03 February 2026
4 min read
Published by:
As February signals the end of the holiday period and the beginning of the serious part of the year, I have been reflecting on what we know in the privacy and data space and, more importantly, what we have yet to learn.
Privacy professionals will remember how long and tortured the journey was to have the Privacy and Other Legislation Amendment Act (POLA) passed on the very last day of parliament in December 2024. Some of those provisions are not scheduled to commence until December this year – including the requirement to report on automated decision-making – while others have been slowly moving forward. That led me to wonder what developments are currently in progress that would give the business community and privacy practitioners certainty around best practices when handling personal information.
Given that data breaches remain such a high-risk affair, it is worthwhile to look at what certainty we have around keeping data secure and what organisations are expected to do in the event of a breach.
The Federal Court’s decision in the Australian Clinical Labs (ACL) case in October 2025 provided some much-needed guidance on reasonable steps to keep information secure and how organisations could respond to a security incident (a more detailed article on this case is yet to come). It was also a milestone in terms of the Australian Information Commissioner imposing fines.
The ACL case involved a data breach that took place in 2022. But what of the other major breaches that occurred that year? What can we learn from them?
The Optus and Medibank breaches prompted broad community outrage at the time and an appetite for change. Some of that change occurred with the Office of the Australian Information Commissioner’s (OAIC) new enforcement powers, but where have those cases got to in terms of providing businesses with certainty about what is, and is not, acceptable in data security?
We know that the Commissioner commenced proceedings against Optus in August 2025 and, while there have been some preliminary hearings, the matter is not scheduled for hearing until 2027, meaning there are unlikely to be any updates in 2026. More importantly, the concise statement setting out the Commissioner’s allegations in this case will not be released in the foreseeable future, which provides no guidance for organisations.
Thankfully, the Medibank case is moving along. The Commissioner took action against Medibank in the Federal Court in June 2024 and that concise statement provides some useful guidance about what the Commissioner considers to be minimum standards in terms of reasonable steps to protect information in that context.
While the Medibank breach occurred before the POLA amendments, which required that Australian Privacy Principle 11 (APP 11) be amended to include the requirement that reasonable steps to keep information secure include organisational and technical measures, the learnings from the concise statement about the steps that should be taken to protect personal information included:
These steps provide good guidance pending the outcome of the Court’s decision, but many of the steps recommended as reasonable steps are already recognised under pre-existing voluntary standards and protocols and it would be surprising if they were not upheld by any decision. The Court has ordered the parties to complete mediation no later than 30 September this year, so there is a glimmer of hope for an outcome by way of some sort of public statement in time for Christmas.
Another area where guidance is outstanding is the use of facial recognition technology, particularly in retail environments. The determinations made by the OAIC against both Bunnings and Kmart have provided guidance as to the Commissioner’s views on the required notice to be given to the public when facial recognition technology is used.
The Bunnings determination alleged that while Bunnings relied on a permitted general situation exception, this was erroneous and the retailer needed to comply with the Australian Privacy Principles. That determination has been appealed by Bunnings and was heard by the Australian Review Tribunal in October 2025. We hope that a decision will be made and published in 2026.
While the facts of this case relate to activities that occurred in 2020 and 2021, the decision will provide guidance that is applicable to the current retail environment, particularly as businesses attempt to balance increasing violence towards staff and rising theft against individuals’ right to privacy.
As technology continues to advance and businesses integrate automation further into every customer interaction, there are likely to be some interesting issues emerging in 2026.
If you would like more information about the guidance available to your organisation or need assistance with your privacy matters, please get in touch with us here.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.