12 June 2025
The theme of Privacy Awareness Week 2025 is “Privacy: It’s Everyone’s Business” – a reminder that protecting personal information is not just the job of privacy professionals or IT departments, but a shared responsibility across all sectors of society. The flip side? If it’s everyone’s business, then it’s not everyone else’s business.
Traditionally, many organisations viewed privacy compliance primarily through the lens of the Office of the Australian Information Commissioner (OAIC). The OAIC’s limited resources and funding do not mean the risk of regulatory action is low. In fact, privacy risks are expanding far beyond the OAIC’s remit.
We are now seeing increasing regulatory convergence, with other powerful regulators stepping into the privacy and cybersecurity space. As technology integrates more deeply into how we live and work, and as surveillance becomes increasingly embedded in both corporate and government systems, regulators are responding with coordinated and multi-disciplinary enforcement.
The corporate regulator, the Australian Securities and Investments Commission (ASIC), has launched multiple enforcement actions against Australian Financial Services Licence (AFSL) holders for failing to meet their cybersecurity obligations. In these cases, ASIC’s claims often overlap with obligations under the Privacy Act, particularly Australian Privacy Principle 11, which requires entities to take reasonable steps to protect personal information from misuse, interference, and loss. The court documents ASIC prepared clearly state what it considers to be reasonable steps for AFSL holders.
The Australian Prudential Regulation Authority (APRA) has also weighed in, particularly through Prudential Standard CPS 234. This standard places strict obligations on regulated entities to maintain information security and manage third-party risk, especially when outsourcing data handling. In short, if you are handling sensitive data, multiple regulators may be watching. If you are part of another regulated business’s supply chain, you will already have seen those organisations ensuring, through their contracts, that you are bound to meet their standards.
There’s a clear trend toward regulatory collaboration. Where data breaches or poor security practices raise compliance concerns across multiple regimes – privacy, financial services, corporate governance – regulators are increasingly sharing information and coordinating their response. This means businesses may be subject to investigation or enforcement not just by the OAIC, but by whichever regulator is best placed to act.
We’re also seeing broader societal shifts toward surveillance and data-driven control. From biometric surveillance in public spaces to real-time employee monitoring in the workplace, these developments are triggering a broader regulatory response. Privacy is no longer just about data protection – it’s a frontline issue for trust, governance and accountability.
Ultimately, businesses need to reassess their risk exposure. It is no longer sufficient to comply narrowly with the Privacy Act. A robust privacy and cybersecurity posture should reflect the broader regulatory environment and societal expectations.
At Holding Redlich, we work with businesses to review their privacy and cyber risk appetite and to develop internal policies, frameworks, and governance structures that align with emerging regulatory requirements. We help organisations operationalise privacy – embedding it not just in compliance, but in culture.
In 2025, privacy really is everyone’s business, and that includes our Australian regulators.
Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.