About Katherine

Katherine has a highly regarded and dynamic practice in information law, with a particular focus on privacy and data protection. She regularly advises on the operation and application of the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and has led numerous privacy impact assessments (PIAs) for Australian Government and other clients. Katherine is highly experienced in analysing information flows across the full data governance lifecycle, identifying privacy risks and existing controls, and working collaboratively with clients to develop practical, proportionate recommendations that support the appropriate handling of personal information.

A significant aspect of Katherine’s practice involves advising government agencies on projects that introduce new or materially changed ICT arrangements for the collection, use, storage or disclosure of personal information, including the deployment of artificial intelligence (AI) tools and systems. She draws on extensive experience advising on major procurement and funding programs and brings a strong understanding of ICT infrastructure, cloud-based software and other platforms, and various supplier service delivery models, to her assessment of data protection and security risks. 

Katherine also supports clients with broader data governance and data sharing activities, including advising on compliance with the Data Availability and Transparency Act 2022 (Cth).

Katherine frequently assists clients to assess and manage privacy implications associated with legislative reform and new policy initiatives. She applies her knowledge of the legislative process and statutory interpretation to ensure that privacy recommendations are legally robust, operationally workable and aligned with policy intent.

In addition, Katherine regularly designs and delivers training and facilitates workshops for clients, helping build internal capability and confidence in identifying and managing privacy, data and other information law issues.

Experience

• Foundational PIA for use of generative AI tool across Australian Government agencies

  Katherine led our team to conduct a Whole‑of‑Australian‑Government privacy impact assessment (PIA) in relation to the proposed use of a generative AI‑enabled productivity tool across Australian Government agencies. The assessment addressed complex privacy and secrecy issues arising from the deployment of emerging AI technology in a government context.

  Katherine advised on the information flows associated with the technical operation of the AI tool, analysed compliance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles, and relevant Commonwealth legislation secrecy provisions, with a focus providing recommendations designed to assist agencies to deploy the tool in a lawful and privacy enhancing manner.  As part of the PIA, the team also developed practical implementation tools, including privacy guardrails questions for assessing proposed AI use cases and a ‘go‑live checklist’ to ensure that issues such as data quality, information security and governance controls would be properly addressed by agencies before deploying the tool.

• PIA for new transport ticketing system

  Katherine led our team to undertake an urgent privacy impact assessment (PIA) as an assurance measure to support the delivery and operation of a new government ticketing system for public transport. 

  The project involved complex analysis of personal information flows across a wide range of interconnected ICT systems and contracted suppliers. Katherine ensured that the PIA focused on ensuring privacy risks were appropriately identified and mitigated, while carefully balancing system functionality, operational practicalities and the high level of community expectation associated with this significant reform of an essential public service.

• Data sharing arrangements between Australian and State/Territory governments

  Katherine and her team completed a PIA in relation to a new health initiative arising from an election commitment, involving the provision of health care to the public across Australia. This considered critical privacy issues to inform policy development and intergovernmental engagement, and supported a privacy‑by‑design approach to implementation. It included advice on patient consent, re‑identification risks and data linkage arrangements

  Following this, Katherine and her team worked with Maddocks commercial law team members to draft and negotiate suitable data sharing agreements (DSAs) to govern the extensive multi‑party data sharing arrangements between the Australian Government and each State and Territory government, in order to support the necessary monitoring, evaluation and health planning purposes.

• Helping to effectively manage actual/suspected data breaches

  Katherine has supported numerous Australian Government agencies to prepare for, and respond to, potential data breaches involving the unauthorised access, use, disclosure or loss of personal information. She regularly assists agencies to assess incidents, understand their legal obligations, and manage responses in accordance with their data breach response plans. This work includes urgent reviews of relevant material, consideration of the factual circumstances, and the provision of clear, independent advice to support decision‑making. Her advice is focused on minimising actual or potential impacts on affected individuals while ensuring compliance with applicable privacy and notification requirements. 

• Advice and assistance for complex and politically sensitive FOI matter

  Katherine was engaged by an Australian Government statutory authority to provide strategic advice and guidance about a highly sensitive freedom of information (FOI) request (at the primary decision making, internal review, and Information Commissioner review stages). The matter involved complex legal, reputational and stakeholder considerations, and Katherine managed a coordinated stakeholder engagement process to support robust and defensible decision‑making. She also supported complex consultation process with the applicant and affected third parties, and her team prepared draft decisions and document packs for the relevant delegates. Following an application for review by the Information Commissioner, Katherine and her team worked with the client to prepare submissions, and then supported the agency in managing the proper release of information following the Commissioner’s decision.