Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a startup or small business, you’ll often deal with information that could seriously impact your competitive position if it leaks - like pricing models, product roadmaps, customer lists, tender bids, investor discussions, or even sensitive HR matters.
That’s where information barrier guidelines come in.
In simple terms, information barriers are the practical rules your business sets to stop confidential or sensitive information from flowing to people who shouldn’t have it (internally or externally). Larger organisations often call these “Chinese walls”, but for small businesses, it’s best to think of them as clear, workable boundaries that protect your business and reduce legal risk.
Below, we’ll walk through what information barrier guidelines are, when you need them, what should go in them, and how to implement them without slowing your team down.
What Are Information Barrier Guidelines (And Why Should You Care)?
Information barrier guidelines are written procedures that set out:
- what information is confidential or restricted in your business
- who can access it (and who can’t)
- how it should be stored, shared, and discussed
- what to do if there’s a suspected breach
For startups and small businesses, the goal is usually not to satisfy “big company bureaucracy”. It’s to protect value and prevent avoidable disputes.
Common Business Reasons You Might Need Information Barrier Guidelines
Information barrier guidelines are especially helpful when you:
- work with contractors or agencies who also work with your competitors
- hire staff from competitors (or you’re competing against businesses you’ve previously worked with)
- run multiple business lines that should not share client or pricing data
- manage sensitive negotiations (investments, acquisitions, joint ventures, major supplier deals)
- handle regulated or sensitive data (for example, health information, finance details, or personal information)
Even if you’re not in a heavily regulated industry, having clear internal rules can help show you took “reasonable steps” to protect confidential information - which matters if something goes wrong later.
What Problems Can Information Barriers Prevent?
Good information barrier guidelines can reduce the risk of:
- confidential information leaks (accidental or deliberate)
- conflicts of interest (especially where a person or supplier serves multiple parties)
- privacy complaints if personal information is mishandled
- client trust issues, especially in professional services and B2B work
- disputes about who owned what when someone leaves or a relationship ends
In many cases, the legal dispute isn’t just about the leak itself - it’s about the absence of clear rules and documentation.
When Do Information Barrier Guidelines Matter Most For Startups?
Startups move fast. That’s a strength - but it can also create blind spots. You might have:
- shared folders with “everyone has access” permissions
- a single Slack/Teams channel for everything
- informal “please don’t share this” verbal instructions
- no clear line between personal devices and business devices
That’s very common early on. But the moment you start collaborating with others or handling higher-value information, you’ll want information barrier guidelines that match your growth.
Typical Scenarios Where Barriers Become Urgent
- Investor due diligence: You’re sending financials, contracts, forecasts, and cap table details around. The more parties involved, the higher the risk.
- Co-founder or team separation: If someone exits, you need clarity about what they can take, use, or disclose. This often ties into confidentiality and restraint clauses.
- Agencies and freelancers: A marketing agency might have access to customer data, performance metrics, or your upcoming launch plan.
- Partnerships and joint ventures: You might share sensitive know-how, but only for a limited purpose.
These are also the moments where your contracts should line up with your internal controls. For example, if you’re relying on confidentiality obligations, a Non-Disclosure Agreement can help reinforce the boundary - but it works best when your business also has internal procedures that support it.
Key Elements To Include In Information Barrier Guidelines
There’s no one-size-fits-all template for information barrier guidelines. The right approach depends on your team size, what information you handle, and how you operate (in-office, remote, hybrid).
That said, strong guidelines usually cover the following.
1. Define What Information Is Restricted
Start by defining categories. For small businesses, it helps to keep this practical. For example:
- Confidential information: non-public business information that could harm you if disclosed (pricing, supplier terms, strategy decks).
- Client confidential information: information you hold about a client’s business, not just your own.
- Personal information: information about identifiable individuals (customers, employees, leads).
- Highly restricted information: merger talks, fundraising terms, legal disputes, security credentials, payroll and performance records.
This is also the step where you align your policy with your contracts. If your customer and supplier terms say something is confidential, make sure your internal rules treat it that way too.
2. Set Access Rules (Need-To-Know, Not Nice-To-Know)
This is the heart of information barriers: who can access what.
Common approaches include:
- Role-based access: finance documents accessible only to founders, finance staff, and your accountant.
- Project-based access: product roadmap files accessible only to the product squad working on it.
- Client-based access: account teams only access “their” client folder, not the whole client list.
For many businesses, implementing access rules is as simple as setting permissions correctly in Google Drive, Microsoft 365, Notion, or your CRM - and documenting the rule in writing.
3. Cover Communication Rules (Including Meetings And Messaging)
Many leaks don’t happen through hacking - they happen through casual conversations.
Your guidelines should cover:
- not discussing restricted matters in public places (cafes, co-working spaces, lifts)
- not sharing confidential info in broad chat channels
- using designated channels for sensitive topics (e.g. a private “Leadership” channel)
- being careful with screensharing in meetings
- how to label documents (e.g. “Confidential”)
If you’re considering recording calls or meetings for training, quality assurance, or dispute resolution, be careful: the rules around consent, workplace surveillance, and listening devices vary between states and territories, and can also depend on how the recording is made and used. Internal guidelines can help your team apply a consistent approach, but they shouldn’t be a substitute for checking the legal requirements that apply to your business.
4. Manage Conflicts Of Interest And “Dual Hats”
Startups often have people wearing multiple hats. A contractor might be working with two businesses in the same industry. A founder might be involved in another venture. An advisor might sit across multiple boards.
Information barrier guidelines should require:
- disclosure of potential conflicts
- allocation of the person to a specific project team
- restrictions on access to certain folders or meetings
- clear “do not share” boundaries between projects
This isn’t about accusing people of bad intentions. It’s about removing ambiguity so people don’t accidentally end up in the middle of a dispute later.
5. Set Data Handling And Security Basics
Even small businesses should document basic security expectations, such as:
- password management (unique passwords, password managers, no sharing logins)
- multi-factor authentication on key systems
- rules for using personal devices for work
- how to store restricted files (approved systems only)
- how to dispose of sensitive data securely
If your business collects personal data, your guidelines should also line up with your external-facing privacy commitments. Many startups start here by implementing a Privacy Policy and then matching internal procedures to what they’ve promised customers.
6. Include A Clear Breach Response Process
When a breach happens, speed and clarity matter.
Your information barrier guidelines should outline:
- who to notify internally (e.g. a founder, operations lead, or nominated privacy lead)
- how to contain the issue (revoke access, reset credentials, contact affected parties)
- how you document the incident
- when you escalate to legal advice
This doesn’t need to be complicated. But it does need to exist. A calm, consistent process can significantly reduce damage.
How To Implement Information Barrier Guidelines Without Slowing Your Business Down
One of the biggest concerns we hear from startups is that internal policies will create friction.
The good news is: information barrier guidelines can be lightweight, as long as they’re clear and consistently applied.
Step 1: Map Your Sensitive Information
Start with a simple exercise:
- What information would hurt the business if it leaked?
- Where does it live (Drive, CRM, email, Slack, laptops)?
- Who has access today?
- Who should have access?
You’ll usually find quick wins straight away - like limiting access to “All Clients” folders or removing old contractor accounts.
Step 2: Set Roles And Ownership
Even if you’re a small team, nominate an “owner” of the guidelines (often a founder or operations lead). Their job is to:
- approve access to highly restricted information
- handle conflict disclosures
- ensure onboarding and offboarding steps happen consistently
If you have employees, it’s also important your employment documentation supports your confidentiality rules and expectations from day one. For many businesses, that starts with a fit-for-purpose Employment Contract.
Step 3: Build The Barrier Into Your Tools
Policies fail when they rely on memory alone.
Try to build the barrier into your systems, for example:
- separate folders for “Leadership”, “HR”, “Finance”, “Client Work”, “Product Roadmap”
- permission groups rather than individual permissions (easier to manage as you scale)
- template labels like “Confidential – Internal” or “Client Confidential”
- restricted channels for sensitive discussions
Step 4: Train People In Plain English (Not Legalese)
Guidelines only work if people understand them.
Your training can be short and practical:
- What counts as confidential information in your business
- Where it should be stored
- Who can approve sharing it externally
- What to do if someone sends something to the wrong person
If you use contractors, make sure their onboarding includes confidentiality expectations too (and that the contract matches those expectations).
Step 5: Review And Update As You Grow
Information barrier guidelines shouldn’t be “set and forget”.
Revisit them when you:
- hire your first employee
- start working with agencies or offshore contractors
- enter new markets or launch a new product line
- raise capital or start acquisition discussions
As your structure becomes more complex (new shareholders, investors, co-founders), it can also be worth aligning information controls with your governance documents, such as a Shareholders Agreement or Company Constitution, so decision-making and confidentiality expectations are consistent at every level.
What Legal Documents Commonly Support Information Barriers?
Information barrier guidelines are an internal tool. But they work best when they’re backed by the right legal documents, so you’re not relying on “good faith” alone.
Depending on your business, you might consider:
- Non-Disclosure Agreement (NDA): useful when you share confidential information with suppliers, potential partners, or prospective buyers/investors before a deal is finalised. This is often the quickest way to set clear boundaries early, especially if you’re moving fast.
- Employment Contract: sets expectations about confidentiality, use of company information, return of property, and post-employment obligations.
- Contractor Agreement: clarifies who owns what, confidentiality expectations, and restrictions on misuse of your information (particularly important if contractors work across multiple clients).
- Privacy documentation: if you handle personal information, your internal practices should match your external commitments, including your Privacy Policy and collection notices where relevant.
- Customer terms: if clients share their sensitive information with you, your customer agreement should cover confidentiality and permitted use.
From a practical perspective, the “best” set-up is when your policies, contracts and day-to-day tool permissions all point in the same direction.
Don’t Forget Consumer And Marketing Compliance
Information barriers aren’t just about “secrets”. They can also reduce the risk of teams accidentally using information in ways that create legal exposure.
For example, if marketing and sales teams are using performance claims, testimonials, or pricing comparisons, you want internal approval processes to reduce the risk of misleading claims. This overlaps with your obligations under the Australian Consumer Law (ACL) - especially around advertising and representations.
Many small businesses also build “approval gates” into their information barrier guidelines so high-risk communications (like major promotions or warranty statements) are checked before they go out.
Key Takeaways
- Information barrier guidelines are practical internal rules that stop sensitive information from flowing to people who shouldn’t have it, helping protect your startup’s value and reduce legal risk.
- The strongest information barriers combine clear policies, tool-based access controls (like folder permissions), and consistent onboarding/offboarding processes.
- Start by defining what “restricted information” means for your business, then apply a need-to-know access model rather than giving everyone access by default.
- Information barriers are especially important where there are conflicts of interest, contractors working across multiple clients, sensitive negotiations, or personal information handling.
- Your internal guidelines work best when supported by the right legal documents, such as an NDA, contractor terms and properly drafted employment documentation.
This article is general information only and does not constitute legal advice. Your circumstances may be different, and you should get advice for your specific situation.