AI Threats Are Evolving And So Must Our Audits: Why Surface-Level Compliance Won’t Cut It Anymore
Directors of Australian companies have substantial responsibilities, not only to their shareholders, but also to a wide array of stakeholders, including employees, customers, and regulators.
Central to these responsibilities is compliance with Section 180 of the Australian Corporations Act 2001, which sets out the duties of care and diligence for company directors. Understanding and adhering to these obligations is vital to safeguarding both personal and corporate integrity.
Understanding Section 180
Section 180 of the Australian Corporations Act requires that a director or officer of a corporation exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they were a director or officer in the corporation's circumstances and held the same office and responsibilities. The standard is objective: directors are measured against what a reasonable person in their position would have done, not against their own good intentions.
This broad duty extends to overseeing the company’s data privacy and cyber security practices.
Cyber Security as a Business Risk
Directors must stay informed about and monitor their organisation’s activities, policies, and affairs, including having appropriate systems to prevent and respond to cyber security and data incidents. Protecting key organisational data and ensuring cyber security resilience is considered part of directors’ existing obligations under Section 180.
Potential Liability for Inadequate Practices
Directors could potentially be held personally liable under Section 180 if the company fails to implement adequate data privacy and cyber security measures. This “stepping stone” liability means directors may be found to have breached their duty of care if the company contravenes privacy laws or suffers a major data breach due to insufficient safeguards.
Recent Legal Precedents
Recent court cases have highlighted the importance of cyber security under directors’ duties:
- In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, the Federal Court found that failing to have adequate cyber security risk management systems in place contravened the Corporations Act's requirements that a financial services licensee provide its services "efficiently, honestly and fairly" and maintain adequate risk management systems (s 912A(1)(a) and (h)).
- While this case specifically related to financial services licensees rather than to directors personally, it signals ASIC's position on cyber security risk management, and the same reasoning may be extended to directors' duties under Section 180.
Proactive Risk Management
To fulfil their Section 180 obligations regarding data privacy and cyber security, directors should:
- Implement robust risk management frameworks to identify, assess, and mitigate potential cyber and privacy risks.
- Regularly review and update the company’s data protection and cyber security policies and practices.
- Seek expert advice when faced with complex cyber security or privacy issues.
- Promote a culture of compliance and ethical conduct around data handling throughout the organisation.
By taking a proactive approach to data privacy and cyber security governance, directors can better meet their duty of care obligations under Section 180 and protect both the company and themselves from potential liability.
Practical Steps for Compliance
To help ensure compliance with Section 180, directors should take a proactive and systematic approach. Here are some practical steps to help meet these obligations.
Stay In the Game
Directors must be on the ball when it comes to the company's operations and the industry landscape. Regularly reviewing financial statements, operational reports, and legal updates helps with this. Continuous education and training also keep directors current with best practices and regulatory changes.
Effective Risk Management
Implement robust risk management frameworks to identify, assess, and mitigate potential risks. Regular risk assessments and audits are crucial to maintaining oversight and ensuring that the company is not exposed to undue risks.
Record Decision Making
Maintain detailed records of board meetings and decisions. This includes documenting the rationale behind decisions, the information considered, and any expert advice sought. Proper documentation provides evidence of the care taken if the decisions are later questioned.
Seek Professional Advice
Directors should not hesitate to seek independent professional advice when faced with complex issues. Legal, financial, and industry-specific experts can provide valuable insights when challenging decisions have to be made.
Promote a Culture of Compliance
A corporate culture that prioritises compliance and ethical conduct will serve your organisation well in the long run. Encourage transparency, accountability, and open communication within the organisation. Regular training sessions on compliance and corporate governance help embed these values across the company.
The Role of Technology in Compliance
Making technology your friend can significantly enhance a director’s ability to comply with Section 180. Modern SaaS solutions offer tools for governance, risk management, and compliance (GRC) that streamline processes and provide real-time insights.
de.iterate offers a range of frameworks, including ISO 27001, ISO 27701 and the Essential Eight, that can help safeguard your organisation. These platforms automate compliance checks, monitor regulatory changes, and reduce the administrative burden on directors, supporting consistent adherence to statutory obligations. Such tools support the board's oversight; they do not replace it, and the director remains responsible for reviewing what the tooling reports and acting on it.
Compliance with Section 180 of the Australian Corporations Act is not just a legal requirement but a pivotal aspect of effective corporate governance. By exercising due care and diligence, directors can help protect their company from legal risks, while creating a sustainable and ethical business environment. Embracing a proactive approach to compliance, supported by technology and professional advice, will equip directors to meet their responsibilities and drive their companies towards long term success.
If you would like to find out more about how you take your organisation’s data privacy to the next level, get in touch today.