Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

Data & Privacy

Data is a crucial part of every business environment. It is imperative that all organisations have systems and procedures in place to manage local and international legal requirements as well as maintaining the confidence of all stakeholders as to their data practices

Data & Privacy

Data and privacy regulation in Australia in 2022 is in a state of flux. There is a review into the Privacy Act 1988 to determine if it remains fit for purpose as well as an Online Privacy Bill to better regulate social media and the digital platforms.


The Consumer Data Right continues to expand beyond banking into utilities with an increasingly co-regulatory approach between the Office of the Australian Information Commissioner and the Australian Competition and Consumer Commission to implement and enforce privacy safeguards. These are in addition to a number of initiatives to advance Australia’s digital economy. The European General Data Protection Regulation (GDPR) continues to have extraterritorial operation affecting Australian businesses directly or through their supply chain obligations and contractual obligations.

Your data is an asset

Our lawyers understand that how your business handles data, including both personal and non-personal information, is critical to its success. We understand that the regulation of data extends to the various technologies used to deploy it and how it is shared with third parties.

Our practice covers data in many forms, including business information, big data sets and personal and sensitive information. While we spend significant time advising on the Privacy Act and the Spam Act, the issues around data often crossover into competition law, technology and complex commercialisation arrangements.

Increasingly, customers and contractual counterparties are demanding transparency into data practices and robust data governance practices are being required of businesses at all levels.

We also understand managing data and privacy risk involves a range of stakeholders within an organisation and we often work not only with general counsel but internal executive teams including chief data officers, chief security and technology officers, chief risk officers and the regulatory and communications executives.

We can assist with your privacy and data protection concerns by:

  • reviewing current policies and underlying data practices
  • training management and frontline staff
  • preparing and implementing policies, codes of conduct, and internal procedures
  • providing advice in crisis situations – such as breaches
  • preparing compliance plans and conducting privacy impact assessments.


Information and data governance frameworks

We work with boards and senior managers to develop and implement information governance frameworks. This encompasses risk management strategies and often overlaps with other areas of risk and compliance, including anti-corruption. Our primary concern is Privacy Act compliance as well as relevant international requirements so that group policies can align with all relevant jurisdictions.

Harmonising compliance

Many organisations operate under GDPR and need to streamline their Australian compliance practices with their international processes and procedures. We have experience in undertaking these reviews and assisting in drafting both internal and client facing documentation to support and enable this.

Consumer Data Right (CDR)

We have experience advising participants in the CDR system in relation to the Privacy Safeguards and the relevant documentation to support various compliance obligations.

Digitising business

We have advised many clients as they take their businesses into the digital age, finding new ways to leverage their data assets, embracing new technologies and collaborating with third parties to provide and develop new services. We can assist in ensuring contractual obligations supporting these offerings are compliant with privacy and other laws.

Data breach planning, investigation and response

How you respond to a data breach can be critical to your continued success and survival. We can assist you to develop breach response plans, rehearse and scenario plan and prepare in advance your response and investigation planning methodology and team. We also assist in responding to privacy complaints, access requests and liaising with the Office of the Australian Information Commissioner.

Data insights

We have extensive experience advising organisations about the collection and use of various elements of personal information in Australia, including the ability to use personal information to create derivative statistical and risk assessment products for use in and out of Australia.

Data security and critical infrastructure

We have experience drafting privacy, right to information and data security provisions for commercial contracts for local, State and Federal government agencies, Government owned corporations and statutory authorities. If you are impacted by the critical infrastructure rules, we can advise you in relation to data processing and storage and notification obligations.

Regulator investigations and enquiries

We have experience:

  • acting for both corporations and individuals in regulatory investigations and prosecutions
  • assisting clients in managing regulators’ monitoring and enforcement visits
  • advising on and creating compliance and risk management policies and programs tailored to the particular risks faced by different corporations and individuals
  • advising companies, directors and officers involved in external investigations and prosecutions brought by Commonwealth and state agencies.

Open data frameworks and information access (FOI)

We regularly act on behalf of applicants and respondents to Freedom of Information (FOI) requests. We advise on the validity (or otherwise) of the scope of a request, and assist clients in refusing requests for documents that are either too voluminous or seek only documents that are exempt under the FOI Act. We also assist in the processing of FOI requests, including the review of documentation and assessment for exemption. Once a decision is made, we assist the decision-maker to communicate the basis of their decision. We have successfully defended appeals and complaints made to the FOI Commissioner in respect of those decisions.

Secrecy advice

We advise Commonwealth and State governments (and contractors) on the application of secrecy provisions in agency-specific legislation such as the Health Insurance Act.

Recent Posts

13 July 2022 - Knowledge

Security of Critical Infrastructure Act 2018 – where are all the compliance timeframes?

#Corporate & Commercial Law, #Data & Privacy

We discuss the SOCI Act’s timeframes for compliance and when certain obligations under the legislation begin applying to your business.

29 June 2022 - Knowledge

New and improved SOCI Act: Initial observations

#Corporate & Commercial Law, #Data & Privacy

As the dust finally settles on the suite of amendments to the Security of Critical Infrastructure Act, we share some initial observations about how the regime impacts critical infrastructure entities and what these entities need to be mindful of when managing critical infrastructure assets in Australia.

11 May 2022 - Knowledge

Takeaways from Privacy Awareness Week

#Data & Privacy

Following our discussions during Privacy Awareness Week 2022, we look back at three cases from the past year that have highlighted how technology can be used to erode trust and how it can be used to enhance trust in the future.

10 May 2022 - Knowledge

Cyber security becomes a regulatory concern

#Dispute Resolution & Litigation, #Regulatory, #Data & Privacy, #Superannuation, Funds Management & Financial Services

ASIC brings its first case against a financial services licencee for failures of authorised representatives to adequately manage their cyber risk.

04 May 2022 - Knowledge

Why conduct a privacy audit of your organisation?

#Data & Privacy

It is highly recommended that organisations consider taking part in a privacy audit where possible, to ensure that their data storage and policies comply with the Privacy Act, safeguarding them from future complications.

06 April 2022 - Knowledge

Regulators team up to tackle Big Tech

#Data & Privacy, #Technology, Media & Telecommunications

Four of Australia’s key regulators have joined forces to set up a national forum to share best practices and streamline digital platform regulation in Australia.

02 March 2022 - Knowledge

NSW Government Bulletin

#Government, #Data & Privacy

Recent and proposed amendments to Commonwealth critical infrastructure legislation will bolster New South Wales Government efforts to protect key New South Wales data.

08 December 2021 - Knowledge

Playing hard to get: What are your notification obligations in the event of a data breach?

#Data & Privacy

we discuss a business’ obligation to notify affected individuals of a data breach and explore possible ways to cut through notification fatigue.

24 November 2021 - Knowledge

Security of Critical Infrastructure Act – the past, present and future

#Corporate & Commercial Law, #Data & Privacy

The passage of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 in Parliament this week will see key amendments made to the Security of Critical Infrastructure Act 2018. We consider the likely impact of these changes on owners and operators of relevant critical infrastructure assets.

08 September 2021 - Knowledge

COVID-19 privacy principles for handling personal data

#Data & Privacy, #Technology, Media & Telecommunications, #COVID-19

Australia’s key privacy authorities have jointly issued five privacy principles to guide policymakers and businesses in a universal approach to handling personal information during the pandemic.

24 August 2021 - Knowledge

Peering into Google’s state of mind: Potential penalties in the ACCC’s location data misleading and deceptive conduct case

#Technology, Media & Telecommunications, #Data & Privacy

The Australian Competition & Consumer Commission and Google are contesting the penalties that will be imposed on Google for breaching the Australian Consumer Law in relation to its location data collection practices.

21 July 2021 - Knowledge

NSW Government Bulletin

#Government, #Data & Privacy

In a report released last week, the NSW Auditor-General found that Transport for NSW and Sydney Trains are not effectively managing their cyber security risks.