Finance
Human Resources
Technology
Australian business

APP 8 and Offshore Bookkeeping

A padlock overlaid on a map of Australia and Southeast Asia, representing cross-border data protection obligations for Australian businesses.
Scale Suite manages finance and HR for growing Australian businesses. Drop the team a message here →

The maximum civil penalty for a serious interference with privacy in Australia now runs to the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover. Most business owners have never read Australian Privacy Principle 8, yet the moment a bookkeeping provider routes your payroll file through an offshore team, APP 8 is the rule that governs what happens next. This guide explains what the law actually requires, the difference between a compliant offshore model and a risky one, and the questions to ask any provider before your data leaves the country.

Published: July 2026


What Is APP 8?

APP 8 is one of the 13 Australian Privacy Principles in the Privacy Act 1988. It deals with cross-border disclosure of personal information. In plain terms: before an Australian entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that recipient will handle the information in line with the Australian Privacy Principles.

The principle is backed by an accountability rule in section 16C of the Act. If the overseas recipient mishandles the information, the Australian entity that disclosed it is treated as having committed the breach itself. You cannot outsource the data and outsource the responsibility with it. The liability stays onshore, with the business that sent the information out.

That accountability rule is the reason APP 8 matters commercially and not just legally. When a business hands its books to a provider, and that provider hands the data to an offshore team, someone in that chain carries Australian legal responsibility for what happens to it. A well-designed offshore model makes it clear exactly who that is and how the risk is controlled. A poorly designed one leaves the business owner exposed without knowing it. For how supervised offshore capacity is used commercially, see hiring offshore finance staff and compare delivery models against embedded finance teams. The OAIC APP guidelines remain the primary instrument.


Does the Privacy Act Even Apply to Your Business?

This is where most owners get incomplete advice, so it is worth being precise.

The Privacy Act contains a small business exemption. Businesses with an annual turnover of $3 million or less are generally not covered by the Australian Privacy Principles. On a quick read, that sounds like a free pass. It is not, for four reasons.

First, the exemption has carve-outs. Health service providers, businesses that trade in personal information, credit reporting participants and Commonwealth contracted service providers are covered regardless of turnover.

Second, tax file numbers are protected separately and universally. The Privacy (Tax File Number) Rule 2015 applies to every entity that receives a TFN, with no turnover threshold. Unauthorised use or disclosure of a TFN is both an interference with privacy and a criminal offence under taxation law. Every payroll file contains TFNs. The moment payroll is involved, the size of your business stops being a defence.

Third, the exemption belongs to you, not to your provider. A bookkeeping or outsourced finance provider with turnover above $3 million is a fully covered APP entity in its own right. Its handling of your data, including any offshore transfer, is regulated even if yours is not.

Fourth, the exemption is on borrowed time. The Australian Government has agreed in principle to remove the small business exemption as part of the current privacy reform program, and the first tranche of reforms has already passed. The direction of travel is one way. Building your data practices around an exemption that is scheduled for removal is planning to fail.

There is one more exemption worth addressing directly, because it gets misquoted: the employee records exemption. An employer’s handling of its own employee records, in connection with the employment relationship, is largely exempt from the APPs. But that exemption covers the employer’s own acts. It does not travel with the data to a third-party provider. When an outsourced bookkeeping team processes your employees’ names, addresses, dates of birth, TFNs, bank details and pay history, the provider is not the employer, and the exemption does not shield the provider’s handling. Anyone who tells you employee data is exempt end to end has not read section 7B closely enough.


Use vs Disclosure: The Distinction That Decides Everything

APP 8 regulates disclosure to an overseas recipient. Under the OAIC’s guidelines, not every offshore access event is a disclosure. The analysis turns on control.

If a provider hands your data to a separate overseas company to hold and process on its own systems, that is a disclosure. APP 8 applies in full, and the accountability rule in section 16C sits behind it.

If, instead, offshore staff access data that remains inside Australian-controlled systems, where the Australian entity retains effective control over the information at all times, the OAIC’s guidance treats this as closer to a use of the information rather than a disclosure. The data does not change hands. The offshore team works inside the tent rather than receiving a copy to take away.

This distinction is the architectural heart of a well-built offshore delivery model, and it produces a simple test any business owner can apply: does your data ever leave systems controlled from Australia? In a strong model, offshore analysts log into the Australian entity’s cloud accounting file, document management and payroll systems under individually named accounts, with no local downloads, no email attachments of source data and no copies sitting on overseas servers. In a weak model, files are exported and sent to an offshore processing centre that stores them on its own infrastructure, and the Australian client has no visibility of where the data physically sits.

Both models can be made lawful. Only one of them keeps the risk architecture simple.


Worked comparison: two providers, same price band

Provider A charges $2,800 a month for bookkeeping and payroll. Offshore staff receive weekly CSV exports of payroll and bank data by email, process them in local spreadsheets, and email journals back to Australia. Client TFNs and bank details sit in overseas mailboxes and on local drives. There is no named access log on the client’s systems.

Provider B charges $3,200 a month. Offshore CPA analysts log into the client’s Xero and payroll platform under named MFA accounts, never export source files, and work under documented APP-aligned contracts with CA review in Sydney. Access is revoked the day someone leaves.

The fee gap is $400 a month, or $4,800 a year. One serious privacy incident under Provider A’s model can exceed that gap by orders of magnitude once legal costs, notification, remediation and customer trust are counted. Judge architecture, not the map and not the lowest monthly fee. For fee context, see the cost of bookkeeping in Australia and the bookkeeper pricing guide.


What APP 8 Requires When Disclosure Does Occur

Where a transfer is a disclosure, the entity has three main pathways.

The default pathway is reasonable steps: before disclosing, take reasonable steps to ensure the overseas recipient does not breach the APPs. In practice, this means binding contractual terms that require APP-equivalent handling, plus the practical measures that make the contract real: access controls, security standards, training, audit rights and breach notification obligations flowing back to Australia. A contract nobody enforces is not a reasonable step; a contract embedded in an operating model is.

The second pathway is the substantially similar law exception. If the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the APPs, and the individual can actually enforce that protection, APP 8.1 does not apply. Very few destinations satisfy this cleanly, and relying on it requires a considered legal position, not an assumption.

The third pathway is informed consent: the individual consents to the disclosure after being expressly told that the APP 8.1 protection will not apply. For employee payroll data, this pathway is weaker than it looks. Consent must be informed, voluntary, current and specific, and consent extracted as a condition of getting paid sits on shaky ground. Providers that wave a consent clause buried in an engagement letter as their entire APP 8 strategy are running the thinnest version of compliance available.

The practical conclusion for business owners: a provider whose answer to APP 8 is “our clients consent” is doing the minimum. A provider whose answer is “the data never leaves Australian-controlled systems, offshore access is contractually bound to APP standards, and here is how we monitor it” is doing the job properly.


What a Compliant Offshore Model Looks Like

Having built and operated a supervised offshore finance team, here is what the control set looks like when it is done seriously. Use this as a benchmark for any provider, including us.

  • Data residency by design. Client records stay in the Australian entity’s cloud systems. Offshore staff access them; they do not receive them. No local storage, no exports of source files, no personal email, no USB pathways.
  • Named individual access. Every offshore team member logs in under their own identity with multi-factor authentication. Shared logins make audit trails fiction.
  • Least-privilege permissions. A payroll analyst sees the payroll files of the clients they serve, nothing else. Access maps to task, not to convenience.
  • Contractual APP obligations. Employment and services agreements bind offshore staff to Australian Privacy Principle standards, confidentiality and TFN Rule handling, with consequences that are enforceable in practice.
  • TFN-specific controls. TFNs are masked or restricted wherever the task does not require them, and never stored outside the payroll system of record.
  • Exit procedures. Access is revoked on the day a team member leaves, with a checklist, not an intention.
  • A tested breach response. A written plan covering containment, assessment against the Notifiable Data Breaches scheme, and notification to affected clients within defined timeframes.

At Scale Suite, our Philippines-based CPA analysts work under exactly this architecture, with CA-qualified oversight in Sydney and BAS agent supervision on every lodgement. The point is not that offshore delivery is risky. It is that offshore delivery is a design problem, and the design is either visible and documented or it is not. Related control themes also appear in internal controls for small business and in how you evaluate any complete guide to outsourcing bookkeeping in Australia.


The Notifiable Data Breaches Scheme Still Applies

If personal information is involved in a breach that is likely to result in serious harm, the Notifiable Data Breaches scheme requires covered entities to assess suspected breaches within 30 days and notify both the OAIC and affected individuals when the threshold is met. A breach that happens on an offshore contractor’s watch does not sit outside the scheme; through the accountability rule, it lands with the Australian entity that disclosed the data.

For a business owner, the operational takeaway is simple: your provider’s breach plan is part of your breach plan. Ask to see it before you need it. Thirty days sounds generous until day three of a live incident when nobody can say which payroll extracts left the building.


Decision Framework: Keep Onshore, Use Access Model, or Accept Disclosure

Keep fully onshore when the data set is unusually sensitive, your board or customers require Australian residency, or your provider cannot evidence controls. Price the premium against risk appetite.

Prefer access-without-export when you want offshore capacity economics with simpler risk architecture. This is the default for most SMEs buying embedded bookkeeping and payroll support.

Accept full disclosure offshore only with binding APP-equivalent contracts, audit rights, insurance, breach flow-back, and a clear Australian responsible entity. Budget for real oversight, not a brochure clause.

Use the hire vs outsource calculator for cost structure, then apply this privacy test before you sign.


Nine Questions to Ask Any Provider Using Offshore Staff

  1. Where is my data physically stored, and does any copy ever sit on overseas infrastructure?
  2. Do offshore team members access my systems directly, or are files exported and sent to them?
  3. Are offshore staff employed and contractually bound to Australian Privacy Principle standards, including the TFN Rule?
  4. Is every login individually named with multi-factor authentication, and is access logged?
  5. Who in Australia supervises the offshore work, and what is their professional accountability?
  6. What happens to access when an offshore team member resigns or is terminated?
  7. What is your documented breach response plan, and when was it last tested?
  8. Do you carry cyber insurance that covers offshore delivery?
  9. If something goes wrong offshore, who is legally responsible to me here in Australia?

A provider with a mature model will answer all nine without flinching. Hesitation on questions one, two and nine tells you the architecture was never designed, only assembled.


Related resources and next reading


FAQ

Is it legal for an Australian bookkeeper to send my data to an offshore team?
Yes, when it is done in line with the Privacy Act. The provider must either keep the data inside Australian-controlled systems that offshore staff access under supervision, or comply with APP 8’s requirements for cross-border disclosure, most commonly by taking reasonable steps to bind the overseas recipient to Australian privacy standards. The legality depends entirely on how the model is built.

Does the Privacy Act apply to small businesses with turnover under $3 million?
Generally the APPs do not apply to businesses under the $3 million threshold, but the exceptions matter: TFN handling is regulated for every entity regardless of size, health providers and data traders are covered, and your provider is likely a covered entity even if you are not. The government has also agreed in principle to remove the small business exemption.

What is APP 8 in simple terms?
Before sending personal information overseas, take reasonable steps to make sure the overseas recipient will protect it to Australian standards. If they mishandle it anyway, the Australian sender is on the hook as if it breached the rules itself.

Are employee records exempt from the Privacy Act?
Only in the employer’s own hands, and only in connection with the employment relationship. The exemption does not extend to an outsourced provider processing that data, and it never displaces the TFN Rule.

Do offshore bookkeeping staff see tax file numbers?
In payroll work, some level of TFN access is often unavoidable, which is why the TFN Rule applies to every entity that receives one. A well-run provider restricts TFN visibility to the tasks that require it, keeps TFNs inside the payroll system of record and prohibits any storage outside it.

Who is liable if an offshore team member misuses my data?
Under section 16C, the Australian entity that disclosed the information is treated as responsible for the overseas recipient’s breach. Contract terms then determine how liability is shared between you and your provider, which is why the provider’s own accountability and insurance matter.

Do I need my employees’ consent to have payroll processed offshore?
Consent is one lawful pathway, but it is the weakest one for employment data because consent must be informed, voluntary and current. The stronger approach does not depend on consent at all: keep the data under Australian control and bind offshore access to APP standards. Transparency with your team remains good practice either way.

What should happen if there is a data breach involving an offshore provider?
Containment first, then an assessment against the Notifiable Data Breaches scheme within 30 days. If the breach is likely to cause serious harm, the OAIC and affected individuals must be notified. Your provider’s contract should oblige them to tell you immediately, not after they have finished investigating.

Is offshore bookkeeping less safe than onshore bookkeeping?
Location is a weaker predictor of risk than architecture. An onshore bookkeeper emailing spreadsheets to a personal laptop is a bigger exposure than an offshore analyst working inside a locked-down, logged, Australian-controlled system. Judge the controls, not the map.

What is the single best control when using offshore staff?
Keep personal information inside Australian-controlled systems and grant named, least-privilege access rather than exporting files. Pair that with contractual APP standards, MFA, exit revocation and a tested breach plan.


About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance teams and fractional CFO services for Australian SMEs. We deliver weekly bookkeeping, payroll, BAS/IAS lodgement, cashflow reporting, management accounts, and strategic fractional CFO oversight, all as a fully embedded team that works inside your business.

CA-qualified, Xero Certified, and registered BAS Agents, we replace fragmented bookkeepers and once-a-year accountants with one responsive finance function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Visit Scale Suite | View Our Finance Services | View Our HR Services | Get Your Free Proposal


Disclaimer

We review and check this guide periodically. At the time of writing (July 2026), all information was current. Scale Suite is a registered BAS Agent, not a licensed tax advisor or financial advisor. This content is general information only and does not constitute professional tax, financial, or legal advice. Some details may change over time.


Sources

  • Privacy Act 1988 (Cth), Australian Privacy Principle 8 and section 16C (https://www.legislation.gov.au/C2004A03712/latest)
  • Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines, Chapter 8: Cross-border disclosure of personal information (https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information)
  • Office of the Australian Information Commissioner, Notifiable Data Breaches scheme guidance (https://www.oaic.gov.au/privacy/notifiable-data-breaches)
  • Privacy (Tax File Number) Rule 2015 (https://www.legislation.gov.au)
  • Attorney-General’s Department, Privacy Act Review Report and Australian Government Response (https://www.ag.gov.au)
  • Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (https://www.legislation.gov.au)

About Scale Suite

Scale Suite is a Sydney-based provider of outsourced finance and HR services for Australian SMEs. We deliver bookkeeping, financial reporting, payroll processing, fractional CFO support, recruitment, employee onboarding, people and culture support, and fractional HR oversight, all as a fully embedded team that works inside your business.

Employment Hero Gold Partner, CA-qualified, and Xero Certified, we replace fragmented finance and HR processes with one responsive, senior-level function at a fraction of the cost of full-time hires. We serve growing businesses across Sydney, Melbourne, Brisbane, and Perth, with packages starting from $1,500 per month and no lock-in contracts.

Contact us

Book Your Free Assessment

30 minutes with our team.

We'll review your current finance setup, compare the full cost of an internal hire against our embedded team, and show you exactly what your finance function should cost at your stage of growth.

You'll leave with a clear view of what's working, what's missing, and where you'd save.

No lock-in contracts. 30-day money-back guarantee.

Prefer to book directly?
Grab a time here.

Thanks, you're in. Grab a time below.
Pick a 30-min slot that works and we'll see you there.

Prefer us to call you? We'll reach out with the details you've provided.
Oops! Something went wrong while submitting the form.
"A collage of five people in circular frames: a woman smiling by a blue door, a young man in an apron, a man in a shirt near shelves, a woman with long hair in an office, and a man in profile view."

Book your free 30-minute strategy call now

Schedule My Call