25 June 2025

Reassessing privacy risks and opportunities post-Privacy Awareness Week 2025

Helen Clarke, Sophie Dawson, Jennifer Dean, Phillip Magness, Emily Lau, Viva Swords, Lydia Cowan-Dillon

This year’s Privacy Awareness Week has reminded us that “privacy – it’s everyone’s business”. 

Why Privacy Awareness Week?

Privacy Awareness Week (16-22 June) is a useful landmark in the year for organisations to take stock of privacy awareness internally, and to reflect on how growing privacy awareness across society, rising regulatory expectations and a growing enforcement appetite impact risks and unlock opportunities.

Now that the flurry of Privacy Awareness Week activity is behind us, we’ve pinpointed 12 quick things you can do now to level up privacy in your organisation, based on common themes we see:

  • If your privacy policy has not been updated in the last 12 months, review the sections on collection, use, disclosure, overseas disclosure and security measures for currency. A review of recent privacy impact assessments should identify any overseas disclosure jurisdictions which may need to be added to your privacy policy.
  • Identify the top five points of collection of personal information in your organisation and confirm that collection notices are in place. Check that they identify any laws pursuant to which personal information is collected, and consequences if personal information is not provided – two matters generally not covered by privacy policies.
  • Review the OAIC’s recent guidance on pixel technologies, especially in light of increased regulatory attention on the use of that technology.
  • Start making enquiries about how your organisation uses computer programs to make decisions about individuals that significantly affect their rights and interests. This will allow you to start forming a view about what information may need to be disclosed in your privacy policy when automated decision-making transparency requirements commence in December 2026.
  • Check your data breach/incident response plan includes up-to-date details for internal personnel and third-party providers.
  • Test whether a range of people in your organisation can find the data breach/incident response plan and the reporting pathway for a suspected data breach.
  • If key members of your data breach/incident response team have not conducted a data breach simulation in the last 12 months, schedule one.
  • Confirm that your organisational information security measures are clearly described in documentation, and that auditing or monitoring of those measures is in place.
  • Check in with your key suppliers who have access to or host or process your organisation’s personal information – ask for an update on their information security and other technical and organisational measures in place to protect your data. Exercise your contractual rights to audit compliance and require reporting.
  • Confirm that deletion and de-identification procedures are in place for aged and redundant data by sample testing a large database of personal information.
  • Benchmark your personal information security by asking your team to confirm whether you have in place the information security controls listed in Annexure B to the OAIC’s Concise Statement in the Medibank case. You could do the same exercise with Annexure A to ASIC’s Concise Statement in the FIIG proceedings. Keep in mind that these lists are not determinative of an organisation’s information security obligations and are just a resource. Smaller organisations may not be required to meet the same standards, and may wish to seek advice about which measures to prioritise.
  • Refresh your understanding of legal professional privilege, especially in the context of post-data breach engagement of experts, communications and litigation, by reviewing summaries of the Optus and Medibank decisions. Subscribe to JWS’ insights to make sure you’re across the latest updates in this fast-moving space.

Deeper dive exercises include:

  • auditing your marketing processes for compliance with Spam Act obligations, especially given ACMA’s pattern of regular enforcement action against businesses that fail to comply with consent and unsubscribe requirements;
  • identifying the APPs in relation to which the OAIC can now issue infringement notices, and mapping the processes and procedures in place to reduce compliance risk for each of those APPs; and
  • conducting a comprehensive privacy audit of your organisation, which will help you understand the personal information you hold and what you do with it, identify compliance risks against the latest reforms, and position you well to consider the impact of future reforms.

Taking stock of the state of privacy in Australia

We explore a number of the core dimensions of privacy currently at play. 

1. Growth in individuals’ privacy consciousness: While the OAIC’s next Australian Community Attitudes to Privacy study will not take place until next year, there is plenty of evidence of growing privacy consciousness among Australians. We are seeing a rise in novel privacy complaints, reflecting a cohort of people who are dissatisfied with an organisation’s conduct and find creative ways to express that dissatisfaction through alleged breaches of privacy obligations. We are also seeing a rise in privacy complaints brought as “revenge” claims in the wake of other conduct or disputes that have not been resolved in the individual’s favour.

2. Enforcement action projected to rise: The Privacy Commissioner has said she is keen to pursue more enforcement action, leveraging the larger suite of enforcement options introduced by the latest reforms. The Commissioner’s areas of focus include:

  • businesses’ handling of large volumes of information (such as data brokerage);
  • emerging technologies (such as AI, biometric technologies, connected vehicles, apps and pixel technology); and
  • ‘reasonable expectation’ for use and disclosure of personal information for secondary purposes. 

The Commissioner will soon release an updated statement of regulatory priorities, which is likely to reflect these areas of focus.

3. Avenues for direct action by individuals against businesses are growing: Recent class actions arising from high-profile data breaches highlight an important development. Because complaints under the Privacy Act must be made to the OAIC rather than brought directly in court, individuals are increasingly asserting concurrent rights under other legal frameworks, such as consumer law, including allegations of misleading or deceptive conduct and misrepresentation. Since 10 June 2025, individuals also have the right to bring direct actions under the new statutory tort for serious invasions of privacy, which is likely to increase the risk profile of certain more serious privacy and personal information practices.

4. Waves of Privacy Act reforms: Most of the first tranche of the Privacy Act reforms have now taken effect. The OAIC is required to develop and register the Children’s Online Privacy Code by December 2026, and the automated decision-making transparency requirements will commence in December 2026.

However, some significant changes, including the introduction of a ‘fair and reasonable’ test for the handling of personal information, were proposed for the second tranche of reforms, to which the government has indicated in-principle agreement. For many of the remaining recommendations the government supports further consultation, which will hopefully progress in the coming months, but it seems unlikely that second-tranche reforms will reach Parliament this calendar year.

5. Density of digital platform regulation: Changes to privacy laws, including the development of the Children’s Online Privacy Code, are taking place in the context of broader, intersecting regulatory reforms. In the context of digital platforms:

  • Australia is progressing towards the implementation of social media age-gating so that social media platforms are required to take reasonable steps to ensure that under 16s are not using their platforms;
  • the eSafety Commissioner is working on Phase 2 eSafety Codes;
  • we will likely see new legislation providing for ex-ante competition law regulation of digital platforms via a Digital Platforms Code;
  • the ACCC has just released its final Digital Platform Services Inquiry report, finding that without appropriate laws in place “Australian consumers and business continue to encounter a significant number of harmful practices across a range of digital platform services”;
  • the ACCC is working on the detail of the newly passed Scam Prevention Framework; and
  • new laws to address unfair trade practices like dark patterns have been proposed.

6. AI: The regulation of AI in Australia is being tackled in a number of different ways, including through proposed mandatory guardrails for high-risk AI. Through a privacy lens, the OAIC is particularly focused on the inclusion of personal information in AI model training data, and has reinforced in recent guidance that the APPs apply to that collection and use of personal information.

7. Employee privacy: While the Privacy Act currently exempts the handling of employee records in certain circumstances, we are seeing a steady increase in attention to employee privacy, driven in part by increased interest and enquiries from employees. Beyond the Privacy Act, employers are navigating a range of workplace surveillance and surveillance devices requirements in relation to CCTV, monitoring acceptable use of IT systems, and monitoring location (such as employees in fleet vehicles). Questions also frequently arise in relation to employees’ use of technologies and devices to record meetings and conversations in the workplace.

Privacy risks should be regularly reassessed

Privacy is not a set-and-forget exercise. Privacy risk changes rapidly in light of changes to the law, changes to regulatory enforcement mechanisms and approaches, lessons from recent enforcement action, emerging technologies, the introduction of individuals’ direct rights of action and shifts in community expectations more broadly.

As such, privacy risks should be regularly reassessed in your organisation to identify and address privacy risk hot spots, and to ensure that compliance programs are commensurate with the overall risk to the organisation.

Clear air post-Privacy Awareness Week is just the occasion to pause and reflect.