The laws that shape what organisations must do, what individuals can and can't do, and how Australian-specific frameworks (OAIC, NDB, Essential Eight) fit together. Memorable exam territory: the Australian-specific content is where you can clearly outperform generic answers.
Privacy Act 1988 and its Australian Privacy Principles (APPs) govern how organisations handle personal information. The Notifiable Data Breaches (NDB) scheme requires notification of eligible breaches to the OAIC and affected individuals. The Cybercrime Act 2001 criminalises unauthorised access, modification, and impairment of data and systems. The ACSC Essential Eight is the baseline cyber hygiene framework. These are the laws and frameworks examiners expect you to name.
17.1 Why Law Matters in a Technical Course
Technical decisions have legal consequences. If your system leaks customer data, there's a law about notifying. If you run a red-team exercise, there's a law about authorisation. If you store minors' data, there are special rules. A security professional who doesn't know the relevant law will eventually give advice that looks technically correct but creates legal risk.
Examiners know this, which is why the Australian legal framework shows up in exam questions. A technically strong answer that names the specific Australian law or agency involved outscores an equally-technical answer that stays generic. This chapter gives you the specific names to use.
EXAM HABIT: When any question involves data protection, breach response, ethical hacking, or surveillance, pause and ask yourself "what Australian law applies here?" If you can name it (Privacy Act / Cybercrime Act / Telecommunications (Interception and Access) Act), say so. Even a half-sentence reference lifts the answer.
17.2 The Privacy Act 1988 and the APPs
The Privacy Act 1988 (Cth) is the main federal law governing how personal information is handled in Australia. It applies to Australian government agencies and most private-sector organisations with annual turnover over $3 million (plus health service providers and others regardless of turnover).
Its core content is the 13 Australian Privacy Principles (APPs) in Schedule 1 of the Act. You don't need to memorise all 13 for this course, but you should know the shape of what they cover:
APP 1, Open and transparent management: must have a privacy policy and be upfront about your practices.
APP 3, Collection of solicited information: only collect what is reasonably necessary for your functions or activities.
APP 5, Notification of collection: tell people you are collecting their information and why.
APP 6, Use and disclosure: only use or disclose it for the purpose it was collected for, unless an exception applies.
APP 8, Cross-border disclosure: special rules before sending personal information overseas; the disclosing entity generally remains accountable for what the overseas recipient does with it.
APP 11, Security of personal information: take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure; destroy or de-identify it once it is no longer needed.
APP 12, Access to personal information: individuals can request access to their data.
APP 13, Correction: individuals can request corrections.
The two that show up most often in security discussions are APP 11 (you must secure the data) and APP 6 (you can only use it for what you told people you'd use it for). APP 11 is what turns inadequate security from a bad look into a legal issue.
WHY APP 11 IS CENTRAL: "Reasonable steps" is not defined precisely; it scales with the sensitivity and volume of the data, the harm a breach would cause, and the size and resources of the organisation. For a small cafe's customer list, "reasonable steps" is basic: strong passwords, backups, not leaving the spreadsheet on a shared drive. For a health service provider holding medical records, "reasonable steps" is much more: encryption, access controls, logging and monitoring, staff training, and a tested breach response plan. Failure to take reasonable steps is one of the things that can turn a breach into regulatory action, independently of whether the breach itself was notifiable. (In exam terms: the standard is proportional to sensitivity and scale.)
What counts as "personal information"?
The Act defines it broadly: any information or opinion about an identified or reasonably identifiable individual, whether or not it is true and whether or not it is recorded in material form. Names, emails and phone numbers are the obvious cases, but device identifiers, IP addresses in some contexts, and combinations of otherwise innocuous fields also qualify when together they identify someone. The classic re-identification result is that postcode, date of birth and gender alone single out a large majority of individuals in a population, which is why "we removed the names" is not the same as "it is no longer personal information".
Sensitive information is a subset with stricter rules: health and genetic information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or practices, criminal record, and biometric information. Collecting it generally requires the individual's consent, and it must be reasonably necessary for the entity's functions.
17.3 The Notifiable Data Breaches (NDB) Scheme
The NDB scheme sits inside the Privacy Act (Part IIIC), added by 2017 amendments and in force since February 2018. It's the most frequently cited part of the Act in security incidents and is worth understanding in detail.
When does the NDB scheme apply?
It applies when an eligible data breach occurs at an entity covered by the Privacy Act. An eligible breach has three features:
Unauthorised access, unauthorised disclosure, or loss of personal information
Likely to result in serious harm to one or more affected individuals
The entity hasn't been able to prevent that harm through remedial action
"Serious harm" is interpreted broadly โ not just financial. Reputational damage, emotional distress, identity theft, physical threat, discrimination all count. The OAIC publishes guidance on how to assess.
What must be done?
1. Suspect a breach (immediately): start the assessment. The Act requires you to take all reasonable steps to complete it within 30 days of becoming aware of the suspected breach, and the assessment decides whether the breach is "eligible".
2. Contain where possible (immediately): revoke the access, pull the exposed file, reset the credentials. Effective remedial action that removes the likely risk of serious harm can stop the breach being "eligible" at all.
3. Notify the OAIC (as soon as practicable once you believe the breach is eligible): submit a statement with the entity's identity and contact details, a description of the breach, the kinds of information involved, and the steps you recommend individuals take.
4. Notify affected individuals (as soon as practicable): give them the same statement in plain language: what happened, what data, what to do. If individuals cannot be contacted directly, the statement must be published on the entity's website and publicised.
Penalties for non-compliance were increased significantly after the 2022 breaches. Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum civil penalty for a serious or repeated interference with privacy by a body corporate is the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant period: a substantial deterrent.
Optus (Sept 2022) and Medibank (Oct 2022): Both breaches triggered extensive NDB processes. Optus exposed approximately 9.8 million customer records; Medibank, approximately 9.7 million. Both notified the OAIC and affected individuals, leading to class actions and regulatory investigations. The scale of these breaches directly drove the 2022 increase to Privacy Act penalties; this is the law catching up with the damage. (Cross-reference: Ch 10 covers the attacks themselves; Ch 15 covers the IR process.)
EXAM-QUALITY PHRASING: "Under the Notifiable Data Breaches scheme (Privacy Act 1988), organisations experiencing an eligible data breach, one likely to result in serious harm, must notify the OAIC and affected individuals as soon as practicable. Recent amendments have significantly increased penalties for serious or repeated breaches. Legal obligations therefore run in parallel with the technical incident response." Three sentences, three correctly named entities, and a direct tie from law to practice.
17.4 The Cybercrime Act 2001
The Cybercrime Act 2001 (Cth) criminalises attacks on computer systems. It did so by inserting Part 10.7 (Computer offences) into the Criminal Code (the Schedule to the Criminal Code Act 1995), so the offences you cite today live in the Criminal Code even though they are commonly called "Cybercrime Act offences". They fall into three categories:
Unauthorised access. Examples: logging into someone else's account without permission; bypassing a login to view data. Penalty: access to restricted data (data protected by an access control) carries up to 2 years (s 478.1); access with intent to commit a serious offence carries the penalty of that serious offence (s 477.1).
Unauthorised modification. Examples: altering records in a database, defacing a website, planting code that changes or deletes data. Penalty: up to 10 years where the modification causes or is intended to cause impairment of data (s 477.2).
Unauthorised impairment. Examples: DDoS, ransomware, system sabotage, disrupting electronic communication. Penalty: up to 10 years (s 477.3).
The key word is unauthorised. If you have the owner's explicit permission, you're not committing these offences, which is why penetration testing is legal as long as you have written authorisation that defines the scope. Two practitioner caveats: the authorisation has to come from someone who actually controls the systems in scope (a client cannot authorise you to test a SaaS provider's infrastructure), and the scope has to be respected, because an asset outside it is, legally, a stranger's computer.
TRAP: "I was just curious" / "I didn't actually cause harm" is not a defence. The offence is the unauthorised access itself, regardless of what you did afterward. Students who test a friend's password, log into a school gradebook "to see if it works", or poke at public websites risk committing these offences even if no damage results. Curiosity is not consent.
Related laws worth naming
Telecommunications (Interception and Access) Act 1979: governs lawful interception of communications and access to stored communications. Makes unauthorised interception of communications passing over a telecommunications system a crime (relevant to MITM and packet-capture discussions).
Security of Critical Infrastructure Act 2018: imposes cyber security obligations on responsible entities for critical infrastructure (energy, water, health, communications, etc.). Since the 2022 amendments it includes mandatory reporting of cyber incidents to the ASD/ACSC, within 12 hours for incidents with a significant impact and within 72 hours for other relevant incidents.
My Health Records Act 2012: governs the national health records system. Strict rules on access and notification; penalties for unauthorised access extend to imprisonment.
Copyright Act 1968: relevant when discussing anti-piracy measures, software licensing, and some cybersecurity research areas.
Surveillance Devices Act 2004 (Cth) and state equivalents: govern the use of listening, optical, tracking and data surveillance devices, often relevant in workplace monitoring discussions.
17.5 The OAIC: The Regulator
The Office of the Australian Information Commissioner (OAIC) is the regulator enforcing the Privacy Act. It's not a police force; it investigates complaints, receives NDB notifications, issues guidance, and can take regulatory action (determinations, enforceable undertakings, and civil penalty proceedings in the Federal Court) against organisations that breach the Act.
The OAIC's roles:
Receive NDB notifications and publish statistical reports
Handle privacy complaints from individuals
Investigate serious or systemic privacy breaches
Issue guidance on reasonable security practices
Enforce penalties for non-compliance
Knowing the OAIC exists and what it does is the difference between a generic answer and a specifically-Australian answer. When an exam asks "what happens after a major data breach at an Australian company?", you should be able to say "the organisation must notify the OAIC under the NDB scheme."
17.6 The ACSC and the Essential Eight
The Australian Cyber Security Centre (ACSC) is part of the Australian Signals Directorate (ASD) and is the government's main cyber defence body. It publishes guidance, runs cyber.gov.au, operates ReportCyber for incident reporting, and issues advisories about current threats.
Its most practical output for this course is the Essential Eight โ a baseline set of mitigation strategies. It's what government agencies are expected to implement and what the ACSC recommends for private organisations too.
1. Application control: only approved executables, scripts, installers and similar files can run, which blocks a large class of commodity malware before it executes.
2. Patch applications: fix vulnerabilities in applications (browsers, Office, PDF readers, etc.) quickly, prioritising those the vendor or ACSC flags as exploited.
3. Configure Microsoft Office macro settings: block macros from files downloaded from the internet, a major malware delivery vector.
4. User application hardening: disable risky features in browsers and Office (Java, Flash, ads, child processes spawned from Office).
5. Restrict administrative privileges: least privilege for admins, with separate privileged accounts; a big reduction in breach impact.
6. Patch operating systems: keep Windows/macOS/Linux up to date and retire unsupported versions.
7. Multi-factor authentication: MFA especially for remote access, privileged accounts and internet-facing services.
8. Regular backups: tested, with at least one copy offline or immutable, so you can recover from ransomware without paying.
Each strategy has maturity levels (0 to 3) describing how thoroughly it's implemented, and the model is meant to be adopted as a package: reaching a maturity level means meeting it across all eight, not excelling at one. Non-corporate Commonwealth entities are expected to reach Maturity Level 2 as a baseline, with higher levels for more sensitive environments.
WHY THE ESSENTIAL EIGHT IS EXAM-FRIENDLY: It's concrete, it's Australian, and it maps directly onto the controls you've learned elsewhere in this course. Almost every design question in Chapter 16 ended up naming things from this list: MFA, patching, backups, least privilege. You can cite "ACSC's Essential Eight" when justifying controls; it grounds your answer in Australian practice. (Cross-reference: Ch 16 design scenarios repeatedly invoke E8 controls.)
17.7 Ethics: Beyond the Law
Legal and ethical are not the same. Lots of things are legal but ethically questionable. Lots of things are ethical but against some laws. Good security professionals think about both.
The ethical duties of a security professional
Authorisation: only test or access systems you have explicit written permission to test.
Proportionality: don't cause more disruption than necessary for the defensive purpose.
Confidentiality: don't disclose client data learned during security work, even informally.
Responsible disclosure: when you find a vulnerability, tell the vendor first and give them time to fix it before going public.
Honesty: don't exaggerate threats to sell services; don't hide findings to avoid embarrassment.
Competence: don't take work you're not qualified for; these are real systems and real people.
Respect for privacy: handle personal data encountered during work with care and the minimum necessary access.
Classic ethics scenarios
You discover a vulnerability in your school's website. What do you do?
Ethical path: tell IT or a trusted teacher privately. Don't exploit it. Don't publish it. Don't "test how bad it is" by actually attacking. Even if you meant well, exploitation without permission is a Cybercrime Act offence.
You're a penetration tester and find the client is running an illegal operation.
Ethical path: stop testing. Consult legal advice. Obligations vary by jurisdiction but never proceed as if this isn't a problem. The contract may require disclosure; some crimes have mandatory reporting.
An employer asks you to monitor employees' personal emails.
Ethical path: raise it. In Australia, such monitoring may breach the Privacy Act, Surveillance Devices Act, or workplace relations laws depending on context. Document the request in writing; seek legal advice.
You know a popular app has a serious security flaw but the vendor ignores your report.
Ethical path: responsible disclosure protocols give the vendor time to fix (typically 90 days) before public disclosure. If they ignore you, escalate through a coordinator (a national CERT such as the ACSC, or a vendor's bug bounty platform) before considering public disclosure, and when you do disclose, publish enough for users to protect themselves rather than a working exploit. Going public is a last resort, not a first one.
TRAP, the "I'm helping them" defence: Hackers sometimes claim they broke in "to show the company their flaw." Courts and ethics bodies consistently reject this; authorisation has to come before the action, not as a post-hoc justification. This is true even if no damage resulted and the intention was genuinely helpful.
17.8 Applying Law and Ethics to Exam Scenarios
Template for "what must the organisation do?" questions
Identify relevant Australian law (usually Privacy Act 1988 + NDB; sometimes Cybercrime Act)
Name the regulator (OAIC for privacy matters)
State the practical obligations: assess, contain, notify, cooperate
Mention timing (assessment completed within 30 days; notification as soon as practicable once the breach is judged eligible)
Reference best practice frameworks where relevant (ACSC Essential Eight)
Template for "is this ethical / legal?" questions
Split the two: legal and ethical may not align
Identify the core issue (authorisation, privacy, proportionality, disclosure)
Give the reasoning on each side
State a conclusion, acknowledging grey areas
Suggest the ethical path forward
EXAM-QUALITY PHRASING, a fully-formed answer to "An Australian retailer has been breached. What are their legal obligations?":
"Under the Privacy Act 1988 and the Notifiable Data Breaches scheme, the retailer must assess, within 30 days, whether the breach is 'eligible', that is, likely to result in serious harm to individuals. If so, they must notify the OAIC and affected individuals as soon as practicable, stating what happened, what data was involved and what steps individuals should take. Separately, APP 11 required them to have taken reasonable steps to secure that data before the breach, and requires them to prevent recurrence; a shortfall there is a breach of the Act in its own right. If the attack itself was a cybercrime, they should report it to the ACSC via ReportCyber and cooperate with any police investigation of the Criminal Code computer offences introduced by the Cybercrime Act 2001. Recent Privacy Act amendments mean failure to comply carries significantly increased penalties."
Notice how many correctly-named Australian entities and frameworks are referenced. That's a high-scoring answer structure.
17.9 Quiz Time
A small Sydney design studio (12 staff, $2M annual turnover) suffers a ransomware attack encrypting client files but not exfiltrating data. Do they need to notify under the NDB scheme?
Two threshold questions.
1. Does the Privacy Act apply to them? Small businesses with annual turnover under $3M are generally exempt unless they are health service providers, trade in personal information, are contracted service providers under a Commonwealth contract, or fall under another exception. A design studio with $2M turnover is probably not covered, so the NDB scheme may not apply.
2. If it did apply, is this an eligible breach? Ransomware means an attacker had a foothold on the systems holding the files, so unauthorised access to personal information has to be presumed unless the investigation shows otherwise. "Not exfiltrating data" is a conclusion you must be able to support from logs or forensic evidence, not an assumption because nothing was noticed; the OAIC expects entities to assess on evidence. If the evidence supports it and the files were restored from backups, serious harm to individuals may be unlikely and no notification is required. Legal advice should still confirm this.
Practical reality: even if not legally required, notifying clients voluntarily is often the right ethical and business choice; trust matters. The incident should also be reported to the ACSC via ReportCyber regardless. (In exam terms: the legal bar and the ethical bar can differ, and small businesses often sit below the formal legal threshold but not below ethical obligations.)
A student figures out they can view other students' grades by changing the URL in the school's gradebook portal. They tell their friend "to prove it works." Legal position?
This is a likely offence under the computer offences introduced by the Cybercrime Act 2001, specifically unauthorised access to restricted data (Criminal Code s 478.1). The student had no authorisation to view other students' records, and manipulating a URL to reach data that an access control was meant to restrict is well-established as unauthorised access. Because the Commonwealth offences rely on a connection such as a carriage service or a Commonwealth computer, the equivalent state and territory computer offences also apply and are often the ones actually charged. The "I was just curious" or "I didn't harm anything" defences don't apply; the offence is the access itself, and demonstrating it to a friend is a second, deliberate access.
Ethically, the correct path was to report the flaw privately to IT or school administration, not to exploit it or demonstrate it to others. If minors' data is involved, the school may also have Privacy Act obligations (depending on entity type). The student's behaviour may also breach the school's acceptable-use policy. (In exam terms: good intent does not substitute for authorisation. The line between "finding a flaw" and "exploiting a flaw" is exactly the line the law draws.)
Name three specific Australian frameworks or bodies a security professional should know, and say what each does.
Privacy Act 1988 and the Australian Privacy Principles (APPs): governs how personal information must be handled; APP 11 requires reasonable security steps. Enforced by the OAIC.
Notifiable Data Breaches (NDB) scheme: part of the Privacy Act; requires notification of eligible data breaches to the OAIC and affected individuals.
ACSC Essential Eight: published by the Australian Cyber Security Centre (part of the ASD); baseline mitigation strategies including MFA, patching, application control, and backups. The de facto standard for Australian organisations.
Bonus: the Cybercrime Act 2001 criminalises unauthorised access, modification and impairment; the OAIC is the regulator for privacy; the ACSC runs cyber.gov.au and ReportCyber. Naming specifics is what lifts the answer from generic to Australian-grade.
Explain, using APP 11, why inadequate security is a legal problem and not just a technical one.
APP 11 requires entities covered by the Privacy Act to take reasonable steps to protect the personal information they hold. "Reasonable" scales with sensitivity and size: health data held by a large organisation demands more than a customer email list at a small cafe. If a breach occurs and the organisation hadn't taken reasonable steps (for example, no MFA on admin accounts, no patching, no monitoring), the OAIC may find they breached APP 11 independently of any other law, and independently of whether the breach was notifiable. This can lead to enforceable undertakings, regulatory action, and civil penalties. So inadequate security doesn't just cause breaches; it turns breaches into legal liability. (In exam terms: APP 11 bridges technical adequacy and legal adequacy. The standard of "reasonable" is proportional to context.)