What is data privacy and why is it important?
To get to the root of the matter, let’s start at the beginning: what’s privacy?
At its most fundamental, “privacy” refers to the idea that we can restrict access to information about ourselves as individuals. It can refer to information about our bodies, our thoughts, speech and opinions, our relationships, our communications, or specific environments (like our homes).
The right to privacy is acknowledged as a human right both locally, in Australia, and internationally in agreements like the UN’s International Covenant on Civil and Political Rights.
What is data privacy?
Data privacy is the application of this principle to data that is about an individual. This might include information like health data, sensitive data like our political views or religion, financial data like credit history, transactions or payment card information, or other personally identifiable information.
Why is data privacy important?
For individuals, data privacy underpins our right to avoid harms associated with the exposure of information which we would otherwise restrict. These harms might be identity-related harms like fraud, financial losses, reputation damage, harassment, discrimination or just plain embarrassment.
There are regulations that safeguard the privacy of individuals in Australia. Because legislation is built through an iterative process, evolving with our culture and technologies, privacy legislation in Australia is famously (or infamously) complicated, but the most significant piece of legislation relating to privacy is the Privacy Act 1988. This Act lays out the Australian Privacy Principles as well as who needs to comply. It refers mostly to personally identifiable information, which is information that can be used to learn who you are or how to find you.
Why is data privacy important for organisations?
For companies or non-profit organisations, data privacy is just as important as it is for individuals — but in a different way.
Firstly, when we hold data about our donors, customers, or service recipients, we are being trusted with information that could be used to cause harm, were it exposed. That means we have a positive ethical duty to ensure any data we’re holding is stewarded with due care.
Secondly, there are significant legal penalties associated with cavalier treatment of others’ personal information. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, in particular, sharply raised the cost of a privacy breach in Australia: it lifted the penalty for corporate interference with privacy from a cap of $2.2 million up to $50 million.
News media and political parties are often exempt from specific privacy regulations in Australia. However, non-profit organisations, including registered charities, don’t enjoy these exemptions. Given that non-profits often use third-party organisations for face-to-face data collection and fundraising, that can put them in a complicated position with regard to their privacy obligations.
What’s the difference between data privacy and data security?
Sometimes the difference between keeping data secure and preserving data privacy is not completely clear to organisations.
Data security is the process of keeping data safe from external exposure, theft or damage, such as through hacks or exploits. It includes techniques like encryption, network segregation and segmentation, access management, backups, and so forth.
In contrast, data privacy relates to the capture, storage, use and management of personal information specifically.
These concepts overlap, but they are not the same. While the techniques used in data security contribute to data privacy, data security encompasses a wide range of data, including that which is irrelevant in the privacy context.
For example, a staff member entering proprietary information relating to a business’s intellectual property into a public-facing generative AI product would represent a breach of data security. However, the same activity would be unlikely to constitute a breach of data privacy.
How can we safeguard individuals’ data to ensure data privacy is maintained?
Robust data governance is essential for compliance with privacy legislation.
‘Data governance’ is a term that refers to the collection of policies and frameworks that direct the day-to-day management of the data held by an organisation.
Best practice data governance for an organisation means a strong, organisation-wide understanding of data collection, storage, maintenance, use, access and purpose. At any given moment, data asset owners should have a complete understanding of how data flows throughout the business.
With regard to privacy-related compliance, an organisation should be able to answer questions like:
- What types and categories of data do we store? Does it relate to people? Who?
- Where are we storing it?
- What format is it in? How does it move throughout the business?
- What purpose do we use the data for?
- Who accesses it?
- What are our compliance obligations with regard to this data? Are we meeting them? By what process?
If an organisation holds 100 records, these questions may be easy to answer, but modern organisations typically manage data at scale, and generally have thousands or hundreds of thousands of records, each of which contains information of different types, and for which there may be differing obligations. This can present more of a challenge.
Key elements of a robust data governance framework include:
A data strategy
A data strategy is more than a mission statement — a mission statement is broad and general; a strategy is specific. It should recognise long-term goals, but also the prerequisite resources to manage data assets in accordance with those goals.
Oversight and measurable metrics
With reference to the data strategy, clearly defined performance metrics and milestones can show whether or not the goals set out in the data strategy are being met. Over time, and with iterative review, metrics can be used as a benchmark for progress.
Policies and procedures
People who access and handle the organisation’s data should be equipped with the information they need to be active and engaged stewards of that data. This means having clear, formal rules about what to do (and not to do) with the organisation’s data, as well as defined roles and responsibilities.
Issues management
Having defined roles and responsibilities laid out in policy documentation means that, when something changes or perhaps goes wrong, staff know who to go to. Equip staff to identify and address the most common data problems the organisation sees day to day.
Data quality and integrity
Flawed data means flawed outputs. Maximise data quality to the best of the organisation’s ability via cleansing, deduplication, verification and validation.
A cavalier approach to data governance invites data breaches. Good data governance means having a unified, well-understood and coherent approach to how your organisation’s data assets are handled. This protects the people about whom you hold data, and it protects your business.
Privacy changes to watch out for in 2026
Legislative changes from 2024 expanded the potential consequences of violating the Privacy Act for businesses. Now, commencing in 2026, the OAIC is conducting a compliance sweep targeting businesses’ policies. Non-compliant policies may cost organisations up to $66,000.
Furthermore, APP entities will soon have obligations to disclose where artificial intelligence and other automated decision-making processes are used in relation to personal information.
This change was introduced in the Privacy and Other Legislation Amendment Act 2024. Obligations will be in force from the 10th of December 2026.
The major components of this change are found in APP 1.7 to APP 1.9. In brief, an organisation must disclose in its privacy policy any scenario in which it uses a computer program that uses an individual’s personal information to contribute to making decisions that could affect the rights or interests of that individual. APP 1.8 lays out the types of information the policy must contain, and APP 1.9 lays out the types of decisions that fall within the purview of this new obligation.
The legislative change refers to “a computer program,” an intentionally broad term that captures any potential current or future technology that could contribute to automated decision-making. It includes AI and machine learning programs.
Generally speaking, the use of generative artificial intelligence in business processes continues on an upwards trajectory. Because it is a novel area of technology development, tensions between AI and organisations’ legal obligations are still being discovered.
Areas of contest include questions about use of personal information as training data, use of personal information within public-facing generative AI systems, and how to regulate the generation or inference of personal information via generative AI systems.
The OAIC offers guidance as to how APP entities should use commercially available AI products with respect to privacy.
What are the risks of noncompliance with privacy regulations?
Breaches of regulatory compliance attract sanctions. In 2022, the Privacy Act was amended to include new penalties. Corporate bodies in breach of the Privacy Act can now be fined three times the value of the benefit received by means of the breach, 30% of their turnover, or up to $50,000,000.
Aside from the risk of such penalties, there are additional harms associated with abrogating responsibilities to individuals’ privacy.
Breaches of privacy can result in the compromise of identities. Identity theft is a serious problem and causes real, lasting harm to individuals whose identities are stolen. For victims of identity theft, the most benign outcome is hours or days spent changing credentials and contacting organisations to have documents reissued.
This kind of harm is concerning in its own right, but the erosion of trust has flow-on effects for businesses. Those whose practices leave them open to privacy breaches risk alienating their customers and disincentivising new customers from engaging with them. For example, after its infamous 2022 data breach, Medibank’s share price fell 14% in a week. On the other hand, organisations with robust privacy policies enjoy high public trust and may receive a competitive advantage accordingly.
Where can I find out more?
If you’re looking for specific information about your data privacy obligations, the Office of the Australian Information Commissioner is always a good place to start. Or, if you’d like to improve your own data governance practices, you can always contact our data specialists for a free, no-strings chat about your data.