The game has changed. On June 1, 2025, the Privacy Act reforms took effect — and if you're an Australian business storing customer data in Microsoft 365, you need to understand what this means for you.
What Changed?
The most significant change: the $3M annual turnover exemption was removed.
Previously, small businesses with annual turnover under $3M were exempt from most Privacy Act obligations. That exemption is gone. Now, if you handle personal information in the course of business, you're covered regardless of your size or revenue. In practice that means you're in scope if:
- You store customer emails, phone numbers, or addresses in M365
- You're a professional services firm (legal, accounting, medical, financial planning)
- You're in real estate, recruitment, education, or any other client-facing business
- Basically: if you have client data in Microsoft 365, you're now covered
What Are Your New Obligations?
1. Mandatory Breach Notification
If you experience a data breach involving personal information, you must:
- Assess any suspected breach promptly: the OAIC expects the assessment to be completed within 30 days of your becoming aware of it
- Notify the OAIC (Office of the Australian Information Commissioner) as soon as practicable once you conclude it is an eligible data breach, that is, one likely to result in serious harm to the people affected
- Notify affected individuals whose personal information was compromised
- Provide a statement describing the breach, the kinds of personal information involved, and the steps those individuals should take in response
Here's the problem: most SMBs we assess can't do any of this.
Why? Because they don't have:
- Audit logging enabled (no way to detect unauthorized access)
- Data mapping (don't know where personal info actually lives)
- Access controls configured properly (can't limit who sees what)
- Backup and recovery (can't restore what was deleted or encrypted, or compare against a known-good copy to show what changed)
2. "Reasonable Steps" to Protect Data
You must take "reasonable steps" to protect personal information from misuse, interference, loss, unauthorized access, modification, or disclosure.
What counts as "reasonable"? The OAIC looks at:
- The sensitivity of the data (client files vs newsletter signups)
- The harm that could result from a breach
- Your business size and resources
- The cost of implementing security measures
3. Privacy Policy Requirements
You need a clear, up-to-date privacy policy that explains:
- What personal information you collect
- Why you collect it and how you use it
- Who you share it with (if anyone)
- How people can access or correct their information
- How you handle complaints
Having a generic privacy policy template from 2018 doesn't cut it anymore. It needs to accurately reflect your actual M365 data handling practices.
What Happens If You Don't Comply?
The penalties got steeper:
- Serious or repeated interferences with privacy: civil penalties of up to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the period; a new mid-tier penalty (capped at $3.3 million for companies) and infringement notices cover less serious breaches
- Failure to notify: not notifying an eligible data breach is itself an interference with privacy and attracts its own penalty on top of any penalty for the breach
- Civil claims: a statutory tort for serious invasions of privacy now lets individuals sue you directly
- Reputational damage: the OAIC publishes notifiable data breach statistics and its enforcement outcomes, and affected clients hear about the breach from you
What You Need to Do Now
Step 1: Know Where Your Data Lives
Map where personal information is stored in your M365 environment:
- Exchange Online (emails with client correspondence)
- SharePoint/OneDrive (client files, contracts, forms)
- Teams (chat history, shared files)
- Forms (lead gen forms, intake forms)
Step 2: Implement Basic Security Controls
The minimum you need:
- Multi-factor authentication (MFA) on all accounts, especially admins
- Audit logging enabled so you can detect unauthorized access
- External sharing configured properly (not "Anyone with the link")
- Regular access reviews to remove ex-employees and unused accounts
- Backup solution for M365 data (native retention policies only stop deletion within the retention window; they are not a restore capability)
Step 3: Document Your Controls
If the OAIC investigates a breach, they'll ask: "What steps did you take to protect this data?"
You need documentation showing:
- When MFA was enabled and for which accounts
- Your sharing and access policies
- When you last reviewed user access
- Your backup and recovery procedures
- Staff training on data handling
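The following PowerShell script is an added example that pulls together Steps 1 to 3 above; it is not CyberChex's assessment tooling and not part of the original post. It reads the settings an OAIC investigator will ask about (MFA coverage, admin exposure, stale accounts, audit log ingestion, recent external sharing events, tenant sharing posture), runs a content search for Australian identifiers to show where personal information actually lives, and writes everything to a timestamped JSON file you can keep as evidence. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account you sign in with can read these settings, that your tenant name is "contoso" (replace it), and that 90 days without a sign-in is your threshold for a stale account. Sign-in activity data requires a Microsoft Entra ID P1 or P2 licence; the Graph scopes listed are the ones documented for these calls but check them against your tenant.

```powershell
# Added example, not CyberChex's own script: read-only Microsoft 365 breach-readiness
# evidence collection for Steps 1-3. The only object it creates is a content search.
# Assumptions: tenant name "contoso", 90-day stale-account threshold, search name below.

$TenantName   = "contoso"                       # assumption: replace with your tenant name
$EvidencePath = ".\m365-privacy-evidence-$(Get-Date -Format yyyyMMdd-HHmm).json"
$Evidence     = [ordered]@{ CollectedAt = (Get-Date).ToString("o"); Tenant = $TenantName }

# --- Identity: MFA coverage and admin exposure (Step 2), timestamped for Step 3 ---
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$Evidence.MfaNotRegistered = @($reg | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin)
$Evidence.AdminsWithoutMfa = @($reg | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }).UserPrincipalName

# Leaver and unused accounts still enabled: no sign-in for 90 days (assumed threshold).
# SignInActivity must be requested explicitly and needs an Entra ID P1/P2 licence.
$cutoff = (Get-Date).AddDays(-90)
$users  = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,SignInActivity
$Evidence.StaleEnabledAccounts = @($users | Where-Object {
        $_.AccountEnabled -and
        ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
    } | Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } })

# --- Audit logging: is the unified audit log ingesting, and what has been shared out? ---
Connect-ExchangeOnline -ShowBanner:$false
$Evidence.UnifiedAuditLogEnabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# Anonymous links and external invitations in the last 30 days are the first thing
# a breach assessment has to account for; if this query errors, logging was never on.
$Evidence.RecentExternalSharingEvents = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -Operations "AnonymousLinkCreated","SharingInvitationCreated" -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations)

# --- Data sharing posture across SharePoint and OneDrive ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
$Evidence.SharePointSharing = [ordered]@{
    SharingCapability       = [string]$spo.SharingCapability   # "ExternalUserAndGuestSharing" = "Anyone" links allowed
    DefaultSharingLinkType  = [string]$spo.DefaultSharingLinkType
    AnonymousLinkExpiryDays = $spo.RequireAnonymousLinksExpireInDays
}
# Hardened setting (not applied by this script; run it deliberately after review):
#   Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct

# --- Step 1: where do Australian identifiers actually live? ---
# Uses built-in sensitive information types across Exchange, SharePoint and OneDrive.
Connect-IPPSSession
$query = 'SensitiveType:"Australia Tax File Number" OR SensitiveType:"Australia Passport Number" OR SensitiveType:"Australia Driver''s License Number"'
$searchName = "PrivacyAct-AU-identifiers-$(Get-Date -Format yyyyMMdd)"   # assumption: any unique name works
New-ComplianceSearch -Name $searchName -ExchangeLocation All -SharePointLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName
do { Start-Sleep -Seconds 15; $cs = Get-ComplianceSearch -Identity $searchName } while ($cs.Status -ne "Completed")
$Evidence.AuIdentifierHits = [ordered]@{ Items = $cs.Items; SizeBytes = $cs.Size }

$Evidence | ConvertTo-Json -Depth 5 | Set-Content -Path $EvidencePath
Write-Host "Evidence written to $EvidencePath"
```

Run it from an admin workstation, keep the JSON output with your other compliance records, and re-run it after each access review so the files form a dated trail of when MFA was enforced, when stale accounts were removed, and when sharing was tightened. The content search only reports counts and size; use the Microsoft Purview portal to review the actual locations before deciding where retention or access restrictions need to change.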
Step 4: Update Your Privacy Policy
Make sure your privacy policy reflects your actual M365 environment:
- Where data is stored (Australia? US? EU?)
- Who has access (staff, contractors, third parties)
- How long you retain it
- How people can request access or deletion
How CyberChex Can Help
Privacy Act compliance is a whole-of-business obligation, but a large share of breach risk lives in your Microsoft 365 environment — weak MFA, over-shared data, and gaps in breach detection and logging. Our M365 security assessment gives you an evidence-based picture of those controls so you can strengthen the technical side of breach readiness.
- Up to 30 security checks across identity, data sharing, email and audit logging (depth depends on your Microsoft 365 licence)
- Breach-readiness signals: MFA coverage, admin exposure, external sharing and logging gaps
- Professional report with prioritised, plain-English recommendations
- CyberChex Score + Microsoft Secure Score so you can track improvement over time
Understand Your M365 Breach Exposure
Get a clear picture of your Microsoft 365 security posture and where to act first.
Book M365 Assessment - From $499 + GST
The Bottom Line
The Privacy Act 2025 reforms aren't optional. If you handle personal information in M365, you now have clear legal obligations — and penalties for non-compliance.
The good news? Most of what you need is already built into M365. You just need to configure it properly and document it.
Start now. Don't wait for a breach notification to discover your gaps.