Privacy and Data Protection

The privacy and data protection regulatory framework in Australia is shifting fast, driven by major law reform, increased regulatory scrutiny and growing public concern about how personal information is handled.  

Organisations that collect, use or share personal information, whether private sector or government, are custodians of individuals’ personal information. This comes with a responsibility to respect the privacy of these individuals and handle their information with care by enacting strong  privacy, data governance, information management and cybersecurity practices.  

Done well, compliance can make data one of your organisation’s greatest assets – enabling better service delivery, sharper insights and reducing risk of reputational, regulatory or financial harm – while poor practices can expose organisations to serious consequences including data breaches, complaints, investigations, fines, enforceable undertakings by regulators and loss of public trust.

Key contacts Related insights

Our team's expertise

The Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) have both stepped up enforcement activity in response to major breaches and non-compliance.  

In a data-driven world, earning trust through strong privacy practices isn’t just good compliance, it’s essential to building enduring relationships with customers, users and stakeholders.  

HWLE’s Privacy and Data Protection team provide market leading advice to government agencies, private sector organisations, financial institutions and Australia’s leading credit reporting bodies. 

Our team advises on the Privacy Act, State and Territory privacy and information laws, the Spam Act, the Do Not Call Register Act and emerging AI and data governance frameworks.  We also assist with advising clients with respect to sector-specific cyber security requirements, such those associated with the Security of Critical Infrastructure (SoCI) Act, the Consumer Data Right (CDR) scheme, and relevant prudential standards from the Australian Prudential Regulation Authority (APRA) like CPS 234.

Our clients value our expertise, commercial mindset, risk-based approach and track record of delivering clear, tailored solutions that stand up to regulatory scrutiny and support long-term organisational trust.  

Our team includes members of the Privacy Law Committee of the Law Council of Australia (Business Law Section); the Editorial Panel of the LexisNexis Privacy Law Bulletin and the International Association of Privacy Professionals – Australia and New Zealand. 

We deliver practical and actionable advice and support our domestic and international clients with privacy impact assessments, data mapping, cross-border and offshore data transfer advice, direct marketing compliance and internal governance frameworks.  

We also assist organisations with handling data security incidents, including ransomware, phishing emails, business email compromises, false payment directions, human error breaches and privacy breaches.  In those cases, we assist clients in reporting to regulators, such the OAIC, ASIC, APRA and industry specific regulators. 

Privacy and Data Protection

Our experience

  • State Government Department Advised on legal remedies in respect of a high level data breach, liaising with the Incident Response Team including forensic experts, the AFP and other agencies.
  • Australian Taxation Office Conducted a privacy impact assessment for the introduction of Streamlined Individual Income Tax Returns, known as SIITR or myTax, and accessible through myGov.
  • National sporting organisation Acted on an OAIC own motion investigation into a data breach. The breach was the subject of a television report. We negotiated with the OAIC around penalties and remediation.
  • Major bank Advised in relation to a privacy breach involving the mailing of a spread sheet of high net worth private clients to those private clients. We advised on the wording for the notification of the incident given by the bank to its clients and provided follow up advice on the bank’s legal position.
  • Credit reporting bureau Acted in relation to various claims in different jurisdictions by consumers and businesses alleging breach of the Privacy Act and inaccurate data.
  • Various insurers Advised in relation to policy wordings for cyber risk insurance products and advised on privacy law reform and other regulatory changes and their effect on risks underwritten.