
Why should you make privacy your business? Privacy Awareness Week 2025

Lander & Rogers is proud to support Privacy Awareness Week (PAW) 2025, an initiative of the Office of the Australian Information Commissioner (OAIC). This year's theme, "Privacy – it’s everyone’s business", serves as a reminder that we all have a role to play in promoting good privacy practices and advancing the privacy rights of individuals.

So, why should you make privacy your business?

Privacy regulation is rapidly developing

Top tips:

  • Establish a robust privacy management framework and regularly review and update your privacy procedures and policies for compliance with changes in the law.
  • Appoint a privacy officer to oversee privacy compliance and act as a point of contact for consumers and regulatory bodies.
  • Foster a culture where privacy is understood and valued by all employees through training, open communication, and clear expectations.

- Data protection and privacy laws are now in effect in 144 countries.

- In Australia, the first tranche of significant reforms to the Privacy Act 1988 (Cth) was passed in December 2024, with the A-G's Department expected to start consulting on the second tranche of privacy reforms this year.

Cyber-attacks and data breaches are on the rise

Top tips:

  • Adopt a privacy-by-design approach to the development and deployment of new technologies to embed strong privacy practices into the design of products and services.
  • Undertake privacy impact assessments when developing and deploying new technologies, or when making significant changes to your business practices.
  • Be vigilant when engaging third-party providers and implement appropriate and robust contractual safeguards.
  • Implement robust security measures to protect personal information from unauthorised access, use, or disclosure.
  • Ensure you have a clear and comprehensive data breach response plan; be responsive and act fast if you suspect a data breach has occurred.
  • Mandate regular cyber security and privacy awareness training for all staff members who are required to handle personal information.
  • Regularly review and update your privacy management and data breach response plans to ensure they remain current and fit for purpose.

- The OAIC Notifiable Data Breaches Report July to December 2024 shows the number of data breaches notified to the OAIC in the second half of 2024 was at its highest in three and a half years.

- 42% of these data breaches resulted from cyber security incidents.

Consumers are demanding transparent privacy practices

Top tips:

  • Transparency builds trust and helps consumers feel valued and respected. Be clear and open about why and how your organisation collects personal information, and how you will use it.
  • Ensure you have a clear and up-to-date privacy policy that explains how your organisation collects, holds, uses and discloses personal information.
  • Ensure your privacy collection notices are unambiguous and accurate.
  • Seek informed consent when collecting sensitive personal information.
  • Regularly review and update your privacy policies and practices to reflect changing business practices, technologies and laws/regulations.

According to the Office of the Australian Information Commissioner 'Australian Community Attitudes to Privacy Survey 2023':

- Three in five (62%) Australians see the protection of their personal information as a major concern in their life.

- Three-quarters (74%) of Australians feel data breaches are one of the biggest privacy risks they face today.

- After quality and price, data privacy is the third most important factor for Australians when choosing a product or service.

Data retention

Top tips:

  • Conduct a comprehensive audit of the personal information your organisation collects and stores; map the information life cycle, including personal information held by third-party providers.
  • Establish clear and appropriate data review, retention and destruction policies, having regard to your organisation's needs and applicable legal and regulatory requirements. Regularly review and update these policies to address changes in the law and in your organisation's needs.
  • Implement secure disposal methods for data that has reached the end of its retention period, such as shredding physical documents or securely deleting digital data.
  • Provide periodic training to employees on your organisation's data review, retention and destruction policies, including on how to securely delete or destroy personal information.
  • Conduct regular audits to verify compliance with your organisation's data retention policies and proactively identify potential issues.

- Unnecessarily retaining personal information may be a breach of the Australian Privacy Principles and increases your risk exposure in the event of a data breach.

- If there is no legal requirement or justification for retaining personal information, your organisation must take reasonable steps to destroy or de-identify that personal information.

If you’d like more information or support with your organisation’s privacy obligations, please get in touch with our experienced technology and digital team. You can also view CyberSight 360 - the latest legal insights on cyber security and cyber insurance.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.

Key contacts

Juliana Hasham


Lawyer