
  • [ ] Your sales and marketing representations about product capabilities are accurate — misleading or deceptive conduct under the ACL is a strict liability area with significant penalties

Part 7: Security of Critical Infrastructure Act

The Security of Critical Infrastructure Act 2018 (Cth) imposes obligations on operators of critical infrastructure assets, including data storage or processing assets used by government or designated sectors. Most small IT businesses will not be covered, but if you provide data hosting, cloud services, or managed services to government clients or clients in designated sectors (energy, water, banking, healthcare, etc.), your position should be assessed.

  • [ ] You have assessed whether your business operates a critical infrastructure asset under the SOCI Act
  • [ ] If covered: you are registered with the relevant regulatory authority
  • [ ] If covered: incident reporting obligations under the SOCI Act have been mapped and are understood

Part 8: Tax, BAS, Payroll, and ATO Obligations

  • [ ] ABN is current and ABR details are accurate
  • [ ] GST registration is current if turnover exceeds $75,000
  • [ ] BAS is lodged on time (monthly or quarterly as registered)
  • [ ] PAYG withholding is correctly calculated and remitted
  • [ ] STP Phase 2 is configured in payroll software
  • [ ] Taxable Payments Annual Report (TPAR): IT businesses that engage contractors for IT services may be required to lodge a TPAR with the ATO — check current ATO guidance for your specific situation
  • [ ] Superannuation is paid at 12% of ordinary time earnings from 1 July 2025
  • [ ] Payday super readiness: from 1 July 2026, super must be paid on payday. Review payroll systems now if you currently pay quarterly
  • [ ] R&D Tax Incentive claims (if applicable) are supported by contemporaneous records — AusIndustry and ATO joint program requires robust documentation of eligible R&D activities
  • [ ] Export Market Development Grants (EMDG) assessed if your business markets software or IT services internationally

How Often Should You Review This Checklist?

When a security incident occurs: Immediately activate your data breach response plan and begin the 30-day assessment clock

When engaging a new worker: Classify the engagement (employee vs contractor), confirm award coverage, set up payroll and super correctly

Quarterly: Super contributions (until June 2026), BAS, privacy policy accuracy review

Annually: Award rate updates (1 July), annualised salary reconciliation (if applicable), workers comp premium, TPAR lodgement, full data security risk assessment, privacy policy review, SOCI Act coverage assessment if serving new government or critical sector clients

When the business changes: New services, new clients in sensitive sectors, new jurisdictions — re-assess privacy, SOCI, and consumer law exposure


One Dashboard for Every Obligation

IT businesses often build impressive systems to manage their clients' compliance — and then manage their own with a spreadsheet. The obligations are real, they span multiple regulators, and the consequences of getting them wrong (a data breach notification to the OAIC, a Fair Work back-pay claim, an ATO PAYG audit) are significant.

Reguladar is designed for exactly this situation. It gives IT business owners and operators a single compliance dashboard showing every obligation relevant to their specific business — with due dates, owner assignment, and reminders before anything falls through the cracks.


This checklist is general information only. Obligations vary by business size, client type, and service model. Seek professional or legal advice for your specific situation.
