Frontrow Technology

Sensitivity labels in 2026: what Privacy Act reform means for your Microsoft 365 tenant

Privacy Act reforms have hardened the 'reasonable steps' standard. Tribunals now point at sensitivity labelling and DLP as baseline expectations. Most AU mid-market tenants have labels deployed at 4% adoption. That's the gap.

Daniel Brown · 7 May 2026 · 10 min read

The Privacy Act 1988 has always required organisations to take 'reasonable steps' to protect personal information. For two decades that phrase did relatively little work. Reforms enacted through 2024-2026 have hardened its interpretation. OAIC determinations and tribunal decisions now point at specific Microsoft 365 controls — sensitivity labelling, Data Loss Prevention, access reviews, breach detection — as baseline expectations for any organisation handling personal information at scale.

The mismatch between what the law expects and what most Australian mid-market tenants have deployed is large. Frontrow audits Information Protection postures across professional services, regulated industries and regional operations. The pattern is consistent: sensitivity labels published, training delivered, four percent of new documents actually labelled. Encryption configured on the top tier of labels but not enforced because the labels aren't being applied. DLP policies built, sitting in audit-only mode for two years, surfacing incidents nobody triages. The controls exist. They don't bite.

What 'reasonable steps' now means in practice

OAIC's interpretive trajectory is consistent: the reasonableness of an organisation's protection of personal information is judged against contemporary technical baselines. For a Microsoft 365 tenant in 2026, the contemporary baseline includes:

  • sensitivity labels with encryption on personal-information-bearing content;
  • auto-labelling using built-in or trainable classifiers to push label adoption past manual ceilings;
  • container labels on SharePoint sites and Microsoft 365 Groups holding personal information;
  • DLP policies in enforcing mode (not audit-only) covering Exchange, SharePoint, OneDrive and Teams;
  • audit log retention long enough to evidence that the controls actually fired.

An organisation that holds personal information at scale and has none of the above exposes itself to two compounding findings in the event of a breach: the breach itself, and the OAIC determination that the protective controls were not reasonable. The second finding compounds the regulatory cost of the first.

What's actually deployed in AU mid-market

Frontrow's field data on Information Protection deployment in Australian mid-market is not encouraging.

  • Approximately 70% of audited tenants have sensitivity labels published. Of those, approximately 80% have label adoption rates below 30% on new documents. The label exists. It is not being applied.
  • Approximately 30% have container labels enabled. Most have only file-level labels — leaving sensitive sites fully shareable even when individual files are correctly classified.
  • Approximately 20% of audited tenants have DLP policies out of audit-only mode. The policies are built. They are not enforcing.
  • Approximately 10% of audited tenants have auto-labelling configured at rest in SharePoint and OneDrive. Auto-labelling requires E5 / E5 Compliance and a configuration step that is rarely completed.
  • Approximately 5% of audited tenants have a documented Information Protection program with quarterly review of label adoption, DLP outcomes, and exception management.

The headline: most AU mid-market tenants have an Information Protection program on paper that does not protect information in practice. The Privacy Act standard has hardened to the point where this gap is material.

What good looks like

Label taxonomy and adoption

Four to five labels (Public, Internal, Confidential, Highly Confidential, Restricted). Encryption configured on Confidential and above with usage rights restricting external sharing. Mandatory labelling enabled in Word, Excel, PowerPoint and Outlook so users cannot save or send without choosing a label. Adoption tracked via Purview Activity Explorer with a target above 60% on new documents. Auto-labelling closing the remaining gap on detectable sensitive content (TFN, ABN, Australia Driver's Licence, Medicare, healthcare identifiers).
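The auto-labelling piece of this tier, as an added example (not Frontrow's script): a Purview auto-labelling policy that applies a label at rest in SharePoint and OneDrive when built-in Australian sensitive information types are detected, started in simulation so adoption figures can be checked before it goes live. It assumes a published label named "Confidential", the ExchangeOnlineManagement module, and the built-in SIT names shown.

```powershell
# Added example, not from the original guide. Assumes a published sensitivity label
# named "Confidential" and a Security & Compliance PowerShell session.
Connect-IPPSSession

$policyName = "Auto-label AU personal identifiers"

# Policy starts in simulation (TestWithoutNotifications) so results can be reviewed first.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation All -OneDriveLocation All `
    -ApplySensitivityLabel "Confidential" `
    -Mode TestWithoutNotifications `
    -Comment "Closes the manual labelling gap on TFN/ABN/Medicare content"

# Built-in Australian sensitive information types; a single match is enough to label.
$auSits = @(
    @{ Name = "Australia Tax File Number";        minCount = "1" },
    @{ Name = "Australia Business Number";        minCount = "1" },
    @{ Name = "Australia Medical Account Number"; minCount = "1" },
    @{ Name = "Australia Driver's License Number"; minCount = "1" }
)

New-AutoSensitivityLabelRule -Policy $policyName -Name "AU identifiers at rest" `
    -ContentContainsSensitiveInformation $auSits `
    -Workload SharePoint, OneDriveForBusiness

# Report: which auto-labelling policies are still simulating rather than enforcing.
Get-AutoSensitivityLabelPolicy | Select-Object Name, Mode, ApplySensitivityLabel

# Once simulation results have been reviewed in the Purview portal, switch the policy on:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```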

Container labels

Container labels enabled at the tenant level (a PowerShell step that most tenants haven't completed). Labels assigned to existing SharePoint sites by sensitivity tier. New site creation requires container label selection. Container labels constrain the external sharing setting, default site privacy, default permissions and unmanaged-device download — meaning a Confidential-labelled site cannot be shared externally and cannot be downloaded to a personal iPad regardless of the user's intent.
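The tenant-level enablement step referred to above, as an added example (not Frontrow's script): it turns on the EnableMIPLabels directory setting for Microsoft 365 Groups via Microsoft Graph PowerShell, verifies the change, and then syncs the label definitions to Entra ID from Security & Compliance PowerShell. It assumes the Microsoft.Graph.Beta.Identity.DirectoryManagement and ExchangeOnlineManagement modules are installed and that the signed-in account can write directory settings and manage labels.

```powershell
# Added example, not from the original guide. Assumes the Microsoft.Graph.Beta and
# ExchangeOnlineManagement modules and an account permitted to write directory settings.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

# Tenant-wide unified group settings; create them from the Group.Unified template if absent.
$groupSettings = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $groupSettings) {
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $body = @{
        templateId = $template.Id
        values     = @($template.Values | ForEach-Object { @{ name = $_.Name; value = $_.DefaultValue } })
    }
    $groupSettings = New-MgBetaDirectorySetting -BodyParameter $body
}

# Flip EnableMIPLabels to True: this is the step that lets labels be applied to sites and groups.
$values = $groupSettings.Values
($values | Where-Object { $_.Name -eq "EnableMIPLabels" }).Value = "True"
Update-MgBetaDirectorySetting -DirectorySettingId $groupSettings.Id -Values $values

# Verify the setting actually changed before relying on it.
$check = (Get-MgBetaDirectorySetting -DirectorySettingId $groupSettings.Id).Values |
    Where-Object { $_.Name -eq "EnableMIPLabels" }
if ($check.Value -ne "True") { throw "EnableMIPLabels is still '$($check.Value)'" }

# Sync published sensitivity labels into Entra ID so they are offered at site/group creation.
Connect-IPPSSession
Execute-AzureAdLabelSync

# Audit: labels that are published for files/email but not yet scoped to sites and groups.
Get-Label | Where-Object { $_.ContentType -notmatch "UnifiedGroup" } |
    Select-Object DisplayName, ContentType
```

The last query is the quick check for the gap the guide describes: a taxonomy that exists at file level only.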

DLP enforcement

DLP policies covering Exchange, SharePoint, OneDrive, Teams and (where E5 / E5 Compliance is licensed) Endpoint and Defender for Cloud Apps DLP. Policies tied to label conditions ("contains content labelled Confidential and shared externally") rather than raw content matching, because label-conditioned DLP is more accurate and produces fewer false positives. Tiered enforcement: enforce-with-override for most policies (user can override with justification, override is logged), enforce-without-override for the highest-sensitivity policies (PCI, healthcare identifier, board content). Triage queue staffed.
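The label-conditioned, tiered enforcement described above, as an added example (not Frontrow's code): one DLP policy across Exchange, SharePoint, OneDrive and Teams with an enforce-with-override rule for "Confidential" and an enforce-without-override rule for "Highly Confidential", created in test mode and then switched to enforcement once the triage queue has reviewed the matches. It assumes those two label names exist and that the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not from the original guide. Assumes labels named "Confidential" and
# "Highly Confidential" and a Security & Compliance PowerShell session.
Connect-IPPSSession

$policyName = "Labelled content shared externally"

# Start in test mode so the triage queue sees what would fire before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Helper: the condition structure DLP rules expect for a sensitivity-label match.
function New-LabelCondition([string]$LabelName) {
    @{ operator = "And"; groups = @(
        @{ operator = "Or"; name = "Default"; labels = @(@{ name = $LabelName; type = "Sensitivity" }) }
    ) }
}

# Tier 1: Confidential shared outside the org -> block, override allowed with a logged justification.
New-DlpComplianceRule -Policy $policyName -Name "Confidential external - override with justification" `
    -ContentContainsSensitiveInformation (New-LabelCondition "Confidential") `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# Tier 2: Highly Confidential shared outside the org -> block, no override.
New-DlpComplianceRule -Policy $policyName -Name "Highly Confidential external - no override" `
    -ContentContainsSensitiveInformation (New-LabelCondition "Highly Confidential") `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# After the test-mode matches have been triaged, move the policy into enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Check for the audit-only pattern the guide describes: policies still in either test mode.
Get-DlpCompliancePolicy | Where-Object { $_.Mode -like "Test*" } | Select-Object Name, Mode
```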

Privacy Act 2026 alignment

An evidence pack for the board and the regulator. Quarterly: label adoption rate, DLP incidents triaged, mean time to triage, exception register, container label coverage of sites holding personal information, retention policy alignment with NDB scheme assessment requirements. The evidence pack is what turns 'we have controls' into 'we can demonstrate the controls are reasonable'.

Try it

Score your Information Protection stack maturity

The IP Stack Maturity Check scores file labels, container labels, DLP, auto-labelling and the Copilot data boundary against Privacy Act 2026 expectations.

10 questions · 5 domains

Information Protection Stack Maturity Check

Sensitivity labels alone don't protect data. The stack is labels (file + container) + DLP + auto-labelling + the SharePoint/Copilot data boundary. Score where you sit across all five — and where Privacy Act 2026 expects you to be. Pick the option closest to your tenant today.

Domain 1

Sensitivity labels (file-level)

Whether sensitivity labels are deployed, used by humans, and enforced where required.

  • Do you have a published sensitivity label taxonomy in use?

    Source: Microsoft Learn: Get started with sensitivity labels.

  • What percentage of new documents are labelled (per Purview Activity Explorer)?

    Source: Microsoft Learn: Activity explorer in Microsoft Purview.

Domain 2

Container labels (Sites, Teams, Groups)

Whether SharePoint sites, Microsoft 365 Groups and Teams have sensitivity labels applied at the container level — controlling membership, sharing and unmanaged-device access.

  • What proportion of SharePoint sites have a container sensitivity label applied?

    Source: Microsoft Learn: Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups and SharePoint sites.

  • Do your container labels actually constrain external sharing and unmanaged-device access?

    Source: Microsoft Learn: Configure sensitivity labels for SharePoint sites; Block download from SharePoint sites for unmanaged devices.

Domain 3

Data Loss Prevention

Whether DLP policies cover Exchange, SharePoint, OneDrive, Teams and endpoint, are out of audit-only mode, and are tied to label conditions where appropriate.

  • Which workloads do your DLP policies cover?

    Source: Microsoft Learn: Microsoft Purview Data Loss Prevention; Get started with Endpoint DLP.

  • What mode are your DLP policies in?

    Source: Microsoft Learn: Plan a Data Loss Prevention deployment.

Domain 4

Auto-labelling

Whether sensitive content is auto-labelled at rest in SharePoint and OneDrive, and at send-time in Exchange, using built-in or trainable classifiers.

  • Is auto-labelling enabled for content at rest in SharePoint and OneDrive?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically.

  • Is auto-labelling enabled for outbound email in Exchange Online?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically; Exchange Online client-side and service-side labelling.

Domain 5

SharePoint search and Copilot data boundary

Whether Restricted SharePoint Search is configured, oversharing is detected, and the Copilot data boundary respects sensitivity labels.

  • Have you assessed SharePoint oversharing in the context of Microsoft 365 Copilot?

    Source: Microsoft Learn: Restricted SharePoint search; Microsoft 365 Copilot data security and compliance.

  • Does the Copilot data boundary in your tenant respect sensitivity labels for grounding and citations?

    Source: Microsoft Learn: Microsoft 365 Copilot data security and compliance; Sensitivity labels and Microsoft 365 Copilot.

This is an indicative self-assessment. It is not a substitute for a tenant-level Information Protection review. For verified results Frontrow Technology offers an in-tenant IP stack assessment with Purview audit data.

How Frontrow runs this as a managed program

Information Protection is a continuously evolving program rather than a project. Frontrow's Managed Identity & Information Protection service runs a quarterly review of label taxonomy, adoption rates and DLP outcomes. Auto-labelling policies are tuned monthly. Container labels are applied to net-new sites by default. Restricted SharePoint Search is managed with documented exit-plan tracking where deployed. The Copilot data boundary is verified against label inheritance. The output is a Privacy Act 2026 alignment evidence pack for the board and a monthly delta report for the IT lead.

If your tenant's Information Protection program is closer to the four-percent number than to the contemporary baseline, that's the engagement. Email Frontrow at info@frontrow.email.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.