
Privacy Awareness Week 2026: How to build trust through better privacy practices

06 May 2026

7 min read

#Data & Privacy

Published by:

Dan Pearce


This year’s Privacy Awareness Week theme, ‘Trust is built here: In every privacy complaint, in every resolution’, is a timely reminder that trust is strengthened through how organisations handle and resolve privacy complaints in practice, not just in policy.

As the use of AI and other technologies continues to grow, the amount of personal information being collected, used and managed is increasing, making strong privacy practices even more critical.

In support of this year’s initiative, we explore five key areas where trust is built in practice – from how organisations design and assess their systems and manage employee data, to how organisations respond to data breaches and exercise judgement when relying on privacy exemptions.

Privacy impact assessments – the foundation of trust

Privacy impact assessments (PIAs) are a critical tool used to help identify and mitigate privacy risks by assessing the flow of personal information and ensuring compliance with privacy obligations. As highlighted by recent regulatory actions and cases, many of the issues that lead to data breaches or compliance failures, such as weak controls, poor system design, or inadequate notice to individuals, can often be identified early through a well-conducted PIA.

The Office of the Australian Information Commissioner’s (OAIC) Privacy Foundations self-assessment tool provides a useful starting point for organisations to evaluate their existing privacy practices. The tool involves two steps – a questionnaire and an action planning phase based on the responses. It then offers practical recommendations to help embed stronger privacy practices into day-to-day processes.

Businesses adopting new technology, like AI or technology that collects or uses sensitive information, must check they have conducted a thorough privacy impact assessment to ensure they are abiding by the OAIC’s guidelines and protecting individual privacy rights. The use of facial recognition technology in retail environments provides a clear example.

In the Administrative Review Tribunal’s decision on Bunnings’ use of facial recognition technology, the retailer was found to have breached a number of Australian Privacy Principles (APP) which relate to privacy notices and notifying individuals that their personal information is being collected.

The Tribunal found Bunnings to be deficient in notifying the public about its practices and policies, a deficiency it considered could have been avoided had Bunnings done a comprehensive privacy impact assessment prior to implementation. The Tribunal’s decision makes clear that conducting a privacy impact assessment before adopting new technology is a baseline requirement, not an optional extra. Its decision around notices also confirms that organisations must be transparent with individuals about how they collect and use their personal information. It further confirmed that APP 1 does not end with having a privacy policy: a policy must be supported by ‘practices, procedures and systems’.

Employee records and workplace surveillance

Employees are particularly sensitive to how their data is handled. Clear policies and proportionate surveillance practices show respect and accountability, which builds internal trust and reduces reputational risk externally.

While ‘employee records’ are generally exempt from the Privacy Act, there may be aspects of surveillance that are covered, and specific surveillance legislation and other workplace laws may also apply. The employee records exemption has also been found to be very narrow in past decisions.

Workplace surveillance is also becoming more sophisticated and widespread, but the laws that govern it haven’t kept pace. From AI monitoring tools to wearable trackers and biometrics, new technologies are being deployed in workplaces across many industries, yet there is little regulation on how and when employers can use them. It is important for businesses and employers to be transparent in their surveillance and record-keeping practices to create a culture of trust and privacy in their workplace.

When using surveillance technology, businesses must remain compliant with the Privacy Act by:

  • providing clear and adequate notice of data collection: make the surveillance overt and give individuals the option not to enter if they do not consent to the surveillance
  • implementing robust privacy governance: develop and implement practices, procedures, or privacy policy disclosures about the types of personal information collected, and how it is lawfully collected, held and used
  • managing data retention and destruction: implement strategies that reflect the personal information lifecycle, with destruction when the information is no longer reasonably required.

While there is far more to be said about balancing security and privacy, and the use of technology, the above provides a solid foundation.

Responding to data breaches

How an organisation responds often matters more than the breach itself. Good handling builds trust.

Although we have yet to see what comes out of the Medibank and Optus breaches, the Federal Court’s decision in the Australian Clinical Labs case in October 2025 provided some much-needed guidance on reasonable steps to keep information secure and on how organisations can respond to a security incident.

The Australian Clinical Labs case showed that legacy systems can be a problem. In the case, the acquired organisation did not have policies in place, and it appears that staff were not trained to understand privacy issues. Organisations need to critically assess likely implications, and not rely too heavily on third party providers without considering the risks of serious harm.

Cyber threats continue to be a growing concern for Australian businesses, with malicious cyber activity estimated to cost over $1 billion annually. From distributed denial of service (DDoS) attacks to phishing, data theft, and ransomware, the risks are escalating. Though regulatory expectations around prevention and response are becoming clearer, they are still evolving.

Where there are reasonable grounds to believe there has been an eligible data breach, the time frame for notification is as soon as practicable. What constitutes ‘practicable’ will vary depending on the time, effort and cost required to comply.

A prompt response, clear communication and a fair resolution process can help an organisation demonstrate accountability, honesty and clarity to restore trust and confidence.

Handling privacy complaints

Complaints are opportunities to demonstrate fairness, accountability and responsiveness. They may also be your best source of information about impending problems, and acting on them may substantially mitigate future risks. Trust is built in the moment of challenge. Conversely, a failure to respond to complaints in a timely manner is a common factor in escalation.

APP 1 requires organisations to have appropriate practices, procedures and systems in place to support privacy compliance, including complaint handling processes, with the OAIC able to draw on overseas guidance when assessing compliance.

Reliance on exceptions

Organisations should not lightly rely on the availability of legal exceptions when considering compliance with privacy laws.

In the matter of Bunnings, the retailer relied on the exception under section 16A of the Privacy Act, which applies where the collection, use or disclosure of sensitive information is necessary to lessen or prevent a serious threat to the life, health and safety of any individual and suspected unlawful activity or serious misconduct. On appeal, it was determined the exception applied, but the circumstances were very specific to Bunnings and the issues it was facing.

There is a growing gap between legal compliance and community expectations that may lead to further challenge of legal ‘loopholes’. Further, the availability of an exception, as shown with Bunnings, does not mean that an organisation is excused from providing proper notification, where possible, of the collection, use and disclosure of information.

Key takeaway

Managing privacy risks is not a one-and-done task; it is an ongoing journey of continuous monitoring and responding to new challenges. Managing the compliance risk is complex, but managing the fallout from lax privacy compliance is more costly and time consuming.

If you have any questions about this article or how you can strengthen your privacy practices, please get in touch with us here.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
