The Australian Data Privacy Checklist


Safeguarding Data Privacy

Australian professional services firms operate on trust. Your clients share sensitive financial, legal, and personal information with you — and they expect you to protect it. Hiring an offshore team member doesn't create a new risk. It just means the controls you should already have in place need to be documented and enforced before day one.

This is the checklist we walk every Tarino client through. It's practical, not paranoid.

  1. Legal and contractual protections

Before you think about tools or technology, get the legal foundation right. Your contractor agreement needs to do more than cover scope and pay — it needs to create clear, enforceable obligations around how client data is handled.

At a minimum, include:

  • Confidentiality and non-disclosure obligations

  • Permitted use of systems and data (and what's explicitly prohibited)

  • Prohibition on unauthorised sharing, screenshots, downloads, or third-party access

  • Immediate notification requirements if a breach or suspected breach occurs

  • Return or deletion of data and materials at end of engagement

From a compliance standpoint, the Philippines operates under the Data Privacy Act of 2012, which creates meaningful obligations around personal information handling. From the Australian side, APP 8 of the Privacy Act 1988 requires 'reasonable steps' before disclosing personal information overseas. The controls above are designed to meet that standard.

If you don't have a contractor agreement template, ask us - we can point you in the right direction.

  2. Use enterprise-grade tools with permission controls

Work inside platforms where you control access, not the other way around.

Recommended tools:

  • Microsoft 365 (Word, Excel, Outlook, SharePoint, Teams) - permission-based access, audit logs, conditional access policies

  • Google Workspace - shared drives with folder-level permissions, admin console visibility

  • Slack or Microsoft Teams - for day-to-day communication with channel-level access controls

  • 1Password or Bitwarden for Teams - share credentials safely without sending passwords in plain text

  • Notion or Confluence - internal documentation with role-based access

Access should be on a strict need-to-know basis. Your offshore hire should only see what's required for their role - nothing more.

  3. Use a cloud desktop for sensitive roles

For roles that touch sensitive client data regularly, a cloud desktop keeps work inside a controlled environment rather than on a personal device in the Philippines.

Options worth considering:

  • Windows 365 Cloud PC - Microsoft-managed, integrates with Entra ID (Azure AD), easy to provision and revoke

  • Azure Virtual Desktop - more configurable, suits larger or more complex setups

  • Amazon WorkSpaces - strong alternative if you're already in the AWS ecosystem

  • Citrix DaaS - enterprise-grade, often used in financial services and legal

A cloud desktop lets you:

  • Block local downloads and USB transfers

  • Restrict copy/paste outside the environment

  • Centralise security monitoring and logging

  • Revoke access instantly if needed

  4. Strengthen account and device security

Simple settings that make a material difference:

  • Multi-factor authentication (MFA) on every account - no exceptions

  • Strong password policy enforced through your platform admin console

  • Automatic screen lock after 5-10 minutes of inactivity

  • Endpoint protection enabled (Microsoft Defender, Malwarebytes, or equivalent)

  • USB storage restricted where the role doesn't require it

  • Conditional access policies to restrict logins by device or location (available in Microsoft 365 Business Premium and above)

  • VPN required for access to any sensitive internal systems
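As an added example, not code from the original checklist: the "MFA on every account" and "restrict logins by location" controls above expressed as two Entra ID conditional access policies, created with the Microsoft Graph PowerShell SDK. The named-location ID and break-glass account ID are placeholders you substitute for your own tenant's values.

```powershell
# Added example (not from the original checklist). Assumes the Microsoft.Graph
# module is installed and the signed-in admin can manage conditional access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the object ID of your emergency-access (break-glass)
# account and the ID of a named location covering the offshore team's office/VPN egress.
$breakGlassAccountId = "<REPLACE-WITH-BREAK-GLASS-USER-OBJECT-ID>"
$approvedLocationId  = "<REPLACE-WITH-NAMED-LOCATION-ID>"

# Policy 1: require MFA for every user on every cloud app.
$mfaPolicy = @{
    displayName   = "Require MFA - all users"
    # Report-only first: review the sign-in log impact, then change to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block sign-ins from every location except the approved named location.
$locationPolicy = @{
    displayName   = "Block sign-in outside approved locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($approvedLocationId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create both policies and echo their IDs so they can be tracked and later switched to "enabled".
foreach ($policy in @($mfaPolicy, $locationPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
}
```

Excluding the break-glass account from both policies is what stops a misconfigured location or MFA rule from locking every administrator out of the tenant.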

  5. Background checks and identity verification

Every Tarino candidate completes identity verification and a background check via Veremark before being presented to you. For higher-sensitivity roles, additional screening is available on request.

Once hired, some clients also choose to represent offshore team members transparently in professional profiles (e.g. LinkedIn) with clear location and engagement type - this builds trust with their own clients and stakeholders.

  6. Train your team from day one

The best tools in the world don't help if your hire doesn't know how to use them correctly. We recommend a short onboarding session that covers:

  • Which platforms to use, and which to avoid

  • How to identify phishing attempts and social engineering

  • What to do if a device is lost or an account is compromised

  • How to escalate a suspected incident and who to contact

Keep it brief and practical. A one-page reference document is often more useful than a 30-slide deck.

Done properly, offshore hiring doesn't weaken your data security posture — it just requires you to be deliberate about it. The firms that do this well treat it the same way they treat any new employee: structured access, clear expectations, and a short onboarding process that sets the standard from day one.

If you're unsure where to start, ask us. We've placed staff into mortgage broking, accounting, financial planning, and legal firms — and we know what good looks like.