Your business runs on technology. Email, cloud storage, contractor apps, payment systems, AI tools, and the laptop sitting on your kitchen table if you work from home. Every one of those touchpoints is a risk that a written IT policy is meant to manage. By 2026, “we’ll sort it out if something happens” is no longer a defensible position, especially with the Privacy and Other Legislation Amendment Act 2024 now in force and penalties up to $50 million on the table for serious breaches.
Here are the 10 essential IT policies Australian small businesses should have in place, what each one should actually say, and sample clauses you can copy into your templates.
- The Privacy Act small business exemption still applies, but it’s narrowing. Businesses with turnover under $3 million are currently exempt from most Privacy Act obligations, but the government has signalled the exemption will be removed in the next reform tranche. Plan now.
- Penalties have jumped to $50 million or 30% of turnover. The 2024 amendments brought Australian privacy penalties into line with GDPR. Even if you’re exempt today, start treating it like you’re not.
- There’s now a statutory right to sue for serious privacy invasions. In force from 10 June 2025, it may apply to small businesses regardless of the $3M threshold. Your IT policies are your first line of defence.
- By 11 December 2026, you must disclose automated decision-making. If your business uses AI to make decisions that affect customers or employees, your privacy policy needs to explain it.
- 10 core policies cover most small businesses. IT Policy, Privacy Policy, Acceptable Use, Cybersecurity, Data Breach, AI Use, BYOD, Social Media, WFH, and Incident Response. Sample clauses and templates below.
What are IT policies, and why do they matter in 2026?
IT policies are written rules that describe how your business uses and protects technology. They tell your team what’s allowed on company devices, how to handle customer data, what to do if a laptop is stolen, and who to call if you suspect a breach. Good policies do two jobs at once. They tell employees what’s expected, and they show regulators you took “reasonable steps” to protect the information you hold.
The 2026 landscape has three shifts that make these policies more important than they were when most small business templates were written.
First, the cost of a breach has climbed. The Australian Cyber Security Centre reports the average cybercrime report cost for small business reached around $46,000 in FY2023-24. Second, the Privacy Act reforms have landed, with more coming. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024, and the government has said the small business exemption is under review for the next tranche. Third, AI has moved from novelty to default. Staff are pasting customer data into ChatGPT, Claude, and Gemini every day without a policy telling them where the line is.
How do the 2024 Privacy Act changes affect small businesses?
This is where the old advice about IT policies gets dangerous. Plenty of blog posts still say “you’re only covered by the Privacy Act if you turn over more than $3 million.” That’s still technically true, but it misses three important updates you need to plan for.
The $3 million exemption is still in place, for now
The small business exemption in the Privacy Act 1988 (Cth) still applies to businesses with an annual turnover of $3 million or less. That covers around 95% of Australian businesses. If you sit under the threshold and don’t fall into a specific excluded category (like health service providers, residential tenancy databases, or businesses that trade in personal information), most Privacy Act obligations don’t directly apply to you yet.
The 2024 amendments tightened what does apply
Where the Privacy Act does apply, it now requires “technical and organisational measures” for data security under Australian Privacy Principle 11, not just “reasonable steps.” That change raises the bar for what counts as good enough. The amendments, which came into force from 11 December 2024, also introduced new criminal offences for doxxing (the malicious release of someone’s personal information) and created a statutory tort of serious invasions of privacy that commenced on 10 June 2025.
The statutory tort is the one most small businesses have missed. It’s a standalone cause of action that sits outside the main Privacy Act framework, and legal commentators have flagged that it may apply to small businesses even if the rest of the Act doesn’t. If your employee accidentally leaks a customer’s address and a stalker uses it, the customer may be able to sue you directly under the tort. Penalties under the main Act have also jumped to up to $50 million, 3 times the benefit gained, or 30% of adjusted turnover (whichever is greater).
The exemption is on borrowed time
The Attorney-General’s Privacy Act Review Report recommended scrapping the small business exemption entirely, and the government has agreed in principle. The next tranche of reforms is expected to remove it. When that happens, every Australian business collecting personal information (your customer list, your email database, your booking system) will need a compliant privacy policy, data-handling processes, and a data breach response plan. Businesses that start now will have templates, staff training, and systems in place. Businesses that wait will be scrambling.
Automated decision-making disclosures are coming in December 2026
By 11 December 2026, businesses covered by the Privacy Act must update their privacy policies to disclose when they use automated decision-making that significantly affects someone’s rights or interests. If you use AI to screen job applicants, score credit risk, approve refunds, or decide who gets a quote, that needs to be in your privacy policy. This applies to APP entities, so for now only businesses over the $3M threshold, but it’s another reason to start treating AI governance seriously.
The practical advice from Lawpath’s legal team is consistent across consultations: act as if the exemption is already gone. Update your Privacy Policy, put the core IT policies in place, and document your data-handling procedures. The cost of doing it early is low. The cost of doing it reactively, after a breach or a reform announcement, is significantly higher.
Which IT policies does every small business need?
For most Australian small businesses, 10 policies cover the territory. Not every business needs every policy on day one, but this is the stack to build toward. The first four are non-negotiable. The rest are triggered by what your business actually does.
1. IT Policy (the master document)
The IT Policy is the umbrella document for how your business uses technology. It sets expectations for computer, internet, email, social media, and phone use. It also confirms that the business owns the equipment, has the right to monitor use, and can take disciplinary action if the policy is breached.
Sample clause:
“The Company’s IT resources (including computers, mobile devices, email, and internet access) are provided for business purposes. Limited personal use is permitted where it does not interfere with work duties, consume excessive bandwidth, or breach this policy. The Company reserves the right to monitor all use of its IT resources and may take disciplinary action, up to and including termination, for breaches of this policy.”
2. Privacy Policy (legally required for most businesses)
A Privacy Policy explains how you collect, use, store, and share customer information. It’s legally required if you’re covered by the Privacy Act. Even if your business falls under the $3 million exemption today, you should still have one. Consumer trust, platform terms (Google, Meta, Apple), and many B2B contracts require it. If you sell to or handle data from EU customers, you also need a GDPR Privacy Policy.
Sample clause:
“We collect personal information that you provide directly (such as name, email, and payment details) and information we receive automatically when you use our website (such as IP address, device type, and browsing behaviour). We use this information to provide our services, process transactions, communicate with you, and comply with our legal obligations. We do not sell your personal information. For full details on how we handle your data, including your right to request access or correction, see our full Privacy Policy at [URL].”
3. Acceptable Use Policy
An Acceptable Use Policy drills deeper than the IT Policy into what staff can and can’t do. It’s where you set rules around personal email use on business accounts, software installation, external storage devices, and accessing inappropriate content. It’s especially important if your business monitors employee communications, because it puts staff on notice.
Sample clause:
“Employees must not install software on Company devices without prior written approval from [IT Lead / Operations Manager]. Personal file-sharing tools (such as personal Dropbox, Google Drive, or iCloud accounts) must not be used to store, share, or back up Company data. Company email accounts must not be used to sign up to personal services, online shopping, or social media accounts.”
4. Cybersecurity Policy
A Cybersecurity Policy sets the technical standards: password requirements, multi-factor authentication, device encryption, backup schedules, and how to report suspicious activity. The Australian Signals Directorate’s Essential Eight framework is the accepted starting point for a small business cyber baseline, and your policy should at least reference the controls you’ve implemented.
Sample clause:
“All employees must use strong, unique passwords of at least 12 characters for Company systems, and must enable multi-factor authentication (MFA) where available. Passwords must not be shared, reused across systems, or stored in plain text. Laptops and mobile devices used for work must have device encryption enabled and auto-lock after 5 minutes of inactivity. Lost or stolen devices must be reported to [IT Lead] immediately so access can be revoked and data wiped remotely.”
5. Data Breach Policy
A Data Breach Policy is your emergency response plan. Under the Notifiable Data Breaches (NDB) scheme, if you’re covered by the Privacy Act and experience a breach likely to cause serious harm, you must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC). The clock starts ticking the moment you become aware, and a documented plan is the difference between a clean response and a chaotic one.
Sample clause:
“If any employee suspects a data breach, they must notify [Incident Lead] within 2 hours of becoming aware. The Incident Lead will: (a) contain the breach by revoking access, isolating affected systems, or forcing password resets as needed; (b) preserve evidence, including logs, emails, and device states; (c) assess the scope of affected data and whether the breach is likely to cause serious harm; (d) if the breach meets the threshold, notify the OAIC and affected individuals within 30 days; and (e) document lessons learned and update controls.”
6. AI Use Policy (the new essential for 2026)
An AI Use Policy is the policy most small businesses don’t have yet, and the one causing the most consultations at Lawpath in 2026. Staff are using ChatGPT, Claude, Gemini, and Copilot every day. Without a policy, they’re pasting customer data, client strategies, and confidential documents into third-party tools that may store or train on that data.
Sample clause:
“Employees must not input Company confidential information, customer personal data, or unreleased financial information into public generative AI tools (including ChatGPT, Claude, Gemini, Copilot, or similar services). Approved enterprise AI tools with Data Processing Agreements may be used in accordance with the separate list maintained by [IT Lead]. All AI-generated content used in customer-facing work must be reviewed by a human before publication, and must not be presented as the original work of a human where accuracy, authorship, or authority matters.”
7. Bring Your Own Device (BYOD) Policy
A BYOD Policy is essential if staff use personal laptops or phones for work. It sets minimum security standards (passcodes, OS updates, antivirus), rules around storing company data on personal devices, and the Company’s right to wipe work data remotely if the device is lost or the employee leaves. This is a mandatory policy for any business with contractors who bring their own tools.
Sample clause:
“Employees using personal devices for Company work must: (a) protect the device with a passcode or biometric lock; (b) keep the operating system and security software up to date; (c) store Company data only in approved cloud applications, not in personal storage; (d) install the Company’s Mobile Device Management (MDM) profile, which grants the Company the right to remotely wipe Company data if the device is lost or employment ends; and (e) report lost or stolen devices to [IT Lead] within 24 hours.”
8. Social Media Policy
A Social Media Policy sets ground rules for how staff represent the business online, what they can share publicly, and what happens when personal social media intersects with work. With around 90% of Australian small and medium businesses using Facebook or Instagram to reach customers, this is no longer optional for brand-facing businesses.
Sample clause:
“Employees must not post Company confidential information, customer details, unreleased products, or internal financial information on any public or private social media account. Employees who identify themselves as associated with the Company in personal social media profiles must include a disclaimer that views expressed are personal and do not represent the Company. Harassment, discrimination, or disparagement of colleagues, customers, or competitors through social media is a breach of this policy and may result in disciplinary action.”
9. Working From Home / Flexible Work Policy
A Working From Home Policy covers the IT and security expectations for staff who work remotely. It’s separate from (and sits alongside) a Flexible Working Policy, which covers the broader employment-law side under the 2023 flexible work reforms. For IT purposes, the policy should cover secure internet requirements, what equipment the Company provides, storage and handling of confidential information, and what’s expected when the remote arrangement ends.
Sample clause:
“Employees working from home must use a secured home internet connection (WPA2 or WPA3 encryption), must work only on Company-issued or approved devices, and must not use public Wi-Fi for Company work without an active VPN connection. Confidential physical documents must be stored in a lockable space and cannot be left visible during video calls. All Company equipment must be returned within 5 business days of the end of employment.”
10. Incident Response Procedure
Distinct from a Data Breach Policy (which deals with privacy incidents), an Incident Response Procedure covers operational IT issues: ransomware, service outages, malware infections, or a compromised account that hasn’t yet resulted in data exposure. It’s the runbook your team follows when something goes wrong.
Sample clause:
“Incidents are categorised as P1 (business-critical, affecting customer service or multiple staff, 1-hour response target), P2 (serious, affecting an individual staff member or a single function, 4-hour response target), or P3 (minor, next business day). The first-response steps for a suspected compromise are: (a) disconnect the affected device from the network; (b) do not turn the device off, to preserve memory; (c) notify [IT Lead] and [Operations Manager]; (d) do not communicate about the incident externally until authorised.”
What we see in Lawpath consultations
Three patterns come up again and again in Lawpath’s advisory consultations on IT policy and privacy work. We share them here because they’re the gaps other guides miss.
The AI-feature afterthought
A recurring consultation pattern in 2026 is businesses that have added an AI feature to their product or workflow without updating their Privacy Policy to match. One recent brief from a Queensland B2B SaaS platform showed the gap clearly: the product had an “optional AI feature sending aggregated operational data to a third-party API,” but the existing Privacy Policy and Terms of Service didn’t mention it. Our lawyers flagged that this created Privacy Act 1988 and Australian Consumer Law exposure, because the data flow wasn’t disclosed and the operational data could contain personal information. The fix was relatively quick once identified, but the risk had been sitting live for months.
The “we’ll get templates when we launch” trap
Lawpath’s startup briefs show a consistent sequence: founders launch, start collecting customer data, realise at month three or four they need Terms & Conditions and a Privacy Policy, and then scramble to draft them while the business is already live. Our advisors routinely recommend flipping the order: draft the Privacy Policy before launch, even in a simple form, and update as the product evolves. The draft doesn’t need to be perfect. It needs to exist, be linked from the website footer, and accurately describe what you’re doing.
The “one giant policy” problem
Some businesses try to combine every IT-related rule into a single 40-page policy document. The consultations tell us this consistently fails in practice. Staff don’t read it, managers can’t point to the relevant clause during disciplinary conversations, and updates become painful. The advice from our legal team is to keep policies modular. Shorter, scoped documents (IT Policy, AI Use Policy, BYOD Policy) are easier to update, easier for staff to follow, and easier to point to when something goes wrong.
How do I actually roll out IT policies in my business?
Writing policies is the easy part. Making them stick is where most small businesses fall over. Here’s the sequence that works.
Step 1: Map your real risks
List every system your business uses (email, accounting software, CRM, cloud storage, payment gateway, AI tools). List what data lives where (customer records, employee files, financial records, IP). Identify who has access, from where, and on what device. This exercise usually takes 30 minutes and surfaces gaps you didn’t know you had.
Step 2: Start with the four non-negotiables
IT Policy, Privacy Policy, Cybersecurity Policy, and Data Breach Policy. Don’t try to draft all 10 at once. Get the first four in place, circulate them, and get staff to acknowledge them in writing. Then add the rest as needed.
Step 3: Tailor, don’t copy
Templates get you 80% of the way. The remaining 20% is where generic policies fail. Your policies should name the actual systems you use, the actual roles responsible (not “IT” if you don’t have an IT team, but “the Office Manager”), and the actual workflows your team follows. If your Data Breach Policy says “notify the IT Team” and you don’t have one, staff will freeze when something happens.
Step 4: Run a 15-minute onboarding session
Don’t email policies and hope for the best. Walk the team through the key expectations: what AI tools are approved, who to call for a suspected breach, what happens if they lose a laptop. Get them to sign or digitally acknowledge that they’ve read and understood the policies. This matters both for culture and for legal defensibility.
Step 5: Review annually or after a major change
Set a calendar reminder for 12 months from the signing date. Also trigger a review when you adopt a major new system (a new CRM, an AI tool, a new payment gateway), onboard a contractor with access to customer data, or experience any incident. The Privacy Act reforms are coming in stages. Annual reviews catch the changes while they’re small.
What are the common IT policy mistakes to avoid?
Writing policies you won’t enforce. A policy that bans something management ignores is worse than no policy at all. If the rule is “no personal email on work computers,” make sure that’s what you actually expect. Otherwise, soften the clause to reflect reality (“limited personal email use is permitted, provided it does not interfere with work”).
Naming people instead of roles. If your Data Breach Policy names “Jenny” as the incident lead and Jenny leaves, the policy is out of date the next day. Name roles (“the Operations Manager” or “the IT Lead”) and maintain a separate contact list.
Forgetting to cover contractors. Contractors, freelancers, and agencies often have access to the same systems as employees but aren’t covered by the Acceptable Use Policy or AI Use Policy. If your policies apply only to “employees,” contractors can argue they don’t apply to them. Extend coverage in your contractor agreements or policy scope.
Copying a US or UK template. Privacy frameworks differ substantially across jurisdictions. A GDPR-based privacy policy isn’t the same as a Privacy Act 1988 one, and a US-based IT policy may reference laws that don’t exist in Australia. Use Australian-specific templates, and review any imported template against Australian requirements.
Treating “small business exemption” as permission to ignore the Privacy Act. The exemption is narrowing, penalties are rising, and the statutory tort may apply to small businesses regardless. Treat the exemption as a compliance deadline that’s already in the calendar, not a permanent safe harbour.
Frequently asked questions
What is an IT policy for a small business?
An IT policy is a written document that sets out how your business and its staff use technology. It covers what’s allowed on company devices, how customer data is protected, password and access rules, and consequences for misuse. It protects both the business and employees by removing ambiguity about expectations.
Do small businesses need a Privacy Policy under Australian law?
Businesses with an annual turnover of more than $3 million, health service providers, and businesses that trade in personal information are required by the Privacy Act 1988 (Cth) to have a compliant Privacy Policy. Below the threshold, it’s not strictly mandatory, but most platforms (Google, Meta, Apple) and many B2B customers require one, and the government has signalled the small business exemption will be removed in upcoming reforms.
What’s the difference between a Cybersecurity Policy and a Data Breach Policy?
A Cybersecurity Policy is preventive. It sets the technical standards (passwords, MFA, encryption, backups) to reduce the chance of a breach happening. A Data Breach Policy is responsive. It’s the step-by-step plan your team follows when a breach is suspected or confirmed, including who notifies the OAIC and when. Most businesses need both.
Is an AI Use Policy really necessary for a small business?
Yes, and increasingly urgently. Staff in most Australian small businesses are already using ChatGPT, Claude, Gemini, or Copilot. Without a policy, they may be pasting customer data, confidential strategy, or unreleased information into tools that train on input or store it indefinitely. The AI Use Policy is also your basis for requiring human review of AI-generated customer communications, which the ACCC has flagged as an area of concern.
Can I fire an employee for breaching an IT policy?
Only if the breach is serious enough to justify termination, the policy was clearly communicated, and the process follows fair-work principles. A single minor breach is usually a performance issue, not a dismissal matter. Serious breaches (theft of data, deliberate malware introduction, harassment via work email) may justify summary dismissal. If in doubt, get employment-law advice before acting. An unfair dismissal claim is one of the more common consequences of a rushed termination.
What’s the Notifiable Data Breaches (NDB) scheme?
The NDB scheme sits within the Privacy Act and requires businesses covered by the Act to notify affected individuals and the OAIC when they experience an “eligible data breach” (one likely to cause serious harm). The notification must happen as soon as practicable, and always within 30 days of the business becoming aware. Failure to notify can attract the new civil penalties of up to $50 million.
How often should I update my IT policies?
Annually at minimum, or whenever a significant change happens: a new system, a new type of data collected, a legislative change (like the 2024 Privacy Act amendments), or an incident. The privacy reform tranches through 2025 and 2026 will likely trigger multiple rounds of policy updates for most businesses.
Where can I get free support for small business cyber resilience?
The Australian Government runs a free Small Business Cyber Resilience Service, delivered through IDCARE, which provides one-on-one support to help small businesses build cyber resilience and recover from incidents. It’s a genuinely useful service that most small businesses don’t know exists. The ASD’s Essential Eight framework is the other accepted baseline for small business cyber controls.
How Lawpath can help
Lawpath has customisable templates for all 10 policies above, and you can create them directly from the legal document library. Your first policy is free on most plans. If you want a lawyer to review your policy stack against the 2024 Privacy Act changes, you can book a consultation through a Lawpath legal plan. The team sees these matters daily and can usually spot the gaps in 20 minutes.
Last reviewed: April 2026. Reviewed by Lawpath’s legal team against the Privacy and Other Legislation Amendment Act 2024, the Australian Privacy Principles, and the Notifiable Data Breaches scheme as in force at the date of review.