Privacy Awareness Week 2025: From Awareness to Action

This year’s Privacy Awareness Week (PAW) continued to fuel the national privacy conversation, driving it from surface-level awareness to deeper, systemic action. The week was a flurry of activity by all supporters. Notable standouts included a series of thought-provoking webinars hosted by the OAIC, IAPP, OVIC and Helios Salinger. Each webinar provided a consistent and powerful message that privacy is no longer just an individual concern or a compliance checkbox. Rather it is a strategic, organisational and societal imperative.

A nation ready but uncertain

At the opening IAPP keynote, OAIC Commissioner Carly Kind underscored the shift in public sentiment. Australians overwhelmingly understand the importance of privacy. In fact, nine in ten say they know why it matters. But only half feel confident in how to protect it.

The culprit? A digital environment plagued by complexity, frictionless data collection, and passive surveillance. Kind argued that “Privacy settings are the plastic straws of the privacy world” – symbolic gestures that do little to address the systemic structures eroding individual autonomy. Just as switching to a paper straw might feel like environmental action but fails to tackle industrial-scale pollution, tweaking privacy settings or clicking 'manage cookies' creates an illusion of control. The real decisions in how data is collected, processed, shared, and monetised are embedded deep within the infrastructure of platforms and business models. Individuals are left adjusting the dials on a machine they can’t meaningfully stop or rewire.

Kind’s message was clear: the burden of privacy protection should not rest on individuals navigating complex policies and deceptive design. Instead, meaningful reform must target the root causes: shifting accountability to the organisations building and profiting from data ecosystems and empowering regulators to enforce boundaries that uphold privacy as a fundamental right, not just a configurable preference.

Moving the needle on responsibility

With the theme of “Privacy is Everyone’s Business” PAW 2025 sessions across IAPP and OVIC made it unmistakably clear that privacy can no longer be relegated to legal teams or buried in fine print. Instead, it must be embedded across organisational culture.

Organisational responsibility sits at the heart of the proposed Tranche 2 Privacy Act reforms, which aim to hardwire accountability into boardrooms and operational processes. These reforms reflect a maturing view of privacy as a whole-of-business issue, not just a compliance obligation.

The OAIC’s strengthened and proactive regulatory approach reflects this broader shift in focus. With new powers to issue infringement notices, mid-tier penalties, and enforce transparency around automated decision-making by 2026, the regulator is clearly moving from education to enforcement. Yet the OAIC remains committed to guidance and partnership, offering practical tools to help entities meet their obligations.

Recognising the momentum of PAW, the OAIC used the week to launch its new Privacy Foundations self-assessment tool, a timely resource designed for businesses who want to embed a culture of privacy, and who want to establish or improve privacy practices, procedures and systems. It's a signal that while regulatory pressure is rising, so too is support for organisations willing to build privacy into the way they work.

Maturity matters

Helios Salinger’s launch of its Privacy Pulse 2025 report provided the clearest window into how Australian organisations are tracking on privacy maturity. Surveying 119 organisations across sectors, the report revealed an average score of just 2.46 out of four—midway between “developing” and “defined” maturity. 

Key insights included:

• Retail leads in privacy maturity, driven by strong training and breach response frameworks.

• Human services, while managing highly sensitive data, showed lower maturity scores, highlighting a key area for development.

• Small businesses continue to face challenges due to limited resources and evolving process structures.

• Staff training emerged as the single most influential factor for lifting privacy maturity.

Woolworths Group’s privacy lead, Roslyn Vadala, stressed that privacy maturity isn’t about perfection—it’s about embedding privacy into decision making, planning, and values. “You can’t build trust if you don’t have the foundations,” she noted. 

The operational edge: access controls and governance

OVIC’s sessions brought the spotlight to practical risk areas often overlooked, such as access controls and system governance. In the “Access Only What You Need” webinar, OVIC illustrated how poorly managed access permissions can lead to serious and preventable breaches, ranging from ex-employees retaining access to sensitive systems to staff inappropriately browsing personal data without a legitimate business need.

These cases reflect systemic governance gaps that many organisations still underestimate. Under the Privacy and Data Protection Act 2014, Information Privacy Principle (IPP) 4.1 sets out that organisations must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Reasonable steps under IPP 4.1 aren’t limited to firewalls and passwords. They include well-documented governance processes, robust offboarding protocols, access audits, and clear lines of accountability across teams. Privacy protection isn’t just about securing data, it’s about structuring access in a way that reflects risk, necessity, and organisational responsibility.

Common threads and key takeaways

Despite the diversity of topics, from automated decision making and tracking pixels to training shortfalls and leadership buy-in, a few common threads emerged throughout the week:

• Privacy is strategic. It supports trust, enables innovation, and mitigates reputational and legal risk.

• Organisational culture is decisive. Leadership tone, dedicated privacy roles, and tailored training are critical enablers.

• Tools and frameworks now exist. From self-assessment tools to OAIC guidance, organisations no longer have an excuse not to act.

• Compliance is not enough. True privacy resilience requires maturity, foresight, and systemic change.

As PAW 2025 came to a close, the message was clear: Australians don’t need convincing that privacy matters. What they need are organisations willing to treat privacy not as a cost, but as a commitment. The challenge is not awareness. The challenge is action. And the time is now.