Government warning over doctors’ use of AI compromising privacy

July 5, 2026

The uptake of artificial intelligence is not matched by care to ensure that users do not compromise the privacy of their patients, customers or clients.  In the health industry AI scribe tools are becoming common.  Using AI with patient information runs a real risk of that information finding its way into another person’s control.

These issues are covered in the Guardian article “Doctors’ soaring use of AI scribes prompts Australian government warning over privacy”, which provides:

The federal health department has raised concerns about the use of AI scribes by doctors as the health regulator considers the need for safeguards around the technology.

AI scribe tools record, transcribe and summarise conversations between doctors and patients for medical notes, and have boomed in popularity in the past 18 months.

According to an online poll by the Royal Australian College of General Practitioners (RACGP), use of AI scribes by doctors in Australia nearly doubled from 22% in August 2024 to 40% in November 2025.

Companies offering the technology to practitioners say it has been used hundreds of millions of times across the globe in the past 18 months alone as doctors seek to ease the administrative burden of patient consultations.

The House of Representatives commences inquiry into cyber security for small to medium sized businesses and Organisations

The House Select Committee on Cyber Security for Small to Medium Sized Businesses and Organisations was established by a resolution of appointment that passed the House of Representatives on 4 June 2026.

The Committee will inquire into:

  1. the cyber maturity of Australian small to medium sized businesses and organisations, including not-for-profit organisations;
  2. the adequacy, appropriateness and accessibility of guidance provided to small to medium sized businesses and organisations by Government in relation to cyber security;
  3. whether there are appropriate standards for small to medium sized businesses and organisations in relation to cyber security;
  4. the ease for small to medium sized businesses and organisations to procure appropriate cyber security services in Australia;
  5. the importance of training for employees on good cyber security practices to the overall cyber security of small to medium sized businesses and organisations;
  6. the impact of cyber security maturity on the feasibility for small to medium businesses and organisations to participate in Government and large corporate supply chains; and
  7. any other related matters;

The Committee will present its final report by 31 March 2027.

The relevant page on the

Prime Minister’s bank records accessed, breach of privacy

July 2, 2026

People looking into other people’s bank accounts without authority is a longstanding and chronic problem in banks and other financial institutions. It gave rise to a groundbreaking case recognising a cause of action for breach of privacy in Canada, Jones v Tsige, in 2012. Often the breaches involve a person checking on the accounts of a family member, partner or neighbour.  Banks have quite good controls to detect such suspicious activity.  The almost invariable outcome is instant, quiet termination.  But the unauthorised access to Prime Minister Albanese’s banking records is not low key and the result has not been quiet dismissal.  As The Australian reports in “Ernst & Young graduate charged over allegedly accessing prime minister’s bank details”, it has been high profile and charges have been laid against the alleged snooper.  As the story notes, the bank in question, the CBA, discovered the breach when its internal system triggered a flag.  That is the common method.

While the Prime Minister almost certainly has a claim for serious invasion of privacy against the EY graduate, whether he does anything is another question.

The article provides:

A graduate from Ernst & Young has been charged after allegedly accessing the prime minister’s banking details.

Another person has also been charged in connection with the alleged incident, who is understood not to be employed by EY.

It is alleged they accessed the material while one of the pair was on secondment at the Commonwealth Bank.

The EY graduate was terminated from their employment after an internal investigation.

CBA is believed to have alerted EY after the bank’s internal system triggered a flag.

The Australian Federal Police said they charged two Sydney men on May 6, with allegedly accessing restricted personal banking data belonging to a federal parliamentarian.

New South Wales Auditor General highlights inadequacy of security and privacy protections in NSW public schools

June 29, 2026

Schools are mass collectors of data, much of it very sensitive. Details of children enrolled in classes, their medical and psychological issues are enthusiastically collected. Phone numbers and addresses of parents, guardians and other relatives are provided to schools. Today the Auditor General in New South Wales released a report highlighting the problems with the current system in NSW schools.

It is very much a mixed report card.  While the department has structures and policies in place, implementation and monitoring are very imperfect.  There is a real problem with the apps schools use, with much sensitive data accessible by third-party providers.

The department states there were 491 suspected data breach matters resolved from 2023 to 2025 that involved student information:

    • 435 matters were assessed as being a data breach but not an eligible data breach
    • 6 matters met the threshold to constitute an eligible data breach
    • 1 matter was assessed as a non-department data breach
    • 35 matters were assessed as not being a data breach
    • 12 were not data breaches but involved related queries from schools
    • 2 were duplicate

In 83% of cases the suspected data breaches in 2024–25 were the result of human error, such as access control errors, email errors, permission-to-publish errors and staff misconduct. Other causes included loss or theft (7%), system faults (5%) or cyber incidents (3%).

Incidents

  • The personal mobile phones of 2 department staff were compromised through SIM-swap attacks that compromised both their personal and department accounts. The threat actor accessed the personal information of students, staff and
  • This breach was classified and handled as an eligible data breach, and the department notified affected individuals (with the help of ID Support NSW) and the The department advised it took other actions in response to the breach including:
    • moving staff members who fell victim to the attack from text message multi-factor authentication to Microsoft authenticator with passkeys
    • completing an internal audit to ascertain and revise down the extent of the personal information accessed by the threat actor
    • engaging external service providers to ensure the department had met the regulatory requirements under the privacy legislation
    • implementing phishing-resistant multi-factor authentication software for all employees (currently within the pilot phase).

Unauthorised disclosure of information

  • A school shared photos of 3 students on its Facebook page without parental consent and despite enrolment forms indicating no permission. After a family raised concerns via email, the school removed the
  • A staff member used the school’s third-party school administration system to send text messages to parents about their child’s absence from school. Instead of the text messages going only to the children’s parents, they went to the children’s emergency contacts and other children’s parents. After identifying this breach, the school reverted the settings on the third-party school administration system to their correct
  • A community member found volumes of school paper records containing student information dumped at a building construction site. The department recovered and digitised the records.

The snapshot of the report provides:

Key findings

The department has established a range of controls to manage the security and privacy of student information

Over the last 3 years, the department has strengthened its controls by uplifting cyber security capability, centrally contracting key third-party IT vendors, developing specific policy frameworks, and providing professional learning and centralised supports for schools.

Technical responsibilities have been allocated to school principals without sufficient departmental oversight

The department does not clearly define the specific risks to student information that schools must manage, nor provide clear operational guidance or proactive support to monitor how legislative and policy requirements are met in practice at the school level. With principals relying on their own judgement and capacity, practices are inconsistent and in some cases non-compliant.

Five eyes release statement on cyber security. A call to action

The Five Eyes is a grouping of the United States, Australia, United Kingdom, New Zealand and Canada which collaborates on signals and military intelligence and, most recently, cyber defence. Last Friday the Five Eyes issued a statement about dealing with cyber risk.

The AI shift in cyber risk: why leaders must act now

As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead.

A call to action

While AI will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats.

Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.

In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value. We urge leaders to:

    • understand and assess risk, readiness and accountability
    • prioritize foundational cyber security practices and controls
    • empower cyber leaders with authority and resources
    • stay actively engaged as threats and guidance evolve

Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.

The urgency is clear

AI is not a future consideration – it is already here.

It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, AI offers powerful tools to strengthen defence.

A whole-of-organization and whole-of-society response is required

Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence – not just improve efficiency.

Key Actions for Leaders

Core principles:

    • Secure-by-design and secure-by-default must become standard practice – not an
    • Resilience cannot depend on a single solution or Defence in depth remains essential.
    • As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero-day vulnerabilities.

Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.

Practical actions

These actions are not new, but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure:

    1. Reduce your attack surface: Limit unnecessary system access and external Challenge whether systems need to be exposed at all and isolate those that do not.
    2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
    3. Address legacy systems: Unsupported systems are easy They are not just technical debt, they are strategic liabilities.
    4. Review and strengthen identity and access controls: Limit who can access critical Enforce strong authentication and regularly review permissions.
    5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

Use AI to strengthen defence

Adversaries are already using AI to move faster and more effectively. Defenders must do the same.

Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents.

Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.

We must act now

The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.

Cyber resilience is not an IT issue – it is central to operational continuity and market trust. Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.

The above statement may be unusual and significant but the thrust of the recommendations and the concerns raised have been well known by practitioners involved with cyber security and privacy.

Frontier AI models have been identified as adept at identifying software vulnerabilities and developing exploits on the hacking side of the ledger, and at defensive activities such as patching.

The recent development of cyber-related capabilities in the latest generation of AI models, especially Anthropic’s Mythos and OpenAI’s GPT 5.4-Cyber, democratises hacking.  Sophisticated data breaches which were previously undertaken only by skilled hackers can now be carried out by those with less expertise.

On June 2, 2026, President Trump signed an Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security to establish a framework for secure development of frontier AI models and an “AI cybersecurity clearinghouse” to facilitate vulnerability coordination and remediation, among other initiatives. That was followed by National Security Presidential Memorandum 11, on June 5, 2026, directing the military, intelligence agencies, and relevant federal departments to accelerate the adoption of AI for national security applications.

It is critical to review and respond to changing cybersecurity risks. New risks and challenges will arise and organisations need to consider how to respond to and protect against threats operating at the speed and scale of advanced AI.

Notwithstanding the changing landscape, fundamental governance principles and underlying controls will continue to be key risk mitigators.  That will apply even if organisations incorporate AI capabilities, including the use of agentic AI, into their cyber defenses.

In reviewing cyber defences, approach the exercise methodically, which means:

Determine whether existing risk management protocols align with AI-related cyber risks: Frontier AI models accelerate and scale vulnerability discovery.  That can mean decision time frames are compressed and the scope of threats increases.  Organisations that provide and maintain

Privacy Commissioner publishes investigation into Medmate Australia. The use of tracking pixels to collect and use personal information.

June 28, 2026

The Privacy Commissioner recently completed an investigation into Medmate Australia. The issue was the use of tracking pixels to collect information without consent between April 2021 and 9 December 2024.  It is a very detailed analysis of a means of data collection which has not been the subject of consideration by the regulator before.

FACTS

Medmate is a:

  • corporation which was registered in Australia in 2018.
  • wholly owned subsidiary of Medmate Group Pty Ltd (ACN 628 464 255).
  • provider of a wide range of health services including:
    • telehealth consults,
    • online prescriptions, medical certificates, mental health support and weight loss program.

Medmate owns and operates the Website, which advertises and details the services it offers and provides a means by which individuals may request telehealth appointments or purchase prescriptions.

The OAIC published its guidance on the application of the Privacy Act to tracking pixels in November 2024 and then undertook a preliminary scan of 50 health service provider websites and their use of tracking pixels [20]. That is both good policy and good practice.

On 9 December 2024, the Commissioner commenced an investigation under s 40(2) into Medmate’s use of tracking pixels on the Website for the period of April 2021 until 9 December 2024. 

Regarding its use of pixels Medmate:

  • commenced use of:
    • tracking pixels from April 2021;
    • the Meta Pixel on 21 April 2021 [36].
  • engaged external media agencies to manage its use of tracking pixels on its Website [37].
  • did not undertake any privacy impact assessments prior to the deployment of tracking pixels [38].
  • utilised tracking pixels for:
    1. advertising and analytics;
    2. tracking the success of campaigns and conversions; and
    3. identifying user behaviour trends to streamline operations, improve patient engagement and enhance the provision of healthcare services through website and app improvements [39].
  • as of 9 December 2024, Medmate had 2 active tracking pixels on the Website;
    • the Meta Pixel – Page view, which tracks when an individual views a page on the Website (and includes Base Pixel Data); and Purchase, which tracks when an individual completes a purchase on the Website, and whose parameters also included order ID, value and currency.
    • TikTok Pixel [40] – Page view tracks when an individual views a page on the Website (and includes Base Pixel Data). View content tracks when an individual views content or a specific product including telehealth, express consult and medical certificate. It enables full URLs, hashed email address and phone numbers to be transmitted to TikTok when individuals browse the Website. The full URLs transmitted via the TikTok Pixel included, in some circumstances, health conditions or medication sought, based on an individual’s actions.

DECISION

A tracking pixel is a tracking tool that permits granular user surveillance across the internet and social media platforms. It allows brands to pay a premium to third-party platforms to deploy the right ad to the right person at the right time [4].

The use of tracking pixels without appropriate due diligence risks contravention of the Privacy Act and the APPs [8].

Tracking pixels take various forms including tiny, transparent images that can be embedded by entities on webpages via a broad range of HTML and JavaScript code [9] which function to collect information about individuals’ activities on a webpage.

Social media platforms offer entities platform specific tracking pixels for integration and use [10].

A tracking pixel operates by:

  • serving as an external channel to the Pixel Provider;
  • having HTML or JavaScript code containing a URL pointing to the Pixel Provider’s server, so that when an individual loads a webpage containing a tracking pixel, their browser triggers a request to the Pixel Provider’s server;
  • having the request transmit information collected by the tracking pixel to the Pixel Provider’s server; and
  • having the Pixel Provider’s server record the information in its log files [11].
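
To make that mechanism concrete, the following added example (not taken from the OAIC’s investigation or from Medmate’s Website) audits a list of captured browser request URLs and reports what each request to a third-party host discloses: the full page URL and hashed identifiers. The hosts, the parameter names `ev`, `dl` and `em`, the sensitive-term list and the sample requests are all constructed for illustration.

```javascript
// Added example: audit captured request URLs for tracking-pixel disclosure.
// Every host, parameter name and sample request here is constructed.

const FIRST_PARTY = "clinic.example"; // hypothetical site under audit

// Hypothetical list of path/query terms the auditor treats as health-related.
const SENSITIVE_TERMS = ["weight-loss", "mental-health", "medical-certificate", "prescription"];

// A 64-character hex string has the shape of a SHA-256 hashed email or phone number.
const SHA256_HEX = /^[0-9a-f]{64}$/i;

function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Inspect one outbound request and return what it discloses, or null if it
// stays first-party or carries nothing of interest.
function auditRequest(requestUrl) {
  let url;
  try { url = new URL(requestUrl); } catch { return null; }
  if (!isThirdParty(url.hostname)) return null;

  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (SHA256_HEX.test(value)) {
      // Hashing does not remove the risk: the value is still a stable identifier.
      findings.push({ param: name, issue: "hashed-identifier" });
      continue;
    }
    // A parameter whose value is itself a first-party URL is the "full URL" case.
    let embedded;
    try { embedded = new URL(value); } catch { continue; }
    if (isThirdParty(embedded.hostname)) continue;

    const haystack = safeDecode(embedded.pathname + embedded.search).toLowerCase();
    const terms = SENSITIVE_TERMS.filter((term) => haystack.includes(term));
    findings.push({
      param: name,
      issue: terms.length > 0 ? "full-url-sensitive" : "full-url",
      terms,
    });
  }
  return findings.length > 0 ? { host: url.hostname, findings } : null;
}

function auditAll(requestUrls) {
  return requestUrls.map(auditRequest).filter(Boolean);
}

// Constructed sample: what a browser might send while a visitor uses the site.
const HASHED_EMAIL = "a1".repeat(32); // placeholder with the shape of a SHA-256 digest
const SAMPLE_REQUESTS = [
  "https://clinic.example/assets/app.js",
  "https://pixel.tracker.example/collect?ev=PageView&dl=" +
    encodeURIComponent("https://clinic.example/consult/weight-loss?medication=example") +
    "&em=" + HASHED_EMAIL,
  "https://pixel.tracker.example/collect?ev=PageView&dl=" +
    encodeURIComponent("https://clinic.example/"),
  "https://cdn.other.example/lib.js?v=3",
];

console.log(JSON.stringify(auditAll(SAMPLE_REQUESTS), null, 2));
```

Requests flagged `full-url-sensitive` or `hashed-identifier` are the ones to review first when assessing whether a page should carry a pixel at all.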

Entities that embed

Singapore Personal Data Protection Commission commences consultation on guidelines regarding the use of generative artificial intelligence in the context of personal information under the Personal Data Protection Act

June 5, 2026

Generative Artificial Intelligence (GenAI) poses two major challenges/threats to organisations’ privacy obligations; namely the proper use and storage of personal information. The first challenge is that by using personal information of others in conjunction with GenAI it is likely that that personal information will find its way into the mass of data collected and used by GenAI in training itself. It could easily be used to assist another party using GenAI. That is a data breach. The second problem with GenAI is that it is supercharging hackers in locating weaknesses in cyber security.

The PDPC noted that the Advisory Guidelines are organised across three stages of the Gen AI lifecycle.

First, the development stage.  The PDPC addressed the application of the publicly available exception to web-scraped datasets.  Organisations are required to provide AI-specific notifications, rather than general notifications, when seeking consent to use personal data for Gen AI model training and fine-tuning.

The deployment stage.  There are

US President issues executive order requiring agencies to upgrade cyber defence with the assistance of AI

June 3, 2026

AI is topical at all levels and in all industries. The advantages, dangers, winners and losers. AI is particularly effective in detecting cyber weaknesses. Together with quantum computing it threatens to upend modern cyber defences. But it can also be used to enhance cyber security. Hence yesterday’s Executive Order by the President of the United States titled Promoting Advanced Artificial Intelligence Innovation and Security.

The Executive Order mandates that the Secretary of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), must:

  • issue directives to expedite the cyber defense of civilian federal systems;
  • expand federal programs that utilize AI-enabled defensive tools; and
  • facilitate access to cybersecurity services for state and local authorities, as well as critical infrastructure operators like rural hospitals and community banks.

The Secretary of the Treasury, the National Security Agency (NSA), and CISA will create a voluntary AI cybersecurity “clearinghouse” to coordinate the identification and remediation of software vulnerabilities.

The Director of the Office of Management and Budget (OMB) will evaluate federal grant programs to identify funding for advanced AI vulnerability detection.

The Executive Order requires the creation of a benchmarking process to evaluate the cyber capabilities of AI models and determine which should be classified as a ‘covered frontier model.’ It outlines a voluntary framework for AI developers to:

  • collaborate with the Federal Government to identify if models under development meet the frontier model criteria;
  • grant the government access to these models for up to 30 days prior to their public release; and
  • partner with the government to select trusted entities for early access to promote secure innovation.

The Attorney General (AG) is directed to prioritise the enforcement of federal criminal laws against individuals who use AI to gain unauthorized access to or damage computer systems. This priority includes cases where AI agents are employed to unlawfully access data for criminal purposes or to breach public and private information technology systems.

The Executive Order provides:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered:

Section 1.  Purpose.  The United States continues to lead the world in Artificial Intelligence (AI) because of the enormous talent and innovation of our AI industry, and because we refuse to stifle this innovation with overly burdensome regulation.  My Administration has unleashed tremendous technological growth and economic investment in AI by slashing the bureaucratic constraints that the prior administration placed on America’s AI developers and researchers, and by instead encouraging AI innovation and accelerating responsible AI adoption across government and industry. 

Advanced AI capabilities make our Nation stronger, but also introduce new national security considerations that require coordinated action across executive departments and agencies (agencies), and components.  As these capabilities evolve, my Administration will continue to work closely with industry to ensure that the best and most secure technology is deployed rapidly to confront any and all threats to our country.  We will continue to lead an America First cybersecurity effort that enhances both our national security and our global AI dominance.

It is the policy of the United States to promote AI innovation and security by working collaboratively with the private sector to modernize government and private sector information systems and harden them against external threats; to protect American ingenuity and intellectual property from exploitation and theft by adversaries; and to cultivate America’s advanced AI-enabled capabilities.

Sec. 2.  Upgrading American Systems for Advanced AI.  (a)  Within 30 days of the date of this order, the Committee on National Security Systems shall prioritize the cyber defense of National Security Systems, as defined in 44 U.S.C. 3552(b)(6)(A), by taking appropriate and expeditious action consistent with the purpose of this order.

Melbourne International Film Festival suffers data breach

June 2, 2026

I was long an avid attender of the offerings of the Melbourne International Film Festival (“MIFF”) over a 2 1/2 week period. When I started attending tickets were printed out and the program was an insert in the Age and at the box office. No longer. It is all very digital now. And the MIFF has a large database, which included my details. On Monday the MIFF emailed me about a privacy incident. It has apparently affected 26,000 customers.  The means of access was through a third party provider, here a ticketing platform.

The email stated:

We are writing to inform you of a privacy incident that has affected the personal information of a small proportion of MIFF customers.

If you did not receive a separate notification email, your information was not affected.

We understand that news like this may be concerning, and we sincerely apologise for any worry or inconvenience this incident may cause. Protecting the information entrusted to us is extremely important, and we are taking this matter very seriously.

What happened

On 29 May, MIFF’s ticketing provider, Ferve, identified unauthorised access to its ticketing system. As soon as the activity was detected, access to the system was temporarily suspended while investigations commenced.

On 30 May, further unauthorised access to the Ferve ticketing system occurred, and some customers received emails or SMS messages sent directly through the system without authorisation.

MIFF and Ferve are continuing to investigate the incident, determine the full scope of the impact and implement additional security measures to help prevent a similar incident from occurring in the future.

The Privacy Commissioner releases a report of a survey on Australian Community Attitudes to Privacy

June 1, 2026

The Privacy Commissioner has released the 2026 survey into Australian Community Attitudes to Privacy. The Privacy Commissioner conducts a survey annually.  As with previous years, it reveals that Australians value their privacy and are concerned about modern practices which interfere with that privacy.  Not surprisingly, the concerns are greater now than 5 years ago and the trust lower.

The Commissioners’ foreword provides:

Australians’ expectations about privacy continue to sharpen as the information ecosystem becomes more complex, data-intensive and difficult to navigate. The 2026 Australian Community Attitudes to Privacy Survey (ACAPS) points to a community that places a high value on privacy, but does not consistently experience privacy protections as workable in practice. Trust is uneven across sectors, and wariness of emerging technologies is increasing, particularly in terms of fairness, accountability and the practical ability to exercise rights. Australians want greater transparency, more proportionate collection of personal information, and a fairer go when using digital services.

The right to privacy and the right to access information are protected and promoted by the Office of the Australian Information Commissioner (OAIC). The ACAPS findings go to broader issues beyond privacy such as information access and encompass the full range of the OAIC’s regulatory 2025-26 priorities, which include a focus on rebalancing power and information asymmetries, and rights preservation in new and emerging technologies. This survey builds on the cross-jurisdictional 2025 Information Access Study, which showed Australians expect accountability, transparency, and clear access to government information – particularly where technology such as artificial intelligence (AI) is being used to support automated decisions.

Just as technology is proving to be a means to rapidly transmit information its deployment is impacting public trust. This is because data handling is arguably not keeping pace with community expectations, and hampering Australians’ engagement in the digital economy. Greater confidence in how personal information is handled would increase Australians’ willingness to use digital services or programs that require sharing personal information. Around two-thirds (68%) say they would be more likely to use such digital services if they felt their data was handled fairly and responsibly.

ACAPS shows that while 93% say protecting personal information is important to them and 87% say they are more concerned about privacy than 5 years ago, many do not feel able to act on that concern day-to-day. Consent is often experienced as a gateway: 65% say sharing information rarely or never feels like a genuine choice and 68% say the same about consent. A substantial proportion of the community (78%) report very little or no real control over how their personal information is collected and used, and 52% say they accept sharing because they might otherwise miss out on essential services or opportunities. This points to persistent power and information asymmetries not addressed by notice and consent alone.

Australians also draw clear fairness boundaries. Only 10% say organisations’ real-world data practices are usually fair, while 35% say they are mostly or always unfair. Fairness concerns appear to concentrate around disproportionate collection, limited or unrealistic opt-out, and situations where benefits are perceived to flow mainly to organisations. There is strong rejection of practices associated with data brokerage and advertising technology, alongside expectations for stronger limits on collection, retention and secondary uses. Australians feel that when an entity collects their personal information for one reason, it is often not fair or reasonable for them to use it for another reason. For example, 93% say it is not fair and reasonable for an entity to use the personal information they collected to provide a product or service to train AI models. The survey also indicates a strong boundary around using personal information to train AI systems after a service they have received has ended (71% say this is unacceptable), reinforcing the importance of purpose limitation and lifecycle controls.

Expectations are clear for new and emerging technologies. AI is a widely recognised privacy risk (69%), trust in AI companies is low (4%), and acceptance of AI uses involving personal information appears contingent on protections that make high impact uses transparent and contestable. Australians most frequently prioritise a right to human review (81%), limits on how personal information is retained by third-party providers (80%), and being told when AI is being used (79%). This underscores the importance of the forthcoming automated decision-making (ADM) transparency obligation, which will require regulated entities to disclose the use of AI and ADM in their privacy policies from December 2026.

As the government sector expands its use of technology to inform decision making and deliver services, preservation of information access rights is increasingly important.

This emphasis on transparency was mirrored in the 2025 Information Access Study that found a significant majority of Australians (86%) also agree that the government must publicly report on any technology used to inform freedom of information decision-making (including AI and automated decision-making). The OAIC’s January 2026 report into ADM highlighting transparency obligations under the FOI Act shows that much needs to be done to ensure Australians are aware of how their information is used by government agencies. As a responsive regulator, the OAIC is focused on strengthening the information governance of the Australian Public Service and ensuring timely access to government information. In providing the ADM Report and guidance to government agencies, the OAIC recognises the efficiency and productivity gains that can be delivered through technology to a community that is confident to engage with digital services and better equipped to exercise related rights, including seeking a review of a government agency decision.

ACAPS highlights the gap between formal rights and lived experience. Two in 5 Australians (40%) say they do not really know what data organisations hold about them or how to access it, and only 11% say they can easily access their data and request corrections or deletion. Even where concerns arise, action is not assured: 64% had concerns in the past year, but 52% did not raise them, often because they felt it would not make a difference (56%), would be too hard or time-consuming (51%), or they did not know how (40%). This reinforces the importance of clear, timely and accessible pathways for access and redress.

Australians demand transparency, both in understanding their privacy rights, how their information is used, and in embracing their right to access that information. Improving transparency will strengthen the community’s already active engagement with these systems and safeguard a healthy, informed and vibrant democracy.

Some of the findings are:

  • 93% say protecting personal information is important to them, and 87% say they are more concerned about their privacy than they were 5 years ago
  • Almost all respondents (98%) say organisations that collect, use or share personal information should be responsible for protecting privacy even if no immediate harm occurs, with 86% viewing this responsibility as very strong.
  • Around two-thirds (68%) say they would be more likely to use digital services requiring personal information if they believed their data was handled fairly and responsibly
  • Nearly all (96%) say some conditions should be in place before AI is used
  • Around 7 in 10 Australians (71%) consider it somewhat or very uncomfortable for organisations to use personal information originally provided for a service to train AI systems after that service has been completed.
  • Acceptance is lowest for automated eligibility or risk-based decisions, such as loan approvals or benefit eligibility, with only one-quarter (25%) viewing this as acceptable
  • 78% report very little or no control over how their personal information is collected and used
  • Regarding consent, 65% say sharing information rarely or never feels like a genuine choice and 68% say the same about consent. 52% say they accept sharing because they might otherwise miss out on essential services or opportunities
  • Around 9 in 10 Australians (92%) say data collection can be acceptable under certain conditions, particularly where:
    • the purpose is clear (69%),
    • consent or opt-in is available (68%),
    • collection is limited to what is necessary (66%), and
    • there is the ability to opt out of non-essential collection (61%).
  • 73% (vs 64% in 2023) experienced a privacy concern in the past 12 months
  • The most common concerns were being unable to unsubscribe from marketing (41% vs 25% in 2023) and having information used for unsolicited direct marketing (38% vs 21% in 2023)
  • Among those who experienced a concern, 70% (vs 55% in 2023) reported more scams/spam, 46% (vs 53% in 2023) reported loss of trust and 39% reported loss of control
  • Around three-quarters (77%) of Australians whose data was involved in a breach experienced at least one form of harm, while exposure to scams and spam increased and was the most common impact (62% vs 52% in 2023).
  • Only 10% say organisations’ real-world practices are usually fair, while 35% say they are mostly or always unfair
  • Around 9 in 10 say it is not fair and reasonable to use personal information for selling/trading personal information (96% vs 87% in 2023), online tracking, profiling and targeted advertising to children (96% vs 89% in 2023) or other vulnerable individuals (95% vs 88%), unnecessary location tracking (94% vs 87%), training AI models/products (93%), significant AI-informed decisions (91% vs 70%), differential pricing (91%), or targeted advertising based on sensitive data (91% vs 84% in 2023). Around 7 in 10 (71%) consider it unacceptable for organisations to use personal information provided for a service to train AI systems after the service has been completed
  • Individuals view the provision of basic identifiers to access a service as reasonable, but 92% say there are some types of information organisations should never collect. Information about sexual orientation (72%) and biometrics (71%) feel excessive or unjustified in most situations, regardless of the organisation or purpose
  • Trust remains highest for health service providers (74%) and government agencies (68%), but has fallen across insurance, telecommunications, technology, retail and real estate sectors since 2023. Trust is lowest for social media companies (3% vs 14% in 2023), data brokers and AI companies (4%).
  • 40% do not really know what data organisations hold about them or how to access it, while 11% say they can easily access their data and request corrections or deletion
  • 64% had concerns in the past year, but 52% did not raise them. Among non-complainants, 56% said it would not make a difference, 51% said it would be too hard/time-consuming, and 40% did not know how. Among those who did complain, only 9% said the issue was resolved to their satisfaction
  • Confidence in privacy complaint handling varies by sector, with banks and financial institutions (46%), health services (42%) and government agencies (41%) rated highest, and very low confidence in online retailers (4%) and social media platforms (3%).
  • 93% support a legal right to request deletion of personal information, and there is strong support for extending equivalent privacy obligations to currently exempt sectors
  • The biggest privacy risks identified by Australians include:
    • data breaches (82%, up from 74% in 2023)
    • organisations not storing personal information securely (77%, up from 60% in 2023)
    • scammers attempting to access personal information (75%, up from 71% in 2023)
    • organisations sending information overseas (70%, up from 50% in 2023)
    • concern about AI systems using personal information (69%, up from 43% in 2023).

    Together, these findings suggest that perceived privacy risks are linked to weaknesses in organisational systems, poor information handling and security by organisations, and harmful actions by outside parties.
