Compliance crosswalk · AU Privacy + NDB

Australian Privacy Act 1988 + NDB scheme - email + domain controls, mapped to Wiredepth

Framework version: 13 Australian Privacy Principles; NDB scheme effective February 22, 2018; 2024 Privacy Act review tranche-1 reforms in progress

Who this is for. APP (Australian Privacy Principles) entities: Australian Government agencies, all private-sector + not-for-profit organisations with an annual turnover above AUD 3 million, all health-service providers, credit reporters, employers handling tax-file numbers, and others under specific provisions. The Office of the Australian Information Commissioner (OAIC) regulates.

Where email + domain controls fit. Mostly under APP 11 - Security of personal information, which requires reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. The OAIC's 2018+ APP 11 guidance is explicit that sender-authentication (DMARC, DKIM, SPF) + transport encryption are baseline expectations for organisations communicating personal information by email.

NDB scheme. The Notifiable Data Breaches scheme (Part IIIC of the Act) requires APP entities to notify the OAIC + affected individuals when an "eligible data breach" is likely to result in serious harm. The assessment must be completed within 30 days of becoming aware of the suspected breach. Penalties for serious or repeated interferences with privacy rose dramatically in the 2022 amendments, to up to AUD 50M (or higher).

Clause-by-clause mapping

Each row maps a specific AU Privacy + NDB requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Columns: Clause (with evidence category) · Requirement · Wiredepth response

APP 1 - Open + transparent management [Reporting]
  Requirement: An APP entity must manage personal information in an open + transparent way, including by having a clearly expressed + up-to-date privacy policy.
  Wiredepth response: Public-facing per-domain security posture (scorecard PDF, /badge/<domain>) is the technical-controls evidence supporting the privacy-policy statements about how personal information is protected in transit.

APP 6 - Use or disclosure [Inventory]
  Requirement: An APP entity must only use or disclose personal information for the primary purpose for which it was collected unless an exception applies. Includes use by third-party email senders.
  Wiredepth response: Vendor consolidation audit identifies every authorised third-party email sender. Per-vendor purpose documentation is the APP 6 evidence the OAIC expects to see in an assessment.

APP 8 - Cross-border disclosure [Inventory]
  Requirement: Before disclosing personal information overseas, an APP entity must take reasonable steps to ensure the overseas recipient does not breach the APPs.
  Wiredepth response: Most authorised email-sending vendors (SendGrid, Mailgun, Postmark, Mailchimp) are US-headquartered. Vendor inventory + per-vendor jurisdiction lookup feeds the APP 8 cross-border disclosure assessment.

APP 11.1 - Security of personal information [Authentication]
  Requirement: An APP entity must take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. The OAIC has identified DMARC, DKIM, SPF, and transport encryption as baseline reasonable steps.
  Wiredepth response: DMARC + DKIM + SPF analysers + TLS + MTA-STS checks cover the baseline the OAIC expects. Per-domain scorecard + continuous monitoring is the run-rate evidence APP 11 assessments rely on.

APP 11.2 - Destruction or de-identification [Inventory]
  Requirement: An APP entity must take reasonable steps to destroy or de-identify personal information no longer needed for any purpose. Includes vendor de-authorisation when a relationship ends.
  Wiredepth response: De-authorisation guides at /docs/deauthorize cover the technical offboarding (SPF / DKIM / CNAME removal) for the most common email vendors. The audit-log entry trail provides the evidence that the de-authorisation actually happened.

NDB - Eligible data breach assessment (s.26WK) [Reporting]
  Requirement: Where an APP entity has reasonable grounds to suspect an eligible data breach has occurred, it must conduct an assessment within 30 days to determine whether the breach is likely to result in serious harm. Notification to the OAIC + affected individuals follows where suspected harm is confirmed.
  Wiredepth response: Incident-readiness workpaper documents the assessment timeline + decision tree in the NDB-expected format. Tamper-evident audit log provides the chronology for the post-event assessment.

NDB - Notification statement (s.26WL) [Reporting]
  Requirement: When notifying the OAIC + affected individuals, the entity must include the kind of personal information concerned, the recommendations for affected individuals, and the entity's contact details. The notification must be made as soon as practicable.
  Wiredepth response: Workpaper template includes the OAIC statement format. Audit-log chain provides the evidence trail an OAIC investigation will use to verify the notification timeline.

Privacy Act 2022 amendments - Serious or repeated interference [Monitoring]
  Requirement: Penalties for serious or repeated interference with privacy rose dramatically in December 2022. Demonstrable + documented reasonable steps under APP 11 become a more critical defence.
  Wiredepth response: Continuous monitoring + tamper-evident audit log establish the documented + demonstrable security posture an OAIC assessment relies on when distinguishing serious from inadvertent interference.

Privacy Act review (Tranche-1 reforms in progress) [Reporting]
  Requirement: The 2024+ tranche-1 reforms expand individual rights, codify "fair and reasonable" handling, and tighten the small-business exemption. Implementation in progress as of 2026.
  Wiredepth response: Existing Wiredepth evidence surfaces (workpapers, audit log, vendor inventory) cover the technical-controls element of the reforms. Subscribe to /roadmap for tooling updates tracking the reform timeline.

What auditors actually look at

An OAIC investigator reviewing the email + domain surface would typically request:

  • The privacy management plan + records of reasonable steps under APP 11
  • Per-domain DMARC / DKIM / SPF / TLS posture sampled across the investigation window
  • Vendor register of authorised email senders with APP 8 cross-border assessment records
  • NDB assessment records for any suspected eligible data breach in the investigation window
  • OAIC + individual notification records (where reportable)

Generate an AU Privacy + NDB-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + an AU Privacy + NDB README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).

Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.