Perth Contractor Cybersecurity Requirements - City Bylaw

Perth, Western Australia contractors engaged by the City of Perth must manage cybersecurity and data handling risks when delivering services, works or digital systems. This guide explains common contractual cybersecurity obligations, how enforcement and complaints are handled by City teams, and practical action steps for compliance, incident reporting and appeals. It is written for contractors, procurement officers and project managers who must integrate information security controls into bids, statements of work and supplier agreements in Perth.

Penalties & Enforcement

The City of Perth enforces contractor cybersecurity obligations through contract remedies, procurement exclusions and administrative actions managed by Procurement and Contract Management teams and By-law Enforcement where applicable. Specific statutory monetary fines for cybersecurity breaches by contractors are not specified on the City's published procurement and contract pages as of February 2026.

• Monetary fines: not specified on the City's publicly published procurement or contract pages as of February 2026.
• Contract remedies: termination, withholding of payment, liquidated damages or claims for loss under contract terms.
• Administrative sanctions: suspension from tender lists, de‑registration as an approved supplier, or restrictions on future City contracts.
• Non-monetary orders: directions to remediate systems, data deletion, or forensic review requirements.
• Enforcer and complaint pathway: Procurement and Contract Management teams and By-law Enforcement; use the City of Perth official contact and procurement enquiry channels to report incidents.

Escalation and repeat offences

The City typically escalates from notice and remediation requirements to contract suspension or termination for unresolved or repeated breaches; exact escalation steps and any monetary ranges are not specified on the City's procurement pages as of February 2026.

Appeals, review and time limits

Appeal and review routes depend on the contract terms and the City's published procurement dispute procedures; contractors should follow the contractual dispute resolution clause and any specified internal review process, lodging appeals within the timeframes set in the contract or procurement rules.

Defences and discretion

Common contractual defences include force majeure, reasonable excuse, compliance with an approved variation or an express exemption in the contract. The City retains discretion under contract terms to accept remediation plans or to exercise termination rights.

Common violations

• Poor access controls leading to unauthorised data access.
• Use of insecure software or failure to patch critical vulnerabilities.
• Failure to report data breaches within the timeframes required by contract or law.
• Non-compliance with agreed data-handling schedules and encryption requirements.

Applications & Forms

No dedicated City of Perth cybersecurity permit form is published on the City's procurement pages as of February 2026; cybersecurity obligations are usually enforced via supplier declarations, contract schedules and tender compliance documents included in procurement submissions.

Practical Compliance Steps for Contractors

• Include an information security plan or schedule with bids showing controls, encryption and incident response.
• Complete any supplier declarations and attach security assessment evidence where requested.
• Establish a breach notification process aligned to contract timing and applicable data breach laws.
• Designate a single point of contact for City enquiries and incident reporting.

FAQ

Do I need a formal information security plan to contract with the City of Perth?

Yes — tenderers are generally expected to demonstrate appropriate information security controls; include a concise plan or schedule in your bid and attach supporting evidence where required.

How do I report a suspected data breach affecting City information?

Report incidents immediately to the City of Perth procurement or contract contact shown on your contract, and follow any contractual incident notification steps; also preserve evidence and follow your internal incident response procedures.

Are there mandatory cybersecurity standards contractors must meet?

The City expects proportionate controls in contracts; specific technical standards may be referenced in procurement documents — if none are specified, follow recognised best practice such as government cyber guidance and the Australian Cyber Security Centre recommendations.

How-To

1. Read the procurement documents and contract schedules to identify cybersecurity clauses and required evidence.
2. Prepare or update an information security plan addressing access controls, patching, encryption and incident response.
3. Attach supplier declarations, risk assessments and penetration test summaries to your tender submission.
4. Set up monitoring, logging and retention procedures to meet audit and forensic needs.
5. Nominate a breach contact and test your incident response with a tabletop exercise before contract start.
6. If a breach occurs, notify the City immediately, remediate, preserve evidence and follow contractual dispute or appeal steps if needed.

Key Takeaways

• Cybersecurity obligations are enforced through contract terms and procurement controls rather than a separate City cybersecurity permit.
• Documented evidence, supplier declarations and an incident response plan are essential for compliance.
• Use the City of Perth procurement and contact channels to report incidents and seek guidance.

Help and Support / Resources

• City of Perth - Procurement and Buying
• City of Perth - Contact and complaints
• Australian Cyber Security Centre - Guidance and Essential Eight