
Cyber Security and Data Privacy in Australia

  • sujosutech
  • Mar 27
  • 4 min read

Australia has a culture of implementing stringent cyber security measures to safeguard organisational and national assets. The country has adopted several security standards, including ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003 and ISO/IEC 27004. In 2024, the Cyber Security Act was enacted as Australia’s first standalone cyber security legislation. To address data privacy, the country has adopted the best practices of the ISO/IEC 27701 standard. In addition, the Privacy Act was introduced in 1988 to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations handle personal information.



The standards mentioned above have been described in our previous article entitled “Data Privacy Compliance - Global Standards and Legislations”. In this article, we describe, in brief, the salient features of Australia’s cyber security and data privacy legislations.


Cyber Security Act 2024


The 2023-2030 Australian Cyber Security Strategy was published on November 22, 2023. The strategy aims to make Australia a world leader in cyber security by 2030 by means of six “cyber shields”. Each shield adds a layer of defence against cyber threats and places Australian citizens and businesses at its core. The six shields are as follows:

  • Strong businesses and citizens – Citizens and businesses are protected from cyber threats and can recover quickly following a cyber-attack.

  • Safe technology – Citizens can trust that their digital products and services are safe, secure, and fit for purpose.

  • World-class threat sharing and blocking – The country has access to real-time threat data and can block threats at scale.

  • Protected critical infrastructure – Critical infrastructure and essential government systems can withstand and bounce back from cyber-attacks.

  • Sovereign capabilities – Australia has a flourishing cyber industry, enabled by a diverse and professional cyber workforce.

  • Resilient region and global leadership – The region is more cyber resilient, and Australia continues to uphold international laws and norms and to shape global rules and standards in line with shared interests.


The Cyber Security Act 2024 implements initiatives from the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps and aiming to bring Australia in line with international best practice. The Act received Royal Assent and became law on November 29, 2024. The Act provides for the following:

  • minimum cyber security standards for smart devices;

  • obligation for certain businesses to report incidents of ransomware and cyber extortion;

  • Limited Use obligation for the National Cyber Security Coordinator (NCSC) to encourage industry engagement with the government following cyber incidents; and

  • establishment of a Cyber Incident Review Board to conduct reviews of significant cyber incidents, and share lessons learned.


To give effect to some of the measures under the Cyber Security Act 2024, a set of Cyber Security Rules was registered on March 4, 2025. They are as follows:

  • Cyber Security (Security Standards for Smart Devices) Rules 2025;

  • Cyber Security (Ransomware Payment Reporting) Rules 2025; and

  • Cyber Security (Cyber Incident Review Board) Rules 2025.


The rules-based model allows the government to adapt the regulations to evolving technology and respond to emerging cyber security threats by updating the standards as required. The Act also lays down measures aimed at better understanding cyber security incidents, keeping affected parties informed about them, and improving responses to them.


Privacy Act 1988

The Privacy Act 1988 was enacted by the Australian Parliament at the end of 1988 and came into effect in 1989. It specifies how entities may collect, process, and use personal data from people in Australia. It also sets out people’s rights over their data and the penalties imposed for violating the Act. It includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations as well as most Australian Government agencies. The APPs are as follows:



  • Open and transparent management of personal information;

  • Anonymity and pseudonymity;

  • Collection of solicited personal information;

  • Dealing with unsolicited personal information;

  • Notification of the collection of personal information;

  • Use or disclosure of personal information;

  • Direct marketing;

  • Cross-border disclosure of personal information;

  • Adoption, use, or disclosure of government-related identifiers;

  • Quality of personal information;

  • Security of personal information;

  • Access to personal information; and

  • Correction of personal information.


The APPs are “technology neutral”, that is, they can adapt and apply to existing and future technologies. Organisations have the flexibility to tailor how they apply the APPs to their own data processing activities. The Privacy Act mandates that organisations take reasonable steps to protect personal information from unauthorised access, modification, and disclosure. In addition, organisations must destroy or de-identify personal information once it is no longer required.

There have been several amendments to the Privacy Act 1988. In 2000, the Act was amended to cover the private sector. In 2014, the APPs replaced the National Privacy Principles and the Information Privacy Principles in the Act. It was further amended in 2017 and 2022 to increase the maximum penalties for data breaches and to give the Office of the Australian Information Commissioner (OAIC) enhanced enforcement powers.


How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy, and compliance. Our services include:

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect, and recover from potential attacks.

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures, and other relevant manuals.

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.


With Sujosu Technology’s expertise, your organisation can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with the relevant standards and legislation.


Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.
