
With the first tranche of Australia’s Privacy Act reforms now in force, protecting personal data is no longer optional: it is a legal, ethical, and operational requirement.
If your team can’t show who accessed what, when, or why, you’re exposed. And it’s not just about stopping cyberattacks. Compliance today hinges on what your internal teams do, and on whether you can demonstrate that you have taken “reasonable steps” to protect the data in your care.
Below, we’ll break down what’s changed, why team behaviour matters more than ever, and how to build internal systems that support accountability and compliance.
What’s Changed Under the Privacy Act (2025 Update)
The 2025 Privacy Act reforms introduce a sharper regulatory edge, increasing the burden on businesses to proactively protect personal data. The first tranche, the Privacy and Other Legislation Amendment Act 2024, received assent in December 2024. Its key changes include:
- A new statutory tort for serious invasions of privacy (in force since June 2025), allowing individuals to sue for damages.
- Stronger enforcement powers, with the Office of the Australian Information Commissioner (OAIC) able to issue infringement notices for specified breaches and to seek civil penalties under new lower and mid-tier provisions, so that contraventions no longer have to be “serious” before a penalty is available.
- Clarification in Australian Privacy Principle 11 that the “reasonable steps” an entity must take to protect personal information include both technical and organisational measures.
- Transparency obligations for automated decision-making that uses personal information (subject to a transition period).
Several widely discussed changes, including a broader definition of personal information that would capture technical data such as IP addresses and behavioural metadata, stricter consent and notice requirements, and mandatory privacy impact assessments for high-risk activities, were agreed by government in principle but are reserved for a later tranche and are not yet law. Plan for them, but don’t assume they already apply.
Why Internal Team Practices Now Matter More Than Ever
A large share of data breaches don’t start with a sophisticated external attack. The OAIC’s Notifiable Data Breaches statistics consistently attribute roughly a third of notified breaches to human error, and many of the remainder succeed through compromised or over-privileged credentials rather than novel exploits. Regulators know this and are now focusing on what organisations are doing to prevent these common, internal failures: mistakes, misuse, and unclear access controls.
To meet your duty of care, you need more than just a strong firewall. You need to demonstrate due diligence inside your organisation. That means you need to know:
- Who has access to personal data?
- What training have they received?
- Are their actions being logged and reviewed?
- Can you prove that access is limited, appropriate, and monitored?
Understanding Duty of Care in a Digital Context
Under Australian law, organisations covered by the Privacy Act have a duty of care: a responsibility to take “reasonable steps” to prevent foreseeable harm. In the context of data security (Australian Privacy Principle 11), this means protecting individuals’ personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Failure to meet this obligation can lead to:
- Regulatory action or fines
- Reputational damage
- Loss of client trust
- Legal liability from affected individuals
What Reasonable Steps Actually Look Like
So, what counts as “reasonable” in the eyes of regulators? While it will depend on your size and sector, there are clear expectations:
- Access controls that restrict who can see or edit personal data, granted on a least-privilege basis and reviewed regularly. A role-based model is fine, but defining roles on paper is not enough: they must be enforced by the systems that hold the data, kept current as people change jobs or leave, and backed by logs that show the roles are actually being honoured.
- Documented data handling procedures that are reviewed regularly
- Ongoing staff training so everyone understands their responsibilities
- System logging and audit trails to show who did what, and when
- Privacy impact assessments for new systems or workflows
- Clear incident response plans in case something goes wrong
In short: you need evidence, not just intent.
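As an added example (not code from the original article or from Combase), the following Python script shows what a periodic access review that produces this kind of evidence can look like. It reconciles an entitlement register (who holds which role) and a role permission map against a JSON-lines application audit log, and flags access outside a user’s role, activity by users with no recorded entitlement, privileged actions such as exports logged without a reason, and entitlements that were not exercised in the review window. The log format, field names, roles and all sample data are constructed assumptions for illustration; the same reconciliation applies to whatever your IAM system and application logs actually emit.

```python
"""Access review over an application audit log.

Reconciles an entitlement register (who holds which role) and a role permission
map against JSON-lines audit events, and reports:
  - access to a resource type the user's role does not permit
  - activity by a user with no recorded entitlement
  - privileged actions (export/delete) logged without a recorded reason
  - entitlements never exercised in the review window (stale, candidates for removal)
All data below is constructed for illustration; field names and roles are assumptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed role -> resource types the role may access.
ROLE_PERMISSIONS = {
    "support": {"customer_profile"},
    "finance": {"customer_profile", "payment_record"},
    "analyst": set(),  # analysts work only on de-identified data sets
}

# Assumed entitlement register, as exported from an IAM system or HR feed.
ENTITLEMENTS = {
    "alice": {"role": "support", "granted": "2025-01-15"},
    "bob":   {"role": "finance", "granted": "2024-11-02"},
    "carol": {"role": "analyst", "granted": "2025-03-01"},
    "dave":  {"role": "support", "granted": "2024-06-20"},
}

# Actions that must carry a recorded reason to pass review.
JUSTIFICATION_REQUIRED = {"export", "delete"}

# Constructed JSON-lines audit log (one event per line).
AUDIT_LOG = """\
{"ts": "2025-07-01T09:12:03Z", "user": "alice", "action": "read", "resource_type": "customer_profile", "resource_id": "C-1041"}
{"ts": "2025-07-01T09:15:44Z", "user": "bob", "action": "read", "resource_type": "payment_record", "resource_id": "P-88"}
{"ts": "2025-07-02T14:02:10Z", "user": "carol", "action": "read", "resource_type": "customer_profile", "resource_id": "C-1041"}
{"ts": "2025-07-03T11:47:29Z", "user": "alice", "action": "export", "resource_type": "customer_profile", "resource_id": "C-2210"}
{"ts": "2025-07-03T11:48:00Z", "user": "erin", "action": "read", "resource_type": "customer_profile", "resource_id": "C-2210"}
"""

WINDOW_START = datetime(2025, 7, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 10, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines audit events, converting the timestamp to a UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def _finding(ev, why):
    """Compact, serialisable record of one reviewable event."""
    return {"user": ev["user"], "action": ev["action"], "resource_type": ev["resource_type"],
            "resource_id": ev["resource_id"], "ts": ev["ts"].isoformat(), "why": why}


def review(events, entitlements, role_permissions, window_start, window_end):
    """Return (findings, summary) for events inside [window_start, window_end)."""
    findings = {"unauthorised": [], "unknown_user": [], "unjustified": [], "stale": []}
    summary = defaultdict(Counter)   # user -> Counter of (action, resource_type)
    active_users = set()

    for ev in events:
        if not (window_start <= ev["ts"] < window_end):
            continue
        user = ev["user"]
        summary[user][(ev["action"], ev["resource_type"])] += 1

        ent = entitlements.get(user)
        if ent is None:
            # Activity with no entitlement on record: orphaned or shared account.
            findings["unknown_user"].append(_finding(ev, "no entitlement on record"))
            continue
        active_users.add(user)

        allowed = role_permissions.get(ent["role"], set())
        if ev["resource_type"] not in allowed:
            findings["unauthorised"].append(
                _finding(ev, f"role '{ent['role']}' does not permit {ev['resource_type']}"))
        if ev["action"] in JUSTIFICATION_REQUIRED and not ev.get("reason"):
            findings["unjustified"].append(_finding(ev, "privileged action without recorded reason"))

    # Entitlements never exercised in the window are candidates for removal.
    for user in entitlements:
        if user not in active_users:
            findings["stale"].append(user)

    return findings, dict(summary)


if __name__ == "__main__":
    findings, summary = review(parse_log(AUDIT_LOG), ENTITLEMENTS, ROLE_PERMISSIONS,
                               WINDOW_START, WINDOW_END)
    print(json.dumps(findings, indent=2))
    for user, counts in summary.items():
        print(user, dict(counts))
```

On the sample data the review reports carol’s read of a customer profile (her analyst role does not permit it), erin’s activity with no entitlement on record, alice’s export with no reason logged, and dave’s unused support role. Run on a quarterly cadence and kept with its inputs, that output is exactly the kind of record that answers “who had access, was it appropriate, and was it reviewed”.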
How to Build Internal Accountability
Internal accountability means having the right people, processes, and records in place. That might include:
- Appointing data custodians or privacy officers
- Defining roles and responsibilities so that access can be granted on a least-privilege basis
- Maintaining records of decisions, policies, and risk reviews
- Establishing clear reporting lines and escalation procedures
- Making sure staff understand what’s expected and what’s at stake
Importantly, the goal isn’t perfection, it’s to show you’ve made good-faith efforts to reduce risk and respond to issues effectively.
Where Combase Can Help
At Combase, we specialise in helping organisations implement secure, transparent, and audit-ready data management. Whether you’re starting from scratch or refining what’s already in place, our experience enables us to provide:
- Advisory support to assess your current systems
- Practical, tailored guidance that fits your team and sector
- Tools and strategies to improve visibility and reduce risk
- Real-world expertise to navigate compliance with confidence
So, whether you’re preparing for an audit or just want peace of mind as you align with today’s expectations, we’re here to help. Let’s assess where your team stands and work together to identify the next steps that will ensure you’re compliant, confident, and secure.
Reach out via email here to start the conversation. Your future self will thank you for it.