
How to Comply with the Privacy Act Using Microsoft 365
- Sam Williams
- Mar 29
- 2 min read

If your business handles personal information — names, emails, phone numbers, health records, financial data — you have obligations under the Australian Privacy Act 1988. The good news is that Microsoft 365 has tools that help you meet most of them. The bad news is that most businesses haven't turned them on.
Here's a practical guide to using what's already in your M365 licence.
Know what data you have
The Privacy Act requires you to know what personal information you hold, where it is, and who has access to it.
Microsoft Purview Content Explorer (available on E5 or as an add-on) scans your M365 environment and shows you where sensitive data exists — email, SharePoint, OneDrive, Teams.
If you don't have Content Explorer, start manually. Identify which SharePoint sites, mailboxes, and Teams channels handle personal information. Document it.
Classify and label sensitive data
Use Microsoft Purview sensitivity labels to classify documents and emails. Create labels like 'Personal Information', 'Confidential', and 'Internal Only'.
Labels can enforce protection — prevent forwarding, restrict who can open the document, encrypt the content. This means even if a file ends up in the wrong hands, they can't read it.
Start with manual labelling (users choose the label) and move to auto-labelling once you've tuned the rules.
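As an added example (not from the original post), here is how the three labels above can be created and published from Security & Compliance PowerShell so that users pick a label themselves before any auto-labelling is attempted. It assumes the ExchangeOnlineManagement module is installed and that you are signed in with an account that has Purview rights; the label names, the staff group address and the tooltip text are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes the ExchangeOnlineManagement module; all names and addresses are placeholders.
Connect-IPPSSession

# 'Personal Information' encrypts the content and grants a staff group every usage
# right except FORWARD, which is how "prevent forwarding" is expressed in rights terms.
New-Label -Name "PersonalInformation" -DisplayName "Personal Information" `
    -Tooltip "Names, contact details, health or financial data about individuals" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "allstaff@contoso.com.au:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# The other two labels classify without encrypting.
New-Label -Name "Confidential" -DisplayName "Confidential" -ContentType "File, Email" `
    -Tooltip "Business information that must not leave the organisation"
New-Label -Name "InternalOnly" -DisplayName "Internal Only" -ContentType "File, Email" `
    -Tooltip "Routine internal material"

# Publish to all users. 'mandatory' makes people choose a label before saving or
# sending, which is the manual-labelling phase to start with.
New-LabelPolicy -Name "Privacy labels" `
    -Labels "PersonalInformation", "Confidential", "InternalOnly" `
    -ExchangeLocation All `
    -AdvancedSettings @{ mandatory = "true" }

# Confirm what was published.
Get-LabelPolicy -Identity "Privacy labels" | Select-Object Name, Labels
```

Users will see the labels in Office apps once the policy has propagated, which can take an hour or more; the encryption settings only bite on items that actually carry the 'Personal Information' label.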
Prevent data leaks
Set up DLP policies to detect and block personal information being shared externally. Microsoft Purview includes templates for Australian regulations that detect Tax File Numbers, Medicare numbers, and other PII.
Apply DLP to email, SharePoint, OneDrive, and Teams. Start in monitor-only mode, then switch to blocking once you're confident in the accuracy.
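The following added example (not the post's own code) builds exactly that policy: the built-in Australian sensitive information types, all four workloads, test mode first and a one-line switch to blocking. It assumes you are already connected with Connect-IPPSSession; the policy and rule names and the incident report address are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes Connect-IPPSSession has already been run; names and addresses are placeholders.

# Built-in sensitive information types matching the examples in the article.
$auPii = @(
    @{ Name = "Australia Tax File Number";        minCount = "1" },
    @{ Name = "Australia Medical Account Number"; minCount = "1" },   # Medicare numbers
    @{ Name = "Australia Bank Account Number";    minCount = "1" },
    @{ Name = "Australia Passport Number";        minCount = "1" }
)

# Monitor-only first: matches are logged and users see policy tips, nothing is blocked.
New-DlpCompliancePolicy -Name "AU Personal Information" `
    -Comment "Privacy Act: personal information leaving the organisation" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# The rule: any of the types above shared with someone outside the organisation.
New-DlpComplianceRule -Name "AU PII shared externally" -Policy "AU Personal Information" `
    -ContentContainsSensitiveInformation $auPii `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains personal information and cannot be shared outside the organisation." `
    -GenerateIncidentReport "privacy@contoso.com.au" `
    -IncidentReportContent Title, Detections, Severity, Service `
    -ReportSeverityLevel High

# Review the incident reports for a few weeks. When the matches look right, enforce:
# Set-DlpCompliancePolicy -Identity "AU Personal Information" -Mode Enable
```

While the policy is in TestWithNotifications the BlockAccess setting is recorded but not applied, so the incident reports tell you what would have been blocked; that is the data to check for false positives before flipping the mode.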
Retention and deletion
The Privacy Act requires you to destroy personal information when it's no longer needed. Don't keep everything forever.
Use Microsoft Purview retention policies to automatically delete content after a defined period. Set different retention periods for different types of content — financial records might need 7 years, general correspondence might only need 2.
Make sure your retention policies cover email, SharePoint, OneDrive, and Teams.
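As an added example (not from the original post), the script below creates the two retention periods mentioned above and a third policy for Teams, which Purview requires to be separate from the email, SharePoint and OneDrive locations. It assumes Connect-IPPSSession; the Finance site URL and policy names are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes Connect-IPPSSession; the Finance site URL and policy names are placeholders.

# 1. Financial records: keep for 7 years from creation, then delete.
New-RetentionCompliancePolicy -Name "Financial records 7y" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance"
New-RetentionComplianceRule -Name "Retain 7y then delete" -Policy "Financial records 7y" `
    -RetentionDuration 2555 -ExpirationDateOption CreationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# 2. General correspondence: delete mail and OneDrive content untouched for 2 years.
New-RetentionCompliancePolicy -Name "General correspondence 2y" `
    -ExchangeLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Delete after 2y" -Policy "General correspondence 2y" `
    -RetentionDuration 730 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# 3. Teams chats and channel messages cannot share a policy with the locations above.
New-RetentionCompliancePolicy -Name "Teams messages 2y" `
    -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Name "Delete Teams after 2y" -Policy "Teams messages 2y" `
    -RetentionDuration 730 -RetentionComplianceAction Delete

# Check that every workload in the article is covered by at least one policy.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, ExchangeLocation, SharePointLocation, OneDriveLocation,
                  TeamsChatLocation, TeamsChannelLocation, DistributionStatus
```

The final query is the check to keep: a workload with no policy listed against it is content that will be kept forever by default.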
Breach notification
If personal information is compromised, you must notify the OAIC and affected individuals under the Notifiable Data Breaches scheme.
Microsoft 365 helps you detect breaches through sign-in logs, DLP alerts, and Defender alerts. Have a response plan documented: who investigates, who decides whether to notify, and how you contact affected people.
Set up alerts in Defender and Entra ID so you know immediately if something suspicious happens.
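The following added example (not the post's own code) covers the detection side of that plan: it confirms the unified audit log is on, creates an alert policy for a pattern worth investigating, and gives the person doing the investigating a quick query for recent DLP matches. It assumes the ExchangeOnlineManagement module; the notification address and the thresholds are placeholders, and the audit record fields read by Get-RecentDlpMatches are the ones in the Office 365 DLP audit schema.

```powershell
# Added example, not code from the original post.
# Assumes the ExchangeOnlineManagement module; addresses and thresholds are placeholders.

# The unified audit log is where sign-in and file activity evidence comes from.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Alert policy: one user downloading 100 or more files within an hour.
Connect-IPPSSession
New-ProtectionAlert -Name "Bulk file download" -Category ThreatManagement `
    -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser "security@contoso.com.au"

# Triage helper: who tripped DLP rules in SharePoint/OneDrive over the last N days?
function Get-RecentDlpMatches {
    param([int]$Days = 7)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ComplianceDLPSharePoint -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json      # the event detail is a JSON string
            [pscustomobject]@{
                When   = $_.CreationDate
                User   = $_.UserIds
                Policy = ($d.PolicyDetails.PolicyName -join ';')
                Item   = $d.SharePointMetaData.FileName
            }
        } | Sort-Object When -Descending
}

# Most frequent offenders first; a single user with many matches is the place to start.
Get-RecentDlpMatches -Days 7 |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Search-UnifiedAuditLog returns at most 5000 records per call, so for a busy tenant narrow the date range or page with -SessionCommand ReturnLargeSet.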
Access controls
The Privacy Act requires you to protect personal information from unauthorised access. In M365 terms, this means:
- MFA on all accounts.
- Conditional Access to control where and how people sign in.
- SharePoint permissions reviewed regularly — not everyone needs access to everything.
- Intune to manage devices and enforce encryption.
- Admin access restricted to people who actually need it.
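As an added example (not from the original post), the script below puts three of those items into practice: a Conditional Access policy requiring MFA for everyone (in report-only mode first), a listing of who currently holds Global Administrator, and a list of SharePoint sites that still allow external sharing as the starting point for a permissions review. It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules; the break-glass group id and the tenant names are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes the Microsoft.Graph and SharePoint Online Management Shell modules;
# the break-glass group id and tenant names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# 1. Conditional Access: require MFA for all users on all apps.
$policy = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # review sign-in logs, then set to "enabled"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("00000000-0000-0000-0000-000000000000")   # break-glass accounts (placeholder id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Who can administer the tenant? Compare this list with who actually needs it.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# 3. Sites that still permit external sharing are where the permissions review starts.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner
```

Leave the Conditional Access policy in report-only mode until the sign-in logs show no legitimate access being flagged, and always exclude a break-glass group so that a misconfigured policy cannot lock administrators out.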
We help Australian businesses configure their Microsoft 365 environment for Privacy Act compliance. If you're not sure where you stand, we can run an assessment and give you a clear picture of what needs to be done.

