Why Data Privacy Is Becoming a Major Business Concern in Australia

Jun 03, 2026

There's a moment every business leader dreads. The phone rings, or an email lands in the inbox, and the message is simple but devastating: your organisation has experienced a data breach. Customer records are exposed. Regulatory scrutiny is imminent. Legal teams are being activated.

For too long, that scenario felt abstract — something that happened to large corporations overseas, or the result of a sophisticated nation-state attack that a small business couldn't be expected to prevent. That perception has now been thoroughly dismantled in Australia. Data privacy isn't a theoretical risk anymore. It's a live, urgent, and expensive business issue that touches organisations of every size, across every industry.


The Wake-Up Call Australia Didn't See Coming

The years 2022 through 2025 delivered a string of data breaches so significant that they shifted the entire national conversation about how businesses handle personal information.

The Optus breach affected up to 9.8 million people, Latitude Finance exposed the records of around 14 million Australians, and the Medibank attack compromised approximately 9.7 million customer records. Then, in May 2024, e-prescription provider MediSecure was hit — and the consequences were so severe that the company declared insolvency and entered voluntary administration just three weeks after the breach, with 6.5 terabytes of patient and physician data reportedly posted for sale on a hacking forum.

These weren't fringe players. These were established, trusted organisations. And the damage wasn't limited to data loss.

According to the IBM Cost of a Data Breach Report 2024, the average cost of a breach in Australia has risen to AUD $4.26 million, a 5.7% increase from the previous year. That figure doesn't capture the reputational erosion, the customer exodus, or the years of regulatory proceedings that follow.

Optus lost some 65,000 subscribers in just a few months following its breach, and the company flagged that the clean-up could cost $140 million. The lesson is stark: a data breach is no longer a recoverable inconvenience. For some organisations, it becomes an existential event.


Australia's Privacy Law Is Catching Up — Fast

For many years, critics argued that Australia's Privacy Act 1988 was simply not equipped for the realities of a digital economy. The legislation that once governed how organisations handled paper files was being stretched to cover cloud storage, AI systems, mobile apps, and cross-border data flows. The gap between the law and lived reality was widening.

That changed decisively with the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, representing the most substantial overhaul of Australian privacy law in the Act's history.

The reforms have rolled out in stages, and 2026 is a pivotal year. The requirement to disclose how personal information is used in substantially automated decision-making processes commences 10 December 2026 — which means any business using algorithms or AI tools to make decisions about customers, employees, or applicants now has a transparency obligation it simply cannot ignore.

The broader reform picture includes several significant new elements:

  • A new statutory right to sue for serious privacy breaches commenced on 10 June 2025, along with substantially stronger requirements for businesses handling personal information.

  • Expected 2026 reforms include new individual rights such as the right to erasure, the right to object to targeted advertising, the right to correction, and the right to data portability.

  • A legally binding Children's Online Privacy Code is mandated for release by 10 December 2026, setting out clear obligations for organisations handling the data of young Australians.

The penalty framework has also sharpened considerably. Under Australia's updated Privacy Act, companies can face fines of up to AU$50 million for serious or repeated data breaches. That is no longer a deterrent that only applies to multinationals. It applies to any organisation covered by the Act.


Regulators Are No Longer Watching From the Sidelines

The Office of the Australian Information Commissioner (OAIC) has traditionally been seen as a relatively mild regulator — one that preferred enforceable undertakings and negotiated outcomes over hard enforcement action. That reputation is being revised.

The Information Commissioner has filed legal proceedings against Optus over its 2022 data breach, following a separate ACMA lawsuit over the same incident, while the OAIC also filed charges against Medibank for its breach — which has already cost Medibank over $125 million, not including a $250 million APRA penalty.

The message from Privacy Commissioner Carly Kind has been unambiguous: all organisations holding personal information need to ensure they have strong data governance and security practices that are both thorough and embedded into everyday operations — not treated as a compliance checkbox.

This is a meaningful shift. Regulators are investigating, litigating, and issuing penalties. Businesses that assumed the OAIC would always settle for an undertaking are now operating on outdated assumptions.


The Human Cost Behind the Headlines

It's easy to frame data privacy as a regulatory compliance issue — a matter of fines, legal fees, and organisational risk management. But the human dimension is what makes this genuinely urgent.

A healthcare worker in Melbourne opened her email one morning to find that her Medicare details, prescription history, and address had been accessed without her knowledge. She hadn't made any mistake. She'd simply used a healthcare service that had inadequate security controls. The months that followed involved credit monitoring, identity verification processes, and a constant background anxiety about what someone might do with her information.

Multiply that experience across millions of Australians — as happened in the Medibank and MediSecure incidents — and the scale of harm becomes tangible. According to a federal cybercrime inquiry, over 11,000 cases of cybercrime have been connected to the Medibank data breach alone. Behind each of those cases is a person dealing with consequences that no fine can fully address.

This is why data privacy is increasingly a matter of ethics and organisational values, not just legal compliance.


Where Australian Businesses Are Still Getting It Wrong

Despite the headlines, many Australian businesses continue to make the same fundamental errors in how they collect, store, and handle personal information.

The most common issue is data hoarding. Organisations collect far more personal information than they actually need, retain it far longer than is appropriate, and then fail to protect it adequately. The Latitude Financial breach raised serious questions about why the company was storing customer records from 2005 — well beyond any reasonable retention requirement.

Third-party risk is another persistent blind spot. A business may have strong internal controls, but if a supplier, cloud provider, or software vendor has weak security practices, the exposure flows both ways. The growing use of external service providers — particularly cloud and software services — is one of the key reasons for the increase in breach notifications to the OAIC.

Then there's the culture problem. Cybersecurity and data privacy are often treated as IT department concerns rather than organisation-wide responsibilities. When that mindset prevails, frontline staff — the people who actually handle customer data every day — are often the least informed and the least prepared.

Australian Super reportedly assessed their cyber risk as low likelihood prior to the April 2025 credential stuffing attacks against their systems and multiple other superannuation funds — a gross underestimation of the threat landscape that left them vulnerable.


The Global Context: Australia Isn't Operating in Isolation

Australia's privacy reforms don't exist in a vacuum. The global regulatory environment has been moving toward stronger privacy protections for the better part of a decade, led by frameworks like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.

Australian reforms are now consciously aligning with international standards — expanded definitions of personal information, stronger consent requirements, and individual access rights that mirror what European consumers have been able to exercise for years. Under the anticipated 2026 reforms, consent must be voluntary, informed, current, specific, and unambiguous, with pre-ticked boxes and dark patterns restricted.

For businesses operating across borders — and many Australian companies do, whether through international clients, offshore data storage, or global software platforms — this convergence creates both obligations and opportunities. Getting privacy right in Australia increasingly means getting it right for an international standard.


What Responsible Data Privacy Actually Looks Like

Businesses that take data privacy seriously aren't just protecting themselves from regulatory action. They're building something more durable: customer trust.

Practical data privacy starts with knowing what you actually hold. A data mapping exercise — understanding what personal information the business collects, where it sits, who has access to it, and how long it's retained — is the foundation of any credible privacy program. It's unglamorous work, but without it, every other privacy initiative is built on sand.
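The data-mapping exercise described above, together with the data-hoarding problem raised earlier (records retained since 2005, fields collected beyond any stated purpose), can be turned into a repeatable check. The script below is an added example, not code from this article or from the Australian Compliance Institute: it takes a constructed inventory of data stores (what is held, who owns it, who can access it, how old the oldest record is, and which fields the stated purpose actually needs), compares each against an assumed retention policy, and reports fields kept past their limit and fields held without a purpose. The store names, field categories and retention periods are illustrative assumptions, not a statement of what the Privacy Act or the APPs require for any particular data type.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class DataStore:
    """One system or repository holding personal information (constructed)."""
    name: str
    owner: str
    fields: list[str]           # personal-information fields actually held
    access_groups: list[str]    # groups with read access
    oldest_record: date         # oldest record still retained
    purpose_fields: list[str]   # fields the documented purpose genuinely needs


# Assumed retention policy in years per data category (illustrative only).
RETENTION_LIMITS = {"identity": 7, "health": 7, "marketing": 2}

# Assumed mapping from field name to data category (illustrative only).
FIELD_CATEGORY = {
    "name": "identity", "email": "identity", "address": "identity",
    "drivers_licence": "identity", "medicare_number": "health",
    "prescription_history": "health", "newsletter_opt_in": "marketing",
}


def retention_findings(store: DataStore, today: date) -> list[tuple[str, float, int]]:
    """Return (field, age_in_years, limit) for every field held past its limit."""
    age_years = (today - store.oldest_record).days / 365.25
    findings = []
    for field_name in store.fields:
        category = FIELD_CATEGORY.get(field_name, "identity")
        limit = RETENTION_LIMITS[category]
        if age_years > limit:
            findings.append((field_name, round(age_years, 1), limit))
    return findings


def over_collection(store: DataStore) -> list[str]:
    """Fields held that the stated purpose does not need: the data-hoarding signal."""
    return sorted(set(store.fields) - set(store.purpose_fields))


def review_inventory(stores: list[DataStore], today: date) -> dict:
    """Build a per-store report: owner, access, retention and over-collection findings."""
    return {
        s.name: {
            "owner": s.owner,
            "access": list(s.access_groups),
            "retention": retention_findings(s, today),
            "over_collection": over_collection(s),
        }
        for s in stores
    }


# Constructed sample inventory: a CRM that has quietly kept records since 2005
# and collects a licence number it never uses, and a patient portal that
# holds only what it needs and is well inside its retention window.
SAMPLE_INVENTORY = [
    DataStore("crm", "Sales",
              ["name", "email", "drivers_licence", "newsletter_opt_in"],
              ["sales", "marketing", "it-admins"], date(2005, 3, 1),
              ["name", "email", "newsletter_opt_in"]),
    DataStore("patient_portal", "Clinical",
              ["name", "medicare_number", "prescription_history"],
              ["clinicians"], date(2020, 6, 15),
              ["name", "medicare_number", "prescription_history"]),
]


if __name__ == "__main__":
    for store_name, result in review_inventory(SAMPLE_INVENTORY, date(2026, 6, 3)).items():
        print(store_name, "owner:", result["owner"], "access:", result["access"])
        for field_name, age, limit in result["retention"]:
            print(f"  retained past policy: {field_name} ({age}y held, limit {limit}y)")
        for field_name in result["over_collection"]:
            print(f"  collected without purpose: {field_name}")
```

Run against a real inventory, the same report answers the four data-mapping questions (what is held, where, who has access, how long) and surfaces the two failure modes the article singles out: records kept well past any reasonable retention period, and fields collected with no purpose to justify them. The access list is reported rather than judged, because deciding which groups should have access is a governance decision, not something a script can infer.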

Privacy impact assessments for new products, systems, or processes help organisations spot risks before they become incidents, rather than investigating them afterward. Staff training ensures that the people who interact with customer data daily understand their obligations — because the most sophisticated technical controls can be undone by a single misdirected email or reused password.

Businesses looking to build genuine privacy capability in their teams can explore the Privacy & AI Governance: Complying with the Privacy Act course at the Australian Compliance Institute, which covers Australian Privacy Principles, AI data obligations, and practical implementation guidance. For those whose work intersects with cybersecurity obligations — increasingly relevant under the Security of Critical Infrastructure Act — the Cybersecurity Fundamentals & Ethical Hacking course provides foundational knowledge for non-technical staff and decision-makers alike.


The Business Case for Proactive Privacy Investment

Some organisations still approach data privacy as a cost to minimise. That framing consistently leads to underinvestment — right up until an incident makes the alternative cost catastrophically clear.

The better framing is competitive advantage. Consumers are increasingly aware of how their data is used. A business that can demonstrate genuine privacy practices — not just a lengthy privacy policy nobody reads, but visible, credible commitments — earns a form of trust that is genuinely difficult to replicate.

Organisations that take proactive steps to adapt their privacy governance frameworks, enhance data security measures, and increase transparency about data practices will be better positioned in Australia's evolving privacy landscape.

The regulatory environment will only tighten further. The organisations building strong privacy foundations now won't just be compliant when the next round of reforms arrives — they'll be ahead of it.

Frequently Asked Questions

01 Does Australia's Privacy Act apply to small businesses?

The Privacy Act 1988 generally applies to businesses and government agencies with an annual turnover above $3 million. However, some small businesses are covered regardless of turnover if they handle sensitive information like health records, or if they fall under specific industry obligations. It's worth verifying your obligations directly with the OAIC.

02 What is the Notifiable Data Breaches scheme in Australia?

The Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify both the OAIC and affected individuals when a data breach is likely to result in serious harm. Failure to notify can itself result in a regulatory investigation and penalties.

03 What are the maximum penalties for a data breach in Australia in 2026?

Under the updated Privacy Act, serious or repeated breaches can attract penalties of up to AU$50 million, or three times the value of any benefit obtained from the breach, or 30% of adjusted turnover — whichever is greater.

04 What are the Australian Privacy Principles (APPs)?

The APPs are 13 principles that govern how organisations handle personal information in Australia. They cover collection, storage, use, disclosure, data quality, security, access, and correction of personal information. All organisations subject to the Privacy Act must comply with them.

05 How is AI affecting data privacy obligations in Australia?

From December 2026, organisations must disclose in their privacy policies when personal information is used in substantially automated decision-making. The Australian Government has also flagged further reforms specifically addressing AI and personal data, recognising that current legislation was not designed with generative AI in mind.

06 What should a business do immediately after a data breach?

Contain the breach, assess the nature and scope of the data exposed, determine whether the NDB scheme requires notification, notify the OAIC and affected individuals if required, and engage legal counsel. Acting quickly and transparently is both a legal obligation and a reputational imperative.

07 How can employees be trained on data privacy in Australia?

Structured online training aligned with Australian Privacy Principles is one of the most practical approaches. The Australian Compliance Institute offers courses specifically designed around Australian legislation, including privacy, cybersecurity, and AI governance — all built for workplace application rather than generic compliance box-ticking.