Why Every Australian Industry Needs Data on Australian Soil

Healthcare providers handle some of the most sensitive personal information in Australia. Under the My Health Records Act 2012, all data within the My Health Records system — including backups — must never be processed, held, taken, or handled outside of Australia (Section 77). This is one of the strictest data residency mandates in Australian law, with zero exceptions for identifiable data.

Beyond My Health Records, general practice, dental, and allied health data falls under the Privacy Act 1988 and specifically the handling of "health information," which is classified as sensitive information under APP 3. Health service providers have always been covered by the Privacy Act regardless of turnover — the small business exemption has never applied to health services.

The Australian Dental Association (ADA) mandates that dental records be securely stored and protected from unauthorised access. Computer systems must be password-protected, screen visibility limited to staff, and security software kept current. Under APP 8, cross-border disclosure of health information requires the disclosing entity to take reasonable steps to ensure the overseas recipient complies with the APPs — a much harder bar to clear than simply hosting in-country.

Childcare centres handle children's personal information, family details, medical histories, photos, and CCTV footage — data that demands the highest protection standards. The National Quality Framework (NQF) was updated from 1 January 2026 with enhanced child safety requirements in Quality Areas 2 and 7.

Changes to Regulation 168 now require services to have explicit policies for the taking, use, storage, and destruction of images and videos of children, obtaining parental authorisation, and governing use of optical surveillance devices like CCTV. Personal device use by staff while working directly with children is banned or restricted across all states from September 2025.

The OAIC has published an exposure draft of the Privacy (Children's Online Privacy) Code 2026, which imposes strict requirements on how children's personal information is collected and handled. The final Code must be completed by 10 December 2026. A National Early Childhood Worker Register launched nationally from 27 February 2026, centralising worker screening data.

Construction businesses — including electricians, plumbers, and builders — handle worker safety records, licence information, induction certificates, and client personal data. Australian builders must retain construction documents for 6 to 10 years covering statutory warranty periods (6 years for major defects), ATO records (5 years), Fair Work obligations (7 years), and NCC compliance evidence.

State-based long service portability schemes (e.g., NSW Long Service Corporation) require employers to keep books and records for at least six years after the last service entry, including worker names, addresses, dates of birth, and service periods. Queensland's QBCC Amendment Act 2025 introduces electronic processes for managing builders' licences, approvals, and WHS obligations from 2026.

Cloud-based document management with Australian data residency is now a tender requirement for many commercial construction projects. For firms handling worker personal information (TFNs via payroll, White Card records, medical fitness certificates), the Privacy Act applies — and once the small business exemption is removed, every sole-trader sparky and plumber will need to comply.

Australian telecommunications providers operate under some of the most prescriptive data obligations in the country. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires carriers and ISPs to retain specific telecommunications metadata for a minimum of two years. This includes subscriber information, call date/time/duration, device location data, IP addresses, and email sender/recipient details.

Retained data must be encrypted and protected from unauthorised interference or access. The Australian Privacy Principles apply to all data retained under the Act, imposing obligations on service providers to ensure quality, security, and proper handling of personal information.

The OAIC has direct oversight of telecommunications carriers' handling of data collected under the data retention scheme. Carriers and carriage service providers that use communications infrastructure in Australia are subject to these obligations, as well as the broader Telecommunications Act 1997 provisions on protecting communications.

Australian educational institutions collect extensive personal information about students, families, and staff. Private schools and RTOs are covered by the Privacy Act 1988 (government schools fall under state/territory privacy legislation). Higher education providers must comply with privacy requirements set out by the Department of Education and TEQSA (Tertiary Education Quality and Standards Agency).

In 2026, new guidelines focus on managing the full lifecycle of children's data in schools: intentional use of social media, minimising sharing of personal information, and obtaining proper consent. The Safer Technologies 4 Schools (ST4S) framework, developed by Education Services Australia, aims to unify digital privacy standards across states and territories.

Research has highlighted that most Australian universities and schools lack adequate cybersecurity protection, and student data is widely collected through learning management systems, assessment platforms, and third-party EdTech tools — often without sufficient scrutiny of where that data is processed and stored.

Law firms handle privileged client communications, case files, and highly sensitive personal information. Under the Australian Solicitors' Conduct Rules, solicitors have a fundamental obligation to maintain client confidentiality. Cloud storage of client files raises direct questions about jurisdiction — if the cloud provider is a US entity, privileged communications could theoretically be compelled under the CLOUD Act without going through Australian courts.

From 10 December 2026, mandatory automated decision-making transparency obligations take effect. Law firms using AI tools for document review, case assessment, or client triage must disclose what automated systems they deploy, what decisions those systems make, and what personal information they process.

Under APP 8, cross-border disclosure of personal information requires firms to take reasonable steps to ensure the overseas recipient complies with the APPs. For law firms, this extends to cloud storage — if your practice management system stores data on US-owned servers, you bear the compliance burden of demonstrating that the US entity will treat data in accordance with Australian privacy law.

Tax practitioners handle Tax File Numbers (TFNs), financial statements, and deeply sensitive client information. The Privacy (Tax File Number) Rule 2015 governs how TFN information is collected, used, stored, and disclosed. The Tax Practitioners Board (TPB) requires agents to keep proper client records and maintain confidentiality of client information.

From 1 July 2026, accounting firms become classified as "Tranche 2 entities" under AML/CTF reforms. This independently brings them under Privacy Act obligations, with records required to be kept for at least 7 years to evidence compliance. This affects over 100,000 businesses.

The TPB's 2026 exposure draft on AI use makes clear that tax practitioners must obtain explicit client permission before disclosing information to any third-party AI platform. Inputting client data into an external AI tool counts as disclosure — and if that AI tool runs on US-owned infrastructure, you're making a cross-border disclosure under APP 8.

Real estate agents collect identity documents, financial statements, employment details, and rental histories from tenants. From 1 July 2026, real estate agents come under the Privacy Act through AML/CTF reforms, regardless of their turnover.

The OAIC launched a compliance sweep in January 2026, conducting targeted reviews of real estate agents' privacy policies. Agencies using AI tools for tenant screening or automated application processing must disclose this by 10 December 2026 under the new ADM transparency obligations. AI-powered decisions on tenancy applications must clearly disclose what personal data is used and which decisions are made entirely by AI.

Privacy breaches now carry penalties of up to $660,000 for non-compliance and up to $66,000 for non-compliant privacy policies under the new infringement notice regime.

The Aged Care Act 2024 and the Aged Care Rules 2025 now govern data handling in the sector. The Act imposes three critical obligations: use personal information solely for providing aged care, do not disclose without written consent (except when necessary for care), and safeguard information with reasonable security measures.

Aged care providers handle health information, care plans, medication records, and financial details of vulnerable Australians. The sector achieved only 87% compliance with information management and privacy standards in 2026, indicating systemic challenges with data protection.

The Aged Care Quality and Safety Commission oversees compliance and can impose sanctions on providers who fail to meet standards. Privacy Act obligations apply fully to aged care providers — these are health service providers and have never been exempt.

Australian retail and hospitality businesses increasingly collect customer data through loyalty programs, online ordering, booking platforms, and POS systems. Currently, businesses under $3M turnover are exempt from the Privacy Act — but this exemption is expected to be removed by December 2026. An estimated 2.5 million businesses will need to comply.

Over 80% of Australian retail leaders consider loyalty strategies important over the next 12-18 months. These programs collect purchase histories, dietary preferences, contact details, and payment information. Under the APPs, businesses must publish an up-to-date privacy policy explaining what data is collected, why, how long it's kept, who it's shared with, and how customers can access or correct their data.

As third-party cookies phase out, first-party data from loyalty programs and in-store interactions becomes the primary source for personalisation. This makes Australian-hosted data storage not just a compliance issue but a competitive asset — customers increasingly value knowing their data stays local.

Financial services operate under the strictest regulatory scrutiny in Australia. APRA CPS 234 requires APRA-regulated entities to maintain information security capabilities commensurate with the threats they face. This extends to third-party service providers — including cloud and backend infrastructure. APRA expects entities to assess and manage risks associated with outsourcing to foreign jurisdictions.

FinTech companies building lending platforms, payment systems, or insurance products handle financial data, identity documents, credit histories, and transaction records. Under the Privacy Act, credit reporting information has specific protections under Part IIIA, with strict rules on access, use, and disclosure.

Enterprise clients and government agencies increasingly require 100% Australian jurisdictional control in RFPs. A US-owned backend is a disqualifying factor for many government and enterprise procurement processes in the financial sector.

The Whole-of-Government Cloud Computing Policy (issued December 2025, effective 1 July 2026) mandates cloud-first for all new federal digital and ICT initiatives. Agencies must use infrastructure hosted in certified, sovereignty-compliant facilities. The DTA Hosting Certification Framework sets the standards for government data hosting.

GovTech contractors building applications for government agencies must align with the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM). For sensitive government data, infrastructure must be assessed under the Infosec Registered Assessors Program (IRAP).

IRAP is not a certification — it's a risk-based assessment framework run by the ACSC. WattleDB's infrastructure is designed from the ground up to align with ISM controls, making the path to a successful IRAP assessment at PROTECTED level substantially shorter.