Most Australians who self-host data at home or in a small business are not covered by the Privacy Act 1988 in the way they assume - but some are, and the distinction matters. The Privacy Act has a small business exemption that removes most home NAS users and micro-businesses from its direct obligations. However, if you store other people's personal information, handle health data, or run a business above the threshold, you have real legal obligations regardless of whether the data lives on your NAS or in a commercial cloud. This article explains where the lines are, what they mean in practice, and what sensible data hygiene looks like regardless of your legal position.
In short: Personal home NAS use falls outside Privacy Act obligations in most cases. Small businesses under $3 million annual turnover are generally exempt unless they handle health data, provide certain services, or have opted in. Above the threshold, the Australian Privacy Principles apply regardless of where data is stored - NAS, cloud, or paper. Self-hosting does not create extra obligations, but it does mean you are responsible for your own security rather than a cloud provider.
Note: This article provides general information, not legal advice. Australian privacy law is under active reform as of 2026. Consult a privacy lawyer for specific compliance questions, particularly if you handle health information, employee data, or data belonging to a large number of individuals.
The Small Business Exemption
The Privacy Act 1988 contains a small business exemption (section 6C) that removes most small businesses from the Australian Privacy Principles. A 'small business operator' is generally an entity with annual turnover of $3 million or less. If your business falls below this threshold, the Privacy Act's core obligations do not directly apply to you.
For home NAS users storing personal data, this exemption almost always applies. A person storing their own family's data on a home NAS has no Privacy Act obligations because there is no 'business' involved at all. Privacy law applies to organisations collecting and handling other people's data in a business context, not to individuals managing their own information.
However, the exemption has important carve-outs that pull some small businesses back in:
- Health service providers: Any business providing a health service and holding health information is covered, regardless of size. A sole-practitioner GP, physio, or psychologist with a NAS holding patient records has Privacy Act obligations.
- Businesses that collect or disclose personal information for a benefit: If personal information is your product (data brokers, some marketing services), the exemption does not apply.
- Businesses related to a larger entity: If you are a subsidiary or related entity of a company above $3 million, the exemption may not apply.
- Businesses that have opted in: Some businesses voluntarily subject themselves to the Privacy Act for commercial or trust reasons.
What the Australian Privacy Principles Require
For organisations covered by the Act, the 13 Australian Privacy Principles (APPs) impose obligations across the data lifecycle. The ones most relevant to a self-hosted environment:
- APP 1 (Open and transparent management): You must have a Privacy Policy describing what personal information you collect and how you handle it. For a small business NAS operator covered by the Act, this means a published policy that people can access before giving you their data.
- APP 6 (Use or disclosure): Personal information collected for one purpose cannot generally be used for another purpose without consent.
- APP 11 (Security): You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. This is the most operationally significant APP for a self-hosted setup - it requires active security measures, not just good intentions.
- APP 12 (Access): Individuals have the right to access personal information you hold about them.
- APP 13 (Correction): Individuals can request correction of inaccurate information.
Where Self-Hosting Changes the Risk Picture
When you store other people's personal information in a commercial cloud service, the cloud provider's security infrastructure, certifications, and incident response capabilities form part of your security posture. With self-hosting, that responsibility sits entirely with you. This is not a reason to avoid self-hosting, but it is a reason to be deliberate about security measures.
For a covered entity, APP 11 requires 'reasonable steps' to protect personal information. What is reasonable depends on the sensitivity of the data and the size of the organisation. A sole-practitioner health service with a NAS holding patient records has a different 'reasonable steps' standard than a large health network. But 'reasonable' is not 'trivial' - it includes:
- Encryption at rest (most modern NAS units support this - Synology's Encrypted Shared Folder feature, QNAP's volume encryption)
- Encrypted transmission (HTTPS for any web access, VPN or Tailscale for remote access rather than plain HTTP)
- Access controls (separate user accounts with minimal permissions rather than everyone using admin credentials)
- Backup (a NAS with no backup is a single point of failure for regulated data)
- Physical security (a NAS accessible to anyone in a building is not secure)
Data Breach Notification Obligations
The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act) requires covered entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a data breach is likely to result in serious harm. Small businesses exempt from the Privacy Act are also exempt from the NDB scheme.
If you are covered, a breach notification is required when:
- There is unauthorised access to, or disclosure of, personal information you hold
- The access or disclosure would be likely to result in serious harm to affected individuals
- You have been unable to prevent the risk of serious harm through remedial action
For a self-hosted environment, a ransomware attack on a NAS holding client personal information that results in data exfiltration would trigger NDB obligations for a covered entity. An attack that encrypts data without confirmed exfiltration may or may not trigger it, depending on the circumstances. When in doubt, notify.
2026 Privacy Act Reforms
The Australian government has been progressing significant reforms to the Privacy Act. Key proposed changes relevant to small businesses and self-hosters include:
- Small business exemption review: The $3 million threshold and the exemption itself are under review. Proposed reforms may remove or significantly narrow the exemption, bringing more small businesses under the Act's obligations. As of mid-2026, this has not been legislated but remains a live policy issue.
- Direct right of action: Individuals may gain the right to sue for privacy breaches directly (currently they must complain to the OAIC first). This increases liability exposure for covered entities.
- Children's privacy: Stronger protections for children's personal information are proposed, with direct implications for businesses collecting data from minors.
The OAIC website is the authoritative source for current reform status. Any business that may currently be borderline on the small business exemption should monitor these reforms closely.
Practical Steps for Home and Small Business NAS Users
Regardless of whether you are legally covered by the Privacy Act, good data handling practices protect you and the people whose data you hold:
| Practice | What to do |
|---|---|
| Encryption at rest | Enable Synology Encrypted Shared Folder or QNAP volume encryption for folders holding third-party personal data |
| Access controls | Separate NAS user accounts per person with minimum required permissions. No shared admin credentials. |
| Remote access | Use Tailscale or a VPN rather than direct port forwarding. Avoid HTTP access to NAS from the internet. |
| Backup | Maintain at least one offsite backup of regulated data. A NAS with no offsite backup is a single point of failure. |
| Audit logging | Enable NAS access logging. Most NAS software can log file access events useful for breach investigation. |
| Retention policy | Define how long you keep personal data and delete it on schedule. Keeping data indefinitely 'in case it is useful' creates unnecessary risk. |
| Privacy policy | If covered by the Act, publish a Privacy Policy and keep it current. Free templates available from the OAIC. |
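The audit logging row above, and the earlier point that a covered entity must work out whether a NAS incident involved actual exfiltration before deciding on NDB notification, both come down to being able to read your own access logs. The following is an added example, not code from the original article or from any NAS vendor. It assumes a constructed, simplified access-log line format (one event per line with a timestamp, event type, user, source IP and path); real Synology and QNAP logs use their own formats and would need their own parser. It flags three things a breach reviewer looks for first: one account reading an unusual number of distinct files in a short window, access from addresses outside the expected LAN or Tailscale ranges, and file access performed with the admin account rather than a per-person account.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real Synology/QNAP format):
#   <ISO timestamp> <event> user=<name> ip=<addr> path=<file or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+)$"
)


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def bulk_reads(events, window=timedelta(minutes=10), threshold=10):
    """Accounts that read >= threshold distinct files inside any sliding window.

    Returns {user: largest number of distinct files seen in one window}.
    A burst like this is the usual first indicator of bulk copying.
    """
    reads = defaultdict(list)
    for ev in events:
        if ev["event"] == "read":
            reads[ev["user"]].append(ev)
    flagged = {}
    for user, evs in reads.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["path"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def external_access(events, allowed_networks):
    """Events whose source address is outside the expected LAN/tailnet ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    out = []
    for ev in events:
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            out.append(ev)  # an unparseable address is itself worth a look
            continue
        if not any(addr in n for n in nets):
            out.append(ev)
    return out


def admin_file_access(events, admin_accounts=("admin",)):
    """File reads performed with a shared admin account instead of a per-person one."""
    return [ev for ev in events if ev["user"] in admin_accounts and ev["event"] == "read"]


def review(lines, allowed_networks=("192.168.1.0/24", "100.64.0.0/10")):
    """Summarise the three indicators over a set of log lines.

    100.64.0.0/10 is the range Tailscale assigns to tailnet nodes; the LAN
    range here is an assumption for the example.
    """
    events = parse_log(lines)
    return {
        "bulk_reads": bulk_reads(events),
        "external_ips": sorted({ev["ip"] for ev in external_access(events, allowed_networks)}),
        "admin_reads": len(admin_file_access(events)),
    }


# Constructed sample log: normal use by 'alice' from the LAN and the tailnet,
# then a late-night admin login from an outside address (203.0.113.0/24 is a
# documentation range) followed by a burst of reads across client folders.
SAMPLE_LOG = [
    "2026-03-02T09:14:05 login user=alice ip=192.168.1.20 path=-",
    "2026-03-02T09:14:40 read user=alice ip=192.168.1.20 path=/clients/smith/intake.pdf",
    "2026-03-02T11:02:13 read user=alice ip=100.64.0.12 path=/clients/jones/notes.docx",
    "2026-03-02T23:41:02 login user=admin ip=203.0.113.57 path=-",
]
# Twelve distinct client files read by the admin account in under three minutes.
SAMPLE_LOG += [
    f"2026-03-02T23:{41 + i // 6:02d}:{(i * 10) % 60:02d} read user=admin "
    f"ip=203.0.113.57 path=/clients/c{i:02d}/file.pdf"
    for i in range(12)
]

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Run against the constructed sample, the review reports the admin account reading 12 distinct files in one window, a single outside address, and 12 reads performed as admin; alice's two ordinary reads are not flagged. The thresholds and address ranges are starting points to tune to your own environment, and the output is evidence for the "likely to result in serious harm" assessment rather than a verdict on its own.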
Does Australia's Privacy Act apply to a home NAS storing family photos and documents?
No. The Privacy Act applies to organisations handling other people's personal information in a business context, not to individuals managing their own data. A person storing their own family's photos, documents, and personal files on a home NAS has no Privacy Act obligations.
I run a small business with client records on a NAS. Am I covered by the Privacy Act?
It depends on your annual turnover. If your business has turnover of $3 million or less, the small business exemption likely applies and you are generally not covered by the Privacy Act - unless you handle health information, in which case you are covered regardless of size. If your turnover is above $3 million, the Australian Privacy Principles apply to all personal information you hold, including data stored on a NAS. When in doubt, seek advice from a privacy lawyer or the OAIC.
Is self-hosting more or less legally risky than using a cloud service for business data?
The Privacy Act's obligations are the same regardless of where data is stored. What changes is who is responsible for security. With a cloud service, the provider's security measures form part of your compliance posture. With self-hosting, all security measures are your responsibility. Neither is inherently more or less risky legally - the risk depends on how well you implement security in either case. A well-secured NAS can meet the same 'reasonable steps' standard as a well-configured cloud service.
What should I do if my NAS is breached and I hold client personal data?
If you are a covered entity under the Privacy Act: assess whether the breach is likely to result in serious harm to individuals. If yes, notify the OAIC and affected individuals as soon as practicable (within 30 days of becoming aware). Document your assessment and notification process. If you are exempt from the Act but have contractual obligations to clients, check those contracts for breach notification requirements. Regardless of legal obligations, notifying affected individuals is good practice and builds trust.
Does the Australian Privacy Act cover data stored on a NAS overseas?
The Privacy Act applies to Australian organisations and their data handling practices regardless of where data is stored. If you are a covered entity and store personal information offshore (including on a cloud service with servers outside Australia), APP 8 (Cross-border disclosure) applies. You must take reasonable steps to ensure the overseas recipient complies with the APPs. For a small business storing data on a NAS in their home in Australia, this is not relevant - the NAS is in Australia.
Securing a self-hosted setup against data breaches starts with proper remote access controls. For Australian users, especially those on CGNAT-affected NBN connections, Tailscale is the most practical secure remote access solution.