Tools & Workspace

Data Security and Confidentiality for VAs

The VA Handbook · Updated 2026-07-18

A working VA typically holds logins for a dozen or more systems that belong to other people: inboxes, calendars, banking-adjacent platforms, customer databases. That access is the job. It is also the risk. A security incident involving client data can end a VA business overnight, and most incidents trace back to a small set of preventable habits.

Passwords and access

Use a reputable password manager, and use it properly: unique passwords for every service, credentials shared with clients through the manager's sharing features rather than by email or text, and a record of exactly what access you hold for each client. Turn on multi-factor authentication everywhere it is offered, starting with your own email — the account that can reset every other account. Where client platforms allow you to have your own user login rather than sharing theirs, take that option; it is safer for both sides and keeps an honest audit trail.

Devices and files

  • Keep your operating system and browser updated — updates are mostly security patches.
  • Use full-disk encryption and a lock screen; a stolen laptop should be a hardware loss, not a data breach.
  • Avoid doing client work over public Wi-Fi without protection.
  • Store client files in the client's own systems where possible, so ending an engagement does not mean excavating your drive.
  • Back up your own business data; a VA who loses their task system loses every client's commitments at once.

Confidentiality is a habit, not a clause

Most VA agreements include a confidentiality clause, and it should be honoured beyond the letter. That means not naming clients in public without permission, not using one client's information in another's service, and being vague in case studies unless the client has approved specifics. It also means household discipline: screens locked when you step away, client calls not taken where others can overhear sensitive detail, documents not left open on shared family computers.

Know your obligations

Australian privacy law, overseen by the Office of the Australian Information Commissioner (OAIC), sets rules for how personal information is handled. Small businesses are not all covered by the Privacy Act, but many of your clients will be, and their obligations flow through to how you must treat their customers' data. The OAIC also administers the Notifiable Data Breaches scheme, under which certain breaches must be reported. You do not need to be a lawyer — you need to know that the framework exists, follow your client's data-handling instructions, and ask rather than guess when handling personal information.

If something goes wrong

Speed and honesty are everything. Tell the affected client immediately — before you fully understand the scope, not after. Change the affected credentials, work out together what was exposed, and support whatever notification obligations the client has. The instinct to quietly fix it and say nothing is the one decision that reliably makes a bad situation unrecoverable; clients forgive incidents far more readily than they forgive concealment.

FAQ

Do I need an NDA with every client?

A confidentiality clause in your standard service agreement usually covers it. Some clients — especially in legal, medical or finance-adjacent fields — will ask you to sign their own NDA as well, which is routine.

Should clients share their actual passwords with me?

Only when a platform offers no alternative, and then only via a password manager. Separate user accounts with appropriate permissions are always the better option where they exist.

What happens to access when an engagement ends?

Offboarding should mirror onboarding: work through your access register, have the client revoke each item or change shared credentials, hand over any files you hold, and confirm completion in writing. The register you kept from day one is what makes this a ten-minute job instead of an argument.

Is antivirus software enough?

No single tool is. The combination that matters is updates applied promptly, unique passwords with multi-factor authentication, encrypted devices, cautious clicking, and backups. Security is layers of boring habits, not one product.

Hiring a VA for your business instead? Visit virtualassistants.au, our guide for businesses that delegate.