Privacy Awareness Week 2025: From the Break Room to the Boardroom, It's Everyone’s Business!

Privacy is everyone’s business – and a shared responsibility across an entire organisation.
Privacy Awareness Week (PAW) is an annual event run by the Office of the Australian Information Commissioner (OAIC) to raise awareness of privacy issues and the importance of protecting personal information.
This year’s theme – ‘Privacy – it’s everyone’s business’ is closely tied to key reforms to the Privacy Act which came into force late last year.
The theme highlights the critical role that all personnel play in an organisation’s privacy compliance journey. PAW takes place in a more complex regulatory environment following key updates to the Privacy Act which are now in force.
It’s not just your IT department - ‘everyone’ must play a role in keeping personal information safe and secure.
One of the key reforms to the Privacy Act was a set of changes to APP 11.
APP 11 requires an organisation to take ‘such steps as are reasonable in the circumstances’ to:
- protect personal information it holds from ‘misuse, interference, loss and unauthorised access, disclosure and modification’; and
- destroy and de-identify personal information it no longer needs.
In December 2024, Tranche 1 of the Privacy Act reforms introduced a new APP 11.3, which specifies that both technical and organisational measures should be implemented to meet the ‘reasonable steps’ criteria in protecting, de-identifying and destroying personal information.
This means that in addition to encrypting data and implementing access controls (technical processes), securing personal information now requires ‘organisational’ (people-centric) measures such as:
- governance and culture – which the OAIC expects to include appropriate training, resourcing and a focus from management to foster a ‘privacy and security aware culture’. The OAIC has made clear in guidance that ‘insufficient interest in personal information security from staff, in particular senior management including the board (or equivalent decision making body), can lead to threats to the security of personal information being ignored and not properly attended to’;
- effective policies and procedures – to ensure that there is ‘oversight, accountability and lines of authority for decisions regarding personal information security’; and
- personnel security and training – all staff need to be aware of their responsibilities and avoid practices that would breach privacy obligations, and be able to recognise an eligible data breach.
A key driver for these reforms was an overemphasis on technical measures. PAW provides an opportunity for critical reflection regarding the people-centric measures in place to protect personal information and comply with obligations under the Privacy Act.
What are the other key changes to the Privacy Act now in force?
Changes to penalty regime for contraventions of the Privacy Act
- The Privacy Act now contains three tiers of civil penalties that can be imposed for ‘serious’ or ‘repeated’ interferences with privacy. The Amendment Act introduces a new mid-tier civil penalty for interferences with privacy that do not reach the threshold of ‘serious’. The maximum penalty would be $626,000 for an individual and $3.3 million for a body corporate.
- It also proposes new powers to the Office of the Australian Information Commissioner (OAIC) to issue infringement notices (imposing civil penalties of up to $62,600) for prescribed breaches of the APPs. The provision largely focuses on breaches relating to privacy policy requirements, processes around direct marketing and correction of information.
- These amendments increase the toolkit available to the OAIC and follow significantly increased penalties and powers under the Act. On the ground, advising clients, we have seen a distinct change in the Regulator’s approach. The OAIC has advanced in maturity as a Regulator. Scrutiny is greater in respect of data breaches, complaints and breaches. The Regulator is showing an increased willingness to exercise its enforcement powers.
New statutory tort for serious invasions of privacy
- The Amendment Act introduces a new cause of action in tort for intentionally or recklessly intruding upon a person’s seclusion, or misusing information that relates to them, in circumstances where a reasonable expectation of privacy exists. The invasion of privacy must be ‘serious’ and is actionable without proof of damage.
- The new statutory tort considers the ‘countervailing public interest’ and prescribes specific matters which may constitute a countervailing public interest, such as national security, public health, and the detection of, and prevention of crime and fraud. This aims to ensure that the public interest is considered as part of the cause of action in every case, rather than only in those cases where the defendant has cited evidence of a public interest in the invasion of privacy.
- While it may take some time to see how the tort of privacy is applied, what is clear from our experience on the ground is the increased awareness of individuals of privacy as an issue and heightened consumer frustration when things go wrong. We are seeing an increase in complaints, access requests and individuals looking to hold organisations to account for breaches of the Privacy Act. If Australia follows the lead of the UK and EU, we predict that the actions and expectations of individuals are only set to increase and organisations should be planning for this increased exposure.
Compliance notice regime
- The Amendment Act introduces a new compliance notice regime, building upon the introduction of civil penalty provisions for interferences with privacy that do not reach the threshold of ‘serious’.
- Under this regime, the OAIC may issue a compliance notice to an APP entity if there is a reasonable belief that the APP entity has contravened certain APPs. This provision continues to focus on breaches relating to privacy policy requirements (APP 1), processes around direct marketing (APP 7) and access to/correction of information (APPs 12 and 13). Failure to comply with a compliance notice is a civil penalty (of up to $62,600 for corporations). By complying with the notice, the APP entity effectively admits to the contravention and is deemed to have contravened the relevant APP.
- Our prediction is that the OAIC will be keen to follow in the footsteps of the ACMA (who regulates the Spam Act) and issue these “speeding tickets” for non-compliance.
What can we expect from Tranche 2?
Tranche 2 will likely cover a broad spectrum of issues including:
- expanding the definition of ‘personal information’ to potentially include information that relates to an individual ‘even if the identity of the individual is unknown’;
- changing key exemptions, including small business and employee exemptions;
- changing the definition of ‘consent’; and
- alignment with the European General Data Protection Regulation to include:
  - a 72-hour notice requirement for eligible data breaches, meaning organisations will be put under greater pressure to notify the OAIC before full details of the breach are known;
  - a distinction between controllers and processors to help allocate responsibilities between organisations and service providers; and
  - a right of erasure – data may be de-identified rather than deleted.
Take action now
The Privacy Bill was assented to on 10 December 2024. Most provisions came into effect immediately; however, other notable timeframes include:
| Reform / Obligation | Commencement / Timing |
| --- | --- |
| Information handling practices | |
| (APP 1.7) Inclusion of the use of automated decision making in privacy policies. | Effective on 10 December 2026 |
| (APP 11.3) Security and retention of personal information to include both technical and organisational measures. | Immediately |
| (APP 8) Overseas data flows – disclosure of personal information to jurisdictions prescribed by regulations. | Immediately |
| Codes, powers and enforcement | |
| Simplified process for developing additional privacy codes. | Immediately |
| Children’s Online Privacy Code. | To be developed and registered by 10 December 2026 |
| New civil penalty provisions for interferences with privacy that do not reach the threshold of ‘serious’. | Immediately |
| Monitoring and investigation powers under the Regulatory Powers (Standard Provisions) Act 2014. | Immediately |
| Emergency and eligible data breach declarations | |
| Emergency declarations | Immediately |
| Eligible data breach declarations | Immediately |
| New causes of action and offences | |
| Statutory tort for serious invasions of privacy | A day fixed by proclamation or by 10 June 2025 |
| Anti-doxxing offences | Immediately |
What you should be doing now
With the amendments to the Privacy Act in force now, there are a number of key practical steps organisations can take to prepare for the ongoing reforms.
Tranche 1 Task List
- Ensure your leadership, management and board have good privacy risk management and oversight.
- Review your privacy risk management framework – consider whether further changes to your privacy practices, procedures and systems can be made. Now is the time to be benchmarking your privacy compliance maturity and ensuring you have a clear roadmap of what needs to be addressed.
- Regularly update and review your Privacy Policy, paying particular attention to administrative types of privacy breaches.
- Many organisations are relying on Privacy Policies which have not been validated and do not reflect actual practices. Now is the time to be conducting a whole of business review to understand your handling of personal information.
- (APP 1.7) Identify whether your organisation uses automated decision making practices in relation to the handling of personal information. If so, determine what will need to be added to your APP Privacy Policy. Automated decision making extends well beyond AI.
- (APP 8) Conduct a data mapping exercise to understand and record:
  - the information your organisation holds, such as personal, sensitive and technical information (including information held by service providers);
  - how this information is collected, used and disclosed, and whether the way it is handled reflects what individuals were notified of at the point of collection; and
  - which systems and third parties store personal information across all organisational systems.
- (APP 11.3) Review compliance with the APPs and Privacy Act across all business practices, ensuring adequate technical and organisational measures to protect the security of personal information you hold and to destroy or de-identify information when it is no longer required or at the data subject’s request.
- Critically consider people-centric measures and the PAW theme ‘Privacy – it’s everyone’s business’. What organisational measures are you taking, and are they actually effective?
- Revisit practices concerning privacy information – while the introduction of the new statutory tort requires invasions of privacy to be intentional or reckless, it does not require proof of damage.
- Consider whether your organisation would like to engage in ongoing reform and consultation efforts, including the development of the new privacy codes.
We have also prepared a more high-level, general checklist in our article here.

"… don't take your foot off the gas, because we're going to be looking to take a more enforcement-based approach to regulation in the interim, even notwithstanding those reforms."
Privacy Commissioner, Carly Kind
In the spirit of Privacy Awareness Week we have developed a poster of our top privacy tips that you can share across your organisation.
Double Trouble – Cyber Security Act 2024 in force
The Cyber Security Act 2024 is also now in force. The Government has also released subordinate legislation in the form of Rules to implement the measures below.
The key measures introduced in the Cyber Security Legislative Package include:
- Mandatory security standards for smart devices: establishes a baseline level of security, including measures like prohibiting universal default passwords. The Rules define what qualifies as a relevant connectable product (e.g., a smartphone or laptop is excluded), outline the requirements for statements of compliance and establish security standards including those related to passwords, security issue reports and updates.
- Mandatory reporting of ransomware payments: as of 29 May 2025, businesses are required to report ransomware payments, helping the government better understand the scope of these attacks. The Rules confirm that this measure will apply to organisations with an annual turnover exceeding $3 million (this is pro-rated if the business operated for only part of the previous FY). The Rules also clarify the requirements for a ransom payment report, including details about the cybersecurity incident and its impact on the reporting business entity.
- Obligations on National Cyber Security Coordinator and Australian Signals Directorate: restricts how these two bodies can use information provided to them by businesses and industry about cyber security incidents, ensuring that businesses can seek help without fear of misuse.
- Creation of the Cyber Incident Review Board: an independent body will conduct post-incident reviews of major cybersecurity breaches to identify lessons and provide recommendations. This is aimed at improving cyber resilience across both government and industry, inspired by the U.S. Cyber Safety Review Board. The Rules govern the appointment of board members and the expert panel, as well as the administrative aspects of reviews, including timing, notifications and key considerations.
It is critical for organisations to ensure they are taking a holistic, “whole of business” approach to the privacy and cybersecurity reforms and not considering them in isolation.
For more on the Cyber Security reforms see our article here.
Please feel free to reach out to one of our privacy experts if you would like any advice. Our team can assist you with your privacy and cyber legislation compliance requirements.