At Makerble, protecting personal information is built into how we design and operate our platform. This article is a guide for Australian organisations using Makerble who need to understand how the platform supports compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Please note: This article provides general guidance only and is not legal advice. The Privacy Act and its reforms are evolving. For legal advice specific to your organisation, consult a qualified Australian privacy lawyer or the Office of the Australian Information Commissioner (OAIC). For questions about Makerble's practices, contact data.security@makerble.com.
Does the Privacy Act apply to your organisation?
The Privacy Act 1988 applies to private sector organisations, and also to nonprofits and charities, in the following scenarios:
- Your organisation has an annual turnover above AUD $3 million
- Your organisation provides health services (regardless of turnover)
- Your organisation holds personal information under a Commonwealth government contract
- Your organisation trades in personal information
Organisations below the $3 million threshold that do not fall into these categories may currently be exempt, but this is under active review. Proposed reforms in a forthcoming second tranche of legislation are expected to remove the small business exemption. Organisations that are currently exempt are encouraged to begin privacy compliance preparations now. Additionally, the tort of serious invasion of privacy, which was introduced in December 2024, applies more broadly.
What are the Australian Privacy Principles?
The 13 APPs govern every stage of how personal information is handled. The principles most directly relevant to Makerble users are as follows:
- APP 1: Open and transparent management of personal information: you must have a clearly expressed, up-to-date privacy policy.
- APP 3: Collection of solicited personal information: collect only what is reasonably necessary for your functions.
- APP 5: Notification of the collection of personal information: individuals must be notified of why their information is being collected and how it will be used.
- APP 8: Cross-border disclosure of personal information: when disclosing personal information to overseas recipients, you must take reasonable steps to ensure it will be adequately protected.
- APP 11: Security of personal information: you must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access.
- APP 12 & 13: Access and correction: individuals have the right to access and correct their personal information.
1. Data security and encryption
Makerble's security measures support your obligations under APP 11.
At rest: All data stored within Makerble is encrypted using AES encryption.
In transit: All data transmitted between users and Makerble is encrypted using SSL/TLS technology.
Additional security measures include Cloudflare and Wazuh firewall protection, Grafana and Loki for real-time monitoring and logging, and internal VPNs for secure system access. Makerble conducts security audits every six months, covering access controls, encryption standards, incident response readiness and physical security.
The 2024 reforms explicitly require organisations to take "reasonable steps" to protect personal information, including technical and organisational measures such as encryption, access controls and breach response protocols. Makerble's infrastructure is designed to support these requirements.
2. Access controls
Makerble restricts platform access through:
Two-Factor Authentication (2FA): Available for all user accounts.
Role-based access controls: Administrators can limit which team members can access which data within the platform.
These measures support your APP 11 obligations and your organisation's broader duty to protect personal information from unauthorised access.
3. Cross-border disclosure (APP 8)
Makerble is hosted on Microsoft Azure in Ireland (EU). When your organisation uses Makerble, personal information is stored and processed in the European Union.
Under APP 8, before disclosing personal information to an overseas recipient, your organisation must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. The EU is subject to the GDPR (General Data Protection Regulation), which is widely regarded as one of the strongest data protection frameworks in the world and a standard that is comparable to or stronger than the APPs. Australia's 2024 reforms also introduced an international data transfer "whitelist" of countries with comparable privacy protections, further clarifying acceptable cross-border flows.
We recommend that your organisation:
- Documents Makerble's EU-hosted infrastructure in your privacy policy
- References the GDPR standard as the basis for the cross-border transfer
- Includes Makerble in any privacy impact assessments relating to your data processing activities
4. Breach notification: Notifiable Data Breaches scheme
Australia's Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify the OAIC and affected individuals when an eligible data breach occurs, i.e., when a breach is likely to result in serious harm to the individuals whose information is involved.
Makerble has an incident response process in place to detect and respond to security incidents promptly. In the event of a breach affecting your organisation's data, we will notify you promptly with the information you need to assess your notification obligations under the NDB scheme.
5. Data subject rights: access and correction
Under APPs 12 and 13, individuals have the right to access and correct their personal information. As the organisation collecting and holding data, you are responsible for responding to these requests.
Makerble supports this through:
- Contact record management: Administrators can locate, view, edit and delete individual contact records within the platform
- Data export: All contact and survey data can be exported in CSV format, enabling you to respond to access requests efficiently
What your organisation needs to do
To use Makerble in compliance with the Privacy Act and APPs:
- Confirm whether the Act applies to your organisation based on turnover, service type, and funding arrangements
- Update your privacy policy to name Makerble as a data processor and describe the cross-border transfer to EU-hosted infrastructure
- Notify individuals at the point of collection (APP 5) of why their information is being collected, how it will be used, and that it is processed on a platform hosted in the EU
- Collect only what you need (APP 3) - configure Makerble's forms to capture only the information necessary for your programme delivery
- Respond to access and correction requests using Makerble's contact management tools
- Prepare a data breach response plan that includes Makerble in the notification chain
For questions about Makerble's security and data practices, contact data.security@makerble.com. For guidance on the Privacy Act, visit the Office of the Australian Information Commissioner.