Privacy Laws Affecting Security Operations in Australia
Published 7 April 2026 · 8 min read
Security operations and privacy law are on a collision course. Every day, Australian security companies collect, store, and transmit personal information — from CCTV footage and incident reports to client itineraries and operator personnel files. The nature of the work demands it. But Australian privacy legislation imposes strict obligations on how that information is handled, and the consequences of getting it wrong have never been more serious.
This article examines how Australia's privacy framework applies to security companies, the specific legal boundaries around surveillance and monitoring, data handling obligations, and how to build privacy compliance into your day-to-day operations.
How the Privacy Act Applies to Security Companies
The Privacy Act 1988 (Cth) is the cornerstone of Australian privacy law. It regulates the handling of personal information by Australian Government agencies and private sector organisations. For security companies, the Act's application depends on several factors, most notably annual turnover.
Generally, the Privacy Act applies to private sector organisations with an annual turnover of more than $3 million. However, there are important exceptions that bring smaller security businesses within scope:
- Health service providers: If your security company provides any health-related services — such as first aid or medical response — you may be classified as a health service provider, triggering Privacy Act coverage regardless of turnover.
- Trading in personal information: If your business collects or discloses personal information for a benefit, service, or advantage, you may be covered.
- Related entities: If your security business is related to an entity with turnover exceeding $3 million, the Act applies.
- Contractual requirements: Many large clients — particularly government agencies and corporations — contractually require their security providers to comply with the Privacy Act and the Australian Privacy Principles (APPs), regardless of turnover.
The APPs, contained in Schedule 1 of the Privacy Act, set out 13 principles governing the collection, use, disclosure, storage, and destruction of personal information. For security companies, the most operationally relevant principles include:
- APP 3 — Collection: Personal information must only be collected where it is reasonably necessary for the entity's functions or activities. Collection must be by lawful and fair means, and directly from the individual where practicable.
- APP 5 — Notification: When collecting personal information, you must notify the individual about the purpose of collection, who it may be disclosed to, and how they can access or correct it.
- APP 6 — Use and disclosure: Personal information must only be used or disclosed for the purpose for which it was collected, unless an exception applies (such as where the individual has consented or where use is required by law).
- APP 11 — Security: You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
The Privacy Act is currently undergoing significant reform. The Attorney-General's Department has been progressing amendments following the Privacy Act Review, and security businesses should monitor developments closely. Proposed changes include expanding coverage to all businesses (removing the $3 million threshold), introducing a statutory tort for serious invasions of privacy, and strengthening enforcement powers.
US Privacy Comparison
Unlike Australia, the United States does not have a single comprehensive federal privacy law equivalent to the Privacy Act. Instead, US privacy regulation is a patchwork of federal sector-specific laws and state-level legislation. Security companies operating in the US must navigate regulations including the California Consumer Privacy Act (CCPA) and its successor the CPRA, the Virginia Consumer Data Protection Act (VCDPA), and similar laws enacted in Colorado, Connecticut, and other states. At the federal level, laws such as HIPAA (health data), the Gramm-Leach-Bliley Act (financial data), and the Electronic Communications Privacy Act (ECPA) may apply depending on the nature of the data collected. For US-based security companies, the absence of a single federal framework makes state-by-state compliance essential — a challenge that parallels Australia's state-based approach to many aspects of security regulation.
Surveillance and Monitoring: Legal Boundaries
Surveillance is central to many security operations, but it is also one of the most legally sensitive activities a security company can undertake. In addition to the Privacy Act, state and territory surveillance legislation imposes strict rules on when and how surveillance can be conducted.
CCTV and visual surveillance. The use of CCTV cameras in public and commercial spaces is generally lawful, provided appropriate signage is displayed and the footage is used for legitimate security purposes. However, recording in areas where individuals have a reasonable expectation of privacy — such as bathrooms, changing rooms, or private offices — is prohibited in all jurisdictions.
Audio surveillance and recording. This is where the law becomes more complex. Each state and territory has its own listening device or surveillance device legislation:
- NSW: The Surveillance Devices Act 2007 requires all parties to consent to a recording of a private conversation (all-party consent).
- Victoria: The Surveillance Devices Act 1999 also requires all-party consent for recording private conversations.
- Queensland: The Invasion of Privacy Act 1971 requires only one party to consent (one-party consent), meaning a participant in a conversation can lawfully record it.
- Other jurisdictions: Rules vary, and security businesses must check the specific legislation in each state or territory where they operate.
US surveillance law comparison. The United States has a similar split between one-party and all-party consent states. Federal law under the Wiretap Act (18 U.S.C. 2511) requires one-party consent for recording conversations. However, approximately 11 US states — including California, Florida, Illinois, and Massachusetts — are "two-party" (all-party) consent states. Security operators working across US state lines must be equally aware of these jurisdictional differences when conducting surveillance or using recording equipment.
For close protection and executive protection operators, these laws have direct practical implications. Recording a client meeting, intercepting communications, or using a body-worn camera with audio capability without proper authorisation can constitute a criminal offence. Operators must be briefed on the specific surveillance laws applicable to each assignment.
GPS and location tracking. Tracking the location of operators or vehicles is common in security operations. Under surveillance device legislation in most jurisdictions, using a tracking device to determine someone's location without their knowledge or consent is an offence. Operators must be informed that their location is being tracked, and consent should be documented — typically through employment contracts or subcontractor agreements.
Client Data Handling and Storage Obligations
Security companies hold some of the most sensitive personal information imaginable. Client itineraries, home addresses, family details, medical conditions, threat profiles, and financial information are routinely collected as part of executive protection and close protection engagements. The obligations around handling this data are significant.
Data minimisation. Collect only the personal information that is genuinely necessary for the assignment. It can be tempting to gather extensive background information "just in case," but collecting more data than you need increases your risk profile and your regulatory exposure.
Access controls. Not every member of your team needs access to all client information. Implement role-based access controls so that operators see only the information relevant to their assignment. Administrative staff, subcontractors, and support personnel should have access limited to their functional requirements.
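One way to implement the role- and assignment-scoped access this paragraph describes, as an added example that is not EP-CP's code or the article's own; the roles, field names, sample mission and users are all constructed for illustration:

```python
from dataclasses import dataclass, field

# Hypothetical field-level policy: which mission fields each role may see.
# Role and field names are constructed for this example, not EP-CP's schema.
ROLE_FIELDS = {
    "operator": {"mission_id", "itinerary", "client_contact", "threat_summary"},
    "team_leader": {"mission_id", "itinerary", "client_contact", "threat_summary",
                    "threat_assessment", "client_home_address", "client_medical"},
    "admin": {"mission_id", "client_name", "billing_contact"},
    "subcontractor": {"mission_id", "itinerary"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_missions: frozenset = field(default_factory=frozenset)

class AccessDenied(PermissionError):
    pass

def view_mission(user: User, mission: dict, audit: list) -> dict:
    """Return only the fields `user` may see and log the access. Deny by default: an unknown
    role, or a user not assigned to the mission (admin excepted, as admin fields carry no
    operational detail), gets nothing."""
    allowed = ROLE_FIELDS.get(user.role)
    if allowed is None:
        raise AccessDenied(f"unknown role {user.role!r} for {user.user_id}")
    mid = mission["mission_id"]
    if user.role != "admin" and mid not in user.assigned_missions:
        audit.append((user.user_id, mid, "denied"))
        raise AccessDenied(f"{user.user_id} is not assigned to {mid}")
    shown = {k: v for k, v in mission.items() if k in allowed}
    audit.append((user.user_id, mid, "viewed:" + ",".join(sorted(shown))))
    return shown

# Constructed sample mission record and users (placeholder values only).
MISSION = {
    "mission_id": "M-2026-017", "client_name": "Example Pty Ltd",
    "client_contact": "+61 4xx xxx xxx", "billing_contact": "accounts@example.com",
    "client_home_address": "[redacted in sample]", "client_medical": "nil known",
    "itinerary": "0800 pickup, 0930 board meeting", "threat_summary": "low",
    "threat_assessment": "full assessment text",
}
USERS = {
    "operator": User("op-01", "operator", frozenset({"M-2026-017"})),
    "other_operator": User("op-02", "operator", frozenset({"M-2026-018"})),
    "admin": User("adm-01", "admin"),
}
```

Every denied request is written to the audit list as well as every successful one, so the log answers both "who saw this client's data" and "who tried to".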
Secure storage. Personal information must be stored securely, whether in physical or digital form. For digital records, this means encryption at rest and in transit, strong authentication, and regular security audits. For physical records, it means locked storage with restricted access. Cloud storage must comply with Australian data sovereignty requirements — meaning data should be stored on servers located in Australia unless the client has explicitly consented to offshore storage.
Data retention and destruction. The Privacy Act requires that personal information be destroyed or de-identified once it is no longer needed for the purpose for which it was collected. Security companies should establish clear data retention schedules and ensure that client files, CCTV footage, incident reports, and operator records are disposed of securely when the retention period expires.
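A retention review of the kind this paragraph calls for, as an added example rather than code from the article or EP-CP; the record types follow the paragraph, while the retention periods, disposal actions and sample records are constructed placeholders, not legal guidance:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Action(Enum):
    KEEP = "keep"
    DESTROY = "destroy"          # secure deletion of the record and its copies
    DE_IDENTIFY = "de-identify"  # strip identifiers, keep the non-personal residue

# Constructed retention schedule: (days kept, action when the period expires).
# The periods are illustrative only; take yours from your own retention schedule.
SCHEDULE = {
    "cctv_footage": (30, Action.DESTROY),
    "client_file": (90, Action.DESTROY),
    "incident_report": (7 * 365, Action.DE_IDENTIFY),
    "operator_record": (7 * 365, Action.DESTROY),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    collected_on: date
    legal_hold: bool = False  # e.g. evidence in a live investigation: never disposed while set

def disposal_action(record: Record, today: date) -> Action:
    """Decide what the retention schedule requires for one record on `today`."""
    if record.record_type not in SCHEDULE:
        # Fail closed: a record type with no rule must not silently be kept forever.
        raise ValueError(f"no retention rule for {record.record_type!r}")
    days, expiry_action = SCHEDULE[record.record_type]
    if record.legal_hold or today < record.collected_on + timedelta(days=days):
        return Action.KEEP
    return expiry_action

def review(records, today: date) -> dict:
    """Group record ids by the action due; this is the disposal job's work list and audit trail."""
    out = {a.value: [] for a in Action}
    for r in records:
        out[disposal_action(r, today).value].append(r.record_id)
    return out

# Constructed sample records, reviewed on a fixed date.
REVIEW_DATE = date(2026, 4, 7)
SAMPLE = [
    Record("cam-001", "cctv_footage", date(2026, 3, 1)),
    Record("cam-002", "cctv_footage", date(2026, 3, 20)),
    Record("ir-017", "incident_report", date(2018, 1, 10)),
    Record("ir-018", "incident_report", date(2018, 1, 10), legal_hold=True),
]
```

A record type missing from the schedule raises instead of being kept by default, so a new data source has to be given a retention rule before anything is stored under it.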
Data breach notification. Under the Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm. Security companies must have a data breach response plan in place and be prepared to act quickly if a breach occurs.
Privacy-Compliant Mission Management With EP-CP
Managing privacy obligations across multiple clients, assignments, and operators is a significant operational challenge. The more data you handle, the greater the risk — and the greater the need for a system that enforces compliance by design.
EP-CP, Australia's command platform for executive protection and close protection, is built with privacy and data security at its core. The platform provides role-based access controls that ensure operators and staff see only the information relevant to their role and assignment. Client data is encrypted and stored on Australian servers, supporting compliance with data sovereignty requirements.
Mission planning within EP-CP allows you to manage sensitive client information — itineraries, threat assessments, contact details — in a secure, auditable environment. When a mission is complete, retention policies can be applied to ensure data is managed in accordance with your obligations under the Privacy Act.
For security businesses that take privacy compliance seriously, EP-CP provides the infrastructure to operationalise your privacy policies — not just write them down, but embed them into every mission, every assignment, and every interaction with client data. In an industry built on trust, that level of rigour is a genuine competitive advantage.
About EP-CP
EP-CP (Executive Protection & Close Protection) is Australia's command platform for security operations.