To stay compliant with the Australian Privacy Act, it's important to keep a record of all assets and suppliers that handle personal information. But which ones should you track? This article will guide you through the types of assets and suppliers your organisation should record to ensure privacy compliance and protect personal data.
Please keep in mind that this article is general in nature only. Professional advice should be sought on specific matters, from lawyers engaged under a Costs Agreement and whose advice is covered by Legal Professional Privilege (LPP).
1. Software & Applications
Any software or application used to process, store, or manage personal data should be recorded. This includes:
Customer Relationship Management (CRM) tools
Email marketing platforms
Accounting and payroll software
Data analytics tools
Cloud-based applications
Why record it?
These systems often hold sensitive customer, employee, or financial data, and it's crucial to monitor how this information is handled and secured.
2. Hardware & Infrastructure
Record any physical devices or infrastructure that process or store personal information. Examples include:
Servers (on-premise or cloud-based)
Laptops, desktops, and mobile devices
Backup storage systems
Network equipment (routers, firewalls)
Why record it?
Hardware and infrastructure can be vulnerable to breaches or misuse. By tracking these assets, you ensure they are regularly updated, secured, and compliant with the Privacy Act.
3. Cloud Services & Data Storage Providers
Any cloud service provider or data storage facility that stores personal information on your behalf must be recorded. Examples include:
Cloud hosting providers (e.g., AWS, Azure, Google Cloud)
Third-party data centres
File storage solutions (e.g., Dropbox, Google Drive)
Why record it?
Data stored in the cloud or by third-party providers remains your responsibility. Recording these suppliers helps ensure you’re aware of where data is stored, whether that storage complies with local data protection laws, and whether the data is adequately secured.
4. Third-Party Suppliers & Service Providers
Any external company or vendor that processes or accesses personal information on your behalf should be recorded. These can include:
Payroll service providers
Outsourced IT support
Marketing agencies
HR software providers
Call centres and customer service providers
Why record it?
The Privacy Act holds your organisation accountable for how third-party suppliers handle personal data. By recording these relationships, you can ensure contracts include proper data protection clauses and monitor their compliance with privacy requirements.
5. Subprocessors
Subprocessors are vendors that your suppliers may use to further process personal data. Even though they are contracted by your supplier, you should still be aware of their involvement. Examples include:
Third-party hosting services used by your supplier
Payment gateways your suppliers rely on
Why record it?
Subprocessors indirectly handle your data, and it’s important to ensure they comply with the same privacy and security standards as your direct suppliers.
6. Data Processors & Analytics Platforms
Any platform or provider that processes or analyses personal information must be recorded, such as:
Data processing companies
Analytics and business intelligence platforms (e.g., Google Analytics)
AI or machine learning platforms that analyse personal data
Why record it?
Processing personal data can expose your organisation to privacy and security risks. Recording these assets helps you understand the privacy implications and ensure the data is used responsibly.
7. Security Tools & Systems
Record any tools or systems that are used to secure personal information or detect security incidents. These might include:
Antivirus and malware protection software
Data encryption tools
Intrusion detection systems
Security monitoring platforms
Why record it?
Security tools are vital for protecting personal data, and tracking them ensures they are effective and up to date, helping you comply with the Privacy Act's requirements for securing information.
8. Internal Systems & Databases
Keep a record of any internal databases or systems where personal information is stored, including:
Internal HR systems
Customer databases
Inventory management systems
Why record it?
Internal systems often hold large amounts of sensitive information. Recording them allows you to regularly assess their security and compliance.
To comply with the Australian Privacy Act, you should record any asset or supplier that processes, stores, or accesses personal information. By tracking software, hardware, cloud services, third-party providers, and security tools, you ensure your organisation remains accountable for how data is handled and safeguarded. This not only helps with legal compliance but also strengthens your overall data protection strategy.