The Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles (APPs) that govern how organisations collect, use, store, and disclose personal information. If your business has an annual turnover of $3 million or more, or if you are a health service provider, government agency, or certain other entity types, you are bound by the Privacy Act.
When you use an eSignature platform, personal information flows in both directions: you collect data from signers (names, emails, signatures), and your eSignature provider collects data about the signing process (IP addresses, timestamps, device information). Both you and your provider have obligations under the APPs.
2024 Privacy Act Reforms
The Australian Government has been progressively implementing reforms from the Privacy Act Review. These include stronger enforcement powers, a statutory tort for serious invasions of privacy, and new requirements around automated decision-making. Stay informed about changes that may affect your eSignature practices.
Have a clear, up-to-date privacy policy that explains how you handle personal information collected through eSignatures.
Only collect personal information that is reasonably necessary. For eSignatures, this includes names, emails, and signing metadata.
Tell signers what data you are collecting, why you are collecting it, and who will have access. A clear signing invitation email covers this.
Only use signing data for the purpose it was collected. Do not use signer emails for marketing unless you have separate consent.
If your eSignature platform stores data overseas, you are responsible for ensuring the overseas entity complies with the APPs.
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. Encryption and access controls are essential.
APP 8 states that before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure they will not breach the APPs. If they do breach, you are liable -- as if you had committed the breach yourself.
Many popular eSignature platforms store data in the United States or Europe. While this is not prohibited, it creates compliance complexity. You need to verify the provider's data handling practices, understand the applicable foreign laws (such as the US CLOUD Act), and be prepared to demonstrate compliance to the OAIC if questioned.
When your eSignature data stays in Australia, APP 8 cross-border disclosure obligations do not apply. This is the simplest path to compliance.
All data -- documents, signatures, metadata, and audit trails -- is stored in Google Cloud's australia-southeast1 (Sydney) region. Nothing leaves Australia.
All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Signing tokens are single-use and time-limited.
Role-based access ensures only authorised users can view documents. Recipients only see their assigned fields.
Every action is logged with timestamp, IP address, and geolocation. Audit trails cannot be modified after creation.
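The two controls above, single-use time-limited signing tokens and an audit trail that cannot be altered after the fact, can be demonstrated in code. The block below is an added example and is not the provider's code: the service and function names, the default 24-hour token lifetime, the hashed token table and the hash-chained audit log are all assumptions about how such controls might be built, since the page does not describe its implementation.

```python
"""Single-use, time-limited signing tokens plus a tamper-evident audit trail.

Added illustration, not the eSignature provider's code. The names, the
24 h default lifetime and the hash-chained audit log are assumptions.
"""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    envelope_id: str
    recipient: str
    expires_at: float
    used_at: Optional[float] = None  # set on first successful redemption


class SigningTokenService:
    def __init__(self, ttl_seconds: int = 24 * 3600,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        # Keyed by SHA-256 of the token: a copy of this table cannot be replayed.
        self._records: Dict[str, TokenRecord] = {}
        self.audit: List[dict] = []

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, envelope_id: str, recipient: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(
            envelope_id, recipient, self._clock() + self._ttl)
        self._log("token_issued", envelope_id, recipient, ip=None)
        return token

    def redeem(self, token: str, client_ip: str) -> Tuple[bool, str]:
        """Accept a token at most once and only before it expires."""
        rec = self._records.get(self._digest(token))
        now = self._clock()
        if rec is None:
            self._log("token_rejected", None, None, ip=client_ip, reason="unknown")
            return False, "unknown"
        if rec.used_at is not None:
            reason = "already_used"
        elif now > rec.expires_at:
            reason = "expired"
        else:
            rec.used_at = now  # burn the token before reporting success
            self._log("token_accepted", rec.envelope_id, rec.recipient, ip=client_ip)
            return True, "ok"
        self._log("token_rejected", rec.envelope_id, rec.recipient,
                  ip=client_ip, reason=reason)
        return False, reason

    def _log(self, event: str, envelope_id: Optional[str], recipient: Optional[str],
             ip: Optional[str], reason: Optional[str] = None) -> None:
        # Each entry commits to the previous entry's hash, so editing or
        # deleting an earlier record breaks every hash after it.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "event": event, "envelope_id": envelope_id,
                 "recipient": recipient, "ip": ip, "reason": reason,
                 "ts": self._clock(), "prev": prev}
        entry["hash"] = self._entry_hash(entry)
        self.audit.append(entry)

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_audit(self) -> bool:
        """Return True only if every entry still chains to its predecessor."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            if (entry["seq"] != i or entry["prev"] != prev
                    or self._entry_hash(entry) != entry["hash"]):
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    svc = SigningTokenService(ttl_seconds=60)
    tok = svc.issue("env-001", "signer@example.com")  # constructed sample values
    print(svc.redeem(tok, "203.0.113.5"))   # (True, 'ok')
    print(svc.redeem(tok, "203.0.113.5"))   # (False, 'already_used')
    print(svc.verify_audit())               # True
```

The token itself is never stored, only its SHA-256 digest, and it is marked used before success is returned so a second request with the same link fails closed. The `clock` parameter exists so expiry can be exercised without waiting; in production the default `time.time` is used.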
We collect only what is necessary for the signing process. No behavioural tracking, no advertising profiles, no data selling.