Sustainability Solutions | Anitech

Customer Privacy and Data Protection: ESG Responsibilities for Australian Businesses

Privacy is a fundamental right. Customers increasingly expect organisations to protect their personal information and use it only for disclosed purposes. In Australia, the Privacy Act 1988 and Australian Privacy Principles (APPs) set the legal framework for data protection. Beyond compliance, privacy protection is an ESG commitment—protecting customers’ fundamental right to privacy and dignity.

This guide explores privacy protection as an ESG responsibility, from Privacy Act compliance to data security and upcoming reforms. For context on governance and ethics, see our guide to anti-bribery and corruption compliance.

Australia’s Privacy Framework

Privacy Act 1988 (Cth)

The foundational privacy legislation in Australia. Key points:

  • Applies to most Australian organisations handling personal information
  • Organisations with annual turnover under AUD$3 million may be exempt (small business exemption)
  • Health organisations are covered under separate Health Records provisions
  • Sets out Australian Privacy Principles (APPs) that organisations must follow
  • Overseen by the Office of the Australian Information Commissioner (OAIC)

Australian Privacy Principles (APPs)

Thirteen principles that guide privacy protection:

APP 1 – Open and transparent management of personal information: Clear privacy policies and transparent practices

APP 2 – Anonymity and pseudonymity: Allow people to deal with you anonymously where practicable

APP 3 – Collection of solicited personal information: Collect information only where reasonably necessary, with consent

APP 4 – Dealing with unsolicited personal information: Determine whether unsolicited information should be retained or destroyed

APP 5 – Notification: Notify individuals when collecting personal information about how it will be used

APP 6 – Use or disclosure: Use or disclose personal information only for primary purpose or related secondary purpose with consent

APP 7 – Overseas disclosure: Only disclose personal information overseas if the recipient has adequate privacy protections

APP 8 – Data quality and data security: Take reasonable steps to ensure accuracy and security of personal information

APP 9 – Access and correction: Provide individuals access to their personal information and correct inaccuracies

APP 10 – Unique identifiers: Don’t adopt, use, or disclose unique identifiers assigned by government unless necessary

APP 11 – Security of personal information: Take reasonable steps to protect personal information from misuse, loss, or disclosure

APP 12 – Access to personal information: Individuals have the right to access their personal information

APP 13 – Correction of personal information: Individuals have the right to request correction of inaccurate personal information

Privacy Risks and Incidents

Common Privacy Breaches

  • Unauthorised access: Hackers or insiders accessing personal information without permission
  • Data loss: Unsecured devices, cloud storage, or physical documents containing personal information lost or stolen
  • Oversharing: Disclosing personal information to third parties without consent
  • Inadequate consent: Using personal information without clear, informed consent
  • Retention beyond necessity: Keeping personal information longer than required
  • Inadequate security: Failing to implement reasonable security measures

Consequences of Privacy Breaches

  • Legal liability: OAIC investigations, potential proceedings, civil claims
  • Financial penalties: Enforceable undertakings, compensation orders
  • Reputational damage: Loss of customer trust, negative media coverage
  • Operational impact: Customer loss, regulatory action, operational disruption
  • Notification obligations: Requirement to notify affected individuals of serious data breaches

Building a Privacy-Protective Organisation

1. Develop a Privacy Policy

Create a clear, accessible privacy policy that explains:

  • What personal information you collect and why
  • How information is used, stored, and protected
  • Who has access to personal information
  • Rights individuals have (access, correction, complaints)
  • How complaints are handled
  • Contact details for privacy inquiries

Ensure the privacy policy is written in plain language, is easy to find, and is regularly updated.

2. Implement Privacy by Design

Build privacy into systems and processes from the start, rather than as an afterthought:

  • Privacy impact assessments for new systems or projects
  • Data minimisation: collect only necessary information
  • Purpose limitation: use information only for disclosed purposes
  • Retention limits: delete information when no longer needed
  • Privacy-friendly defaults (e.g., opt-in rather than opt-out)

3. Obtain Informed Consent

Ensure customers understand and explicitly consent to how their information is used:

  • Consent must be informed: customers understand what they’re consenting to
  • Consent must be voluntary: not a condition of service unless necessary
  • Separate consents: different consents for different uses
  • Easy withdrawal: customers can withdraw consent easily
  • Documented: maintain records of consent given

4. Implement Data Security

Reasonable security measures to protect personal information:

  • Access controls: Limit access to personal information to those with a genuine need to know
  • Encryption: Encrypt personal information in transit and at rest
  • Authentication: Strong passwords and multi-factor authentication
  • Monitoring: Monitor for unauthorised access or unusual activity
  • Incident response: Procedures for responding to data breaches
  • Vendor management: Ensure contractors and service providers protect personal information
  • Staff training: Train staff on privacy and security obligations

5. Facilitate Individual Rights

Enable customers to exercise their privacy rights:

  • Access rights: Provide personal information upon request
  • Correction rights: Allow correction of inaccurate information
  • Deletion rights: Delete information when no longer needed (subject to legal obligations)
  • Complaint mechanisms: Easy process for raising privacy complaints
  • Response timeframes: Respond to access and complaint requests promptly

6. Manage Overseas Disclosure

When disclosing personal information overseas (e.g., to cloud service providers):

  • Ensure recipient country has adequate privacy protections (or recipient has privacy safeguards)
  • Obtain consent before overseas disclosure
  • Monitor ongoing compliance of overseas recipients
  • Have contractual commitments ensuring privacy protection

7. Respond to Data Breaches

If you experience a data breach affecting personal information:

  • Immediate response: Investigate, contain, and remediate
  • Assessment: Determine whether the breach is “serious” (likely to result in serious harm)
  • Notification: If serious, notify affected individuals and OAIC without unreasonable delay
  • Record-keeping: Document incident and response
  • Communication: Be transparent with customers about what happened and steps taken

Upcoming Privacy Act Reforms

The Australian government has proposed reforms to the Privacy Act to strengthen privacy protection:

  • Stronger consent requirements: Clearer, more explicit consent for data collection and use
  • Enhanced rights: Expanded rights to access, correct, and delete personal information
  • Penalty increases: Significantly higher penalties for serious privacy breaches
  • Stronger security requirements: Mandatory security standards for personal information
  • Breach notification: Mandatory notification of individuals and OAIC for serious breaches
  • Privacy impact assessments: Requirement to conduct PIAs for high-risk data processing

Organisations should monitor reform progress and prepare for stricter requirements.

Privacy as ESG Commitment

Privacy protection demonstrates respect for customer rights and dignity. For ESG purposes, organisations should:

  • Commit publicly to privacy protection as a core value
  • Include privacy metrics in ESG reporting (breaches, complaints, response times)
  • Demonstrate board-level accountability for privacy
  • Invest adequately in privacy protection infrastructure
  • Be transparent about privacy practices and incidents

Frequently Asked Questions

Do we need consent for every use of customer information?

Not necessarily. You can use information for the primary purpose of collection without fresh consent. Secondary uses require consent unless they are clearly related to the primary purpose. The key is that customers must understand how their information will be used when they provide it.

What’s a data breach and when must we notify the OAIC?

A data breach is unauthorised access to, or disclosure of, personal information. Notification to the OAIC is required if the breach is “serious”—likely to result in serious harm to individuals. You must notify the OAIC and affected individuals without unreasonable delay.

Can we use personal information for marketing purposes?

You can use information for marketing if it’s a related secondary purpose or if you have explicit consent. You must provide an easy opt-out mechanism for unsolicited marketing communications. Some individuals (e.g., those on the Do Not Call Register) have opted out entirely.

What about cloud storage and overseas data processing?

You can use cloud services, including overseas providers. However, you’re responsible for ensuring they protect personal information adequately. Have contracts in place that require them to comply with the privacy principles. Only disclose if the recipient country or the recipient itself has adequate privacy protections.

How often should we review our privacy practices?

At minimum annually. More frequent review is needed when your systems, processes, or privacy laws change. Use privacy impact assessments to identify and address emerging risks.

Privacy as Competitive Advantage

In an era of increasing data collection and privacy concerns, organisations that genuinely prioritise privacy build customer trust and competitive advantage. Privacy isn’t a constraint on business—when managed effectively, it’s a strength that customers value and reward.

Ready to Strengthen Your Privacy Protection?


Our specialists can help you assess privacy risks, implement Privacy Act compliance, and develop effective data protection strategies.
