
Privacy Awareness Week: Good Privacy Starts with Knowing Your Data

Cyber Security Strategy

Published on 16 June 2025 by:
David Cleary, Senior Manager, Privacy, Strategy & Consulting
Eliot Soo-Burrowes, Manager, Strategy & Consulting
Katherine Walsh, Consultant, Strategy & Consulting 

 

Privacy remains a critical issue for Australian organisations, shaping how they earn and maintain trust, manage risk, and compete in a digital-first economy.

It’s no longer enough to focus solely on compliance. Top organisations recognise that knowing what data they hold, where it lives, and how it’s used is foundational to building resilient, customer-centric operations.

As privacy sits increasingly at the intersection of data strategy, cyber security, and operational risk, it’s evolving into a core business capability.

This Privacy Awareness Week is a timely opportunity for organisations to step back, assess, and identify practical steps to strengthen data practices, because how organisations manage the data they’re entrusted with is more visible, and consequential, than ever.

 

Here are five focus areas to strengthen your organisation’s privacy maturity.

 

1. Data discovery: what’s out of sight is still at risk

Data that can’t be seen can’t be protected. Many organisations have lost track of where their data is stored.

Whether it’s legacy systems, unstructured archives, or backups, data can sprawl across digital and physical formats, including cloud storage, removable media, magnetic tape, paper, and geographical locations.

Enforcing security standards is challenging when data exists in unknown locations. In the event of a breach, identifying and containing the incident is more difficult if the extent of exposed data is unclear.

As such, conducting regular data discovery exercises is essential to maintaining strong privacy practices, and can support organisations in transitioning to cloud environments, implementing system upgrades, uplifting breach response processes, and assisting with regulatory compliance obligations.

 

2. Data labelling: what’s undefined is unprotected

A strong privacy and security posture starts with defining what is included in your organisation’s data holdings. It’s important to know what kind of information it contains, how sensitive it is, and how it should be handled.

Many organisations lack consistent approaches to labelling and classifying data, making it difficult to apply appropriate controls or understand where the greatest risks lie.

Clear definitions and effective classification assist both with aligning data policies and protections, and with staff education and decision-making for the correct handling, storage, and destruction of sensitive data.

Establishing or updating a fit-for-purpose data classification scheme is a foundational, organisation-wide privacy measure.

 

3. Data retention: what’s kept could be costly

Most organisations know they need to retain data, but few are confident they’re retaining the right data for the right amount of time.

A data retention strategy should not be simply “keep everything for seven years”. Requirements are complex and vary by data type (such as health records, financial records, and customer details) and by regulatory context. Different retention periods apply for different data types, across different states, with maximum limits applying in some cases.

Holding onto unnecessary data can introduce legal risk, inflate storage requirements, and increase backup and security costs. It also creates the added challenge that future regulatory changes may need to be applied retrospectively to all data across all storage platforms.

Getting retention right can reduce risk and costs and strengthen privacy.

 

4. Emerging data types: what’s new is not exempt

Biometric data, including facial images, video, and audio, can be considered personal information if it can be used to reasonably identify an individual. Video or audio files may also contain information that fits the Office of the Australian Information Commissioner’s (OAIC) description of sensitive personal information if they include health information, sexual preferences, or opinions.

These emerging technologies raise not only compliance challenges, but also ethical concerns, such as misidentification, bias, and wrongful action against individuals. This highlights the need for adopters of technologies that collect biometric data to inform – and obtain consent from – individuals when collecting facial recognition or biometric data.

Along with adopting a privacy-by-design approach, organisations should aim to proactively conduct privacy impact assessments to understand the risks and potential privacy impacts of the emerging technology they use.

 

5. Artificial intelligence and analytics: what’s collected may not be useful

As organisations increasingly adopt artificial intelligence (AI) and advanced analytics, there’s a temptation to hold onto more data “just in case” it might be useful. But holding large volumes of personal data for potential use in AI models is risky. Along with greater storage requirements and compliance obligations, it also increases the impact of a breach and heightens privacy risk, including non-compliance with data minimisation obligations.  

Much of this data may never be used and should be minimised or securely disposed of to reduce risk. Data that is retained and useful can be anonymised to generate insights without compromising privacy.  

Data quality also matters. Poor inputs can lead to unreliable AI outputs, bias, and reputational harm, as demonstrated in the case of Amazon’s automated resume screening tool.  

As emerging technologies become more embedded in business operations, organisations need to proactively assess which data is necessary to support AI and analytics, and identify what can be removed, minimised, and de-identified. 

 


 

Privacy Awareness Week is a chance for organisations to take stock, not just of privacy law reforms, but of how data is managed day to day. From classification and retention to biometrics and AI, privacy and data practices impact trust, risk, and resilience. In this dynamic context, organisations that act now will be better prepared for what’s next.
