Data Privacy and Information Security: Insights We Have and Lessons Still to Learn

As February arrives, marking the closure of the festive season and initiating a more focused period, it prompts an opportunity to assess the current landscape of privacy and data management, and more critically, what knowledge still remains to be uncovered.

Privacy experts vividly recall the contentious journey leading to the passage of the Privacy and Other Legislation Amendment Act (POLA) on the final day of parliament in December 2024. While some of its provisions are set to take effect in December this year—particularly those concerning the reporting of automated decision-making—others have progressed at a slow pace. Against this uneven progress, it is worth asking which ongoing developments could give businesses and privacy professionals clarity and best practice in managing personal data.

In light of the persistent threat of data breaches, it is essential to evaluate what definitive measures are available for securing data and the expected responses from organizations in the event of a breach.

Significantly, the Federal Court’s ruling in the Australian Clinical Labs (ACL) case from October 2025 offered crucial insights into the reasonable steps necessary for data security and the appropriate responses to security incidents. This case also marked a turning point for the Australian Information Commissioner in exercising its authority to levy fines.

The breach in question occurred in 2022, raising pertinent questions about additional significant breaches from that year and the lessons that can be drawn. Two cases that stood out—those of Optus and Medibank—provoked widespread public outrage and a call for transformation. Although the Office of the Australian Information Commissioner’s (OAIC) new enforcement powers provide some progress, clarity remains limited regarding what constitutes acceptable data security practices.

In August 2025, the Commissioner initiated proceedings against Optus, yet the case is not set for hearing until 2027, leaving businesses without immediate guidance. Unfortunately, the particulars of the allegations against Optus will not be unveiled in the near future. In contrast, the Medibank case is advancing more quickly. The Commissioner’s action against Medibank in June 2024 has resulted in a concise statement delineating the bare minimum standard for protecting information, offering some direction to organizations.

Even though the Medibank incident predates the POLA amendments—which make explicit that the reasonable steps required by Australian Privacy Principle 11 (APP 11) for data security include both organisational and technical measures—it provides valuable insights into essential protective measures. These include implementing multi-factor authentication for access to sensitive networks, ensuring stringent change management, establishing privileged access management controls, and enforcing password complexity and account monitoring to safeguard user accounts.

These recommendations deliver a framework for organizations to follow while awaiting the Court’s resolution, although many already align with recognized standards. The Court has mandated that mediation must conclude by September 30 this year, presenting an opportunity for a public statement ahead of the year’s end.

Additionally, the use of facial recognition technology in retail environments remains a crucial area where clarity is needed. The OAIC’s determinations regarding Bunnings and Kmart have implications for consumer privacy through mandated public notifications when employing such technology. Bunnings’ reliance on permitted exceptions has been challenged, and their appeal is currently under consideration by the Australian Review Tribunal.

Although this decision pertains to events from 2020 and 2021, the eventual ruling will carry immediate relevance as retailers navigate employee safety concerns alongside customers’ rights to privacy.

As technological advancements continue and businesses increasingly integrate automation into customer interactions, the landscape in 2026 is likely to present both challenges and new considerations in data security.

If your organization seeks further information on available guidance or requires support with privacy concerns, please contact us here.

Disclaimer
This article is intended for informational purposes only and does not reflect the specific circumstances of any individual or entity. While we strive to provide accurate and timely information, we do not guarantee the continued accuracy of the contents as situations evolve.
