The frameworks behind Alt-TAB

If your product involves children in any way, the UNCRC is the legal bedrock. "Best interests of the child" is not a guideline. It's a binding obligation for Australian government agencies and a strong standard for any organisation serving children. Any product feature that conflicts with a child's best interests, privacy, or access to safe information should be reconsidered.

If any of your users are under 18 and based in the UK, this code is a legal obligation, not a guideline. For Australian-only products, it's not legally binding, but it remains the most specific and practical framework for child-safe design available anywhere. Many Australian teams use it as a voluntary design benchmark, and Australia's forthcoming Children's Online Privacy Code is expected to draw heavily from it. If you're building for children, reading this code is time well spent regardless of your jurisdiction.

If your product involves children in any way, as users, as subjects of data, or indirectly. This framework sets out what you're expected to consider. Especially relevant for consent, age-appropriate design, and any AI features interacting with children.

If your product allows any interaction between users, including messaging, content sharing, community features. The ACCCE's research shows exactly how these features are exploited. This isn't theoretical: it's documented evidence of harm patterns. Alt-TAB references ACCCE research in child safety recommendations. Read it before you build.

Asks whether your product respects human dignity, whether people understand what it's doing, and whether affected people have recourse when things go wrong. Particularly relevant for AI-powered products and systems making automated decisions about people.

Sets the baseline for responsible AI use, explaining how AI works, ensuring it's reliable, and making sure people aren't disadvantaged by automated decisions they can't challenge.

Most useful for AI products in high-stakes contexts like health, safety, finances, or vulnerable people. Gives you a structured way to think about what could go wrong at each stage and what to do about it.

If you collect any personal information (names, emails, health data, location, financial details) you likely have legal obligations here. Most common gaps: consent, data retention, and sharing with third parties. Breaches carry significant penalties.

If your product is an online service accessible to Australians, especially one where users communicate, share content, or interact, you likely have obligations here. Particularly relevant for products involving children, anonymous interaction, or user-generated content.

If your product sends any form of electronic communication to users, including onboarding emails, notifications, marketing messages. The Spam Act applies. The most common gap: assuming in-app consent covers email marketing. It doesn't. You need explicit consent for each communication channel, and every message must include a working unsubscribe option.

If your product has features that could facilitate coercive control, such as location tracking, device monitoring, communication surveillance, financial control, you need to understand how how emerging coercive control laws interact with your product design. Building in safeguards that prevent misuse isn't just ethical: in some contexts it may be legally required. Alt-TAB screens every assessment for these risks regardless of your answers.

If you run a social media service, messaging platform, app store, or search service, Phase 2 codes likely apply to your product. This overview is the clearest plain-language summary of what's required and when.

Asks you to think about who might be harmed by your product, how, and what design decisions can prevent that before anyone is affected. Especially relevant for platforms with user interaction, content sharing, or children as users.

If your product collects or stores personal data, Maturity Level 1 is the minimum cybersecurity baseline you should be working toward. These are practical technical controls, what regulators and funders increasingly expect to see documented.

If your platform allows user-generated content and could be accessed by people experiencing mental health challenges, this signals where regulation is heading. Mental health, wellbeing, social media, or youth-facing products should pay close attention.

If your product uses AI, this sets out what Australian regulators and funders increasingly expect. While currently voluntary, it's the most likely starting point for future mandatory AI regulation in Australia. Getting aligned now is a smart move.

If you're adopting or building AI in Australia, this is your starting point for understanding what the government expects and what practical steps look like. The Foundations guide is particularly useful for organisations new to AI governance.

If you're building technology for government use, or if your product involves government data or decision-making, this framework sets out what assurance looks like in practice. Also a useful benchmark for any organisation wanting to demonstrate rigorous AI governance to funders or regulators.

If your product uses generative AI, operates in immersive environments, uses recommender algorithms, or involves encrypted communications, this guidance helps you understand your obligations. Particularly useful for products at the intersection of innovation and safety risk.

Underpins Human Rights Due Diligence, proactively identifying and addressing human rights impacts of what you're building, not just reacting when something goes wrong. Especially relevant for accountability gaps: who is responsible, and what happens when someone is harmed?

Most relevant for products with global reach or those operating in contexts involving marginalised communities. Asks whether your product contributes to digital inclusion or digital exclusion.

If any of your users are based in the EU, even one person, GDPR applies to you. This is one of the most common legal blind spots for Australian startups and NGOs. If you don't know where your users are, assume some are in the EU. Key requirements: lawful basis for processing, data subject rights, privacy notices, breach notification within 72 hours.

ISO 27001 is not legally required in Australia, but it is increasingly expected by enterprise clients, government bodies, and international partners. If you're targeting B2B sales, government procurement, or enterprise markets, you will almost certainly be asked about it. Understanding the requirements now means you can build toward certification from the start.

If your product could be used by or affect people with disability, and most products will, the CRPD sets the legal foundation. It goes further than WCAG: it's not just about technical compliance, it's about whether people with disability can genuinely participate in and benefit from what you've built. Australia has obligations under this treaty that apply to government agencies and inform the Disability Discrimination Act.

If your product is inaccessible to people with disability, including no screen reader support, no keyboard navigation, inaccessible colour contrast. You may be in breach of the DDA. This is not a guideline: it's Australian law. The Australian Human Rights Commission can investigate and mediate complaints. WCAG 2.2 Level AA is the technical standard you need to meet.

If your product has a digital interface, WCAG applies. Level AA compliance means screen reader compatibility, keyboard navigation, sufficient colour contrast, and no features that exclude people with disability. In Australia, WCAG 2.2 Level AA is the accepted standard for DDA compliance for digital products.

WCAG tells you what to achieve. This toolkit tells you how to achieve it in practice, with Australian context, real examples, and testing tools. If you're starting your accessibility journey, this is the most practical starting point for Australian products. Free to use and regularly updated.

Most relevant when your product affects communities historically excluded from design processes, including people with disability, First Nations peoples, CALD communities, or people experiencing poverty or family violence. Asks whether those communities were involved in designing your product, not just consulted about it.

If your product involves Aboriginal and Torres Strait Islander communities in any way, as users, as subjects of data, or where cultural knowledge may be collected. The CARE Principles set out what ethical engagement looks like. Community consent, authority, and benefit are non-negotiable starting points.

If your product involves Aboriginal and Torres Strait Islander peoples in research, data collection, or service delivery, this Code is the Australian-specific framework for doing that ethically. Covers consultation, consent, cultural sensitivity, and community ownership of data and knowledge.

If your product will be used by any prescribed Victorian organisation, or if it touches family violence risk assessment, case management, information sharing, or service delivery in Victoria, MARAM alignment is a legal requirement. This is one of the most commonly overlooked obligations in technology procurement for the health, housing, legal, and community sectors. A product that disrupts MARAM-aligned workflows or creates information sharing risks could directly undermine safety planning for victim-survivors.

If your product will be used in Victoria by any organisation working in health, housing, legal, child protection, or community services, the Family Violence Protection Act shapes how those organisations must operate. Technology that creates barriers to information sharing, undermines safety planning, or enables a person using violence to monitor or locate a victim-survivor may create legal exposure for the organisations using it.

If your product could reinforce or challenge gender norms, if it amplifies or moderates content relating to women and relationships, or if it touches any context where violence against women is a foreseeable risk, Change the Story provides the evidence base for understanding what prevention actually requires. It's particularly relevant for social media platforms, content moderation systems, advertising technology, and any product reaching young people.

For organisations working in the women's safety, family violence, or child protection sectors, alignment with the National Plan is increasingly expected by funders and government partners. For technology products used in these sectors, understanding where the National Plan is heading helps you anticipate regulatory and procurement requirements before they become mandatory. The Plan specifically identifies technology-facilitated abuse as a priority area.

If you're building or procuring technology for the Victorian family violence sector, Safe and Equal's practice guides explain what MARAM alignment looks like in practice. This is the most direct source of operational guidance on what your product needs to support, not just in principle but in the daily workflows of family violence practitioners.

Any product that stores location data, enables communication, controls devices, or handles health or financial data should be reviewed against this guide. Technology-facilitated gender-based violence rarely involves malicious code. It exploits legitimate features. This helps you find those vulnerabilities before someone else does.

If your platform hosts public discussion, amplifies voices, or could be used to target women or gender-diverse people, this resource helps you understand the specific harm patterns to design against. Directly relevant for media, advocacy, politics, or any space where women are publicly visible.

If your product will be used by or affect Aboriginal and Torres Strait Islander communities, this resource is essential reading before you deploy. It explains the specific safety risks these communities face online and what culturally safe digital practice looks like. Alt-TAB's technology-facilitated gender-based violence screening draws on this context. This resource lets you go deeper.

The problem with the build cycle, three pillars (cybersecurity, human rights, technology-facilitated gender-based violence prevention), Stage 1 and Stage 2 analysis explained, the four risk patterns, all 35 frameworks in a reference table, and Sarah Barnbrook's credentials and speaking engagements.