The Office of the Australian Information Commissioner's latest Australian Community Attitudes to Privacy Survey released 8 Aug. provides a comprehensive overview of Australians' privacy attitudes and experiences and how they have been impacted by recent events.

ACAPS is a longstanding study commissioned by the OAIC, published approximately every three years to evaluate Australians' awareness, understanding, behavior and concerns about privacy.

The research has evolved since the first survey in 1990 to reflect the changing environment. ACAPS 2023 tested attitudes on topics such as data practices, privacy legislation, data breaches, biometrics, artificial intelligence and children's privacy.

This year's ACAPS provides important insights to increase community trust and confidence in the protection of Australians' personal information. Among the key themes are:

• Australians care about their privacy. Nine in 10 Australians surveyed have a clear understanding of why they should protect their personal information, and 62% see the protection of their personal information as a major concern in their life.
• Australians don't feel in control of their privacy and don't know what to do about it. Only 32% feel in control, and half believe if they want to use a service, they have no choice but to accept what the service does with their data. Three in five care about their data privacy, but don’t know what to do about it.
• Most Australians have had a negative privacy experience. Forty-seven percent were told by an organization their personal information was involved in a data breach in the year prior, and three-quarters said they experienced harm because of a data breach.
• Australians have strong feelings about certain data practices. Nine in 10 are concerned about organizations sending customers' information overseas. Ninety‑six percent want conditions in place before artificial intelligence is used to make decisions that might affect them.
• There are high levels of distrust. Only four sectors (health, federal government, finance and education) are more trusted than not by Australians to handle their personal information. Less than half of people trust organizations to only collect the information they need, use and share information as they say they will, store information securely, give individuals access to their information and delete information when no longer needed.
• Australians want more done to protect their privacy. Eighty‑four percent want more control and choice over the collection and use of their information. Around nine in 10 Australians would like businesses and government agencies to do more to protect their personal information.

The OAIC will use the findings to inform its ongoing input into the review of the Privacy Act 1988 and to target its activities at areas of high concern among the community.

Electronic Frontiers Australia, of which I am a board member, is a not-for-profit organization representing internet users concerned with digital freedoms and rights. The organization strives to protect and promote the civil liberties of users of digital communications systems, and of those affected by their use, and to educate the community at large about the social, political, privacy and civil liberties issues involved in the use of digital communications systems.

The key takeaways from EFA's perspective:

• Australians continue to remain particularly uncomfortable with personal data aggregators or platforms that track their location and surreptitiously siphon off their personal data from their mobile or web browser for either unrelated or unwanted internal use or worse, external monetization.
• Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear, with a high proportion of Australians considering an organization asking for information that doesn't seem relevant to the purpose of the transaction as a significant misuse.
• Community concerns regarding data privacy remain high and the survey data indicates quite clearly that numerous organizations either routinely collect more personal information than is needed to provide a product or service, are using that data in unexpected ways, or are selling off personal data for profit, making Australians extremely uncomfortable and creating a significant trust deficit.

Given the heightened number of data breaches reported and especially the significant data breaches that captured government, regulator and public attention — like Optus, Medibank and Latitude Financial — it is clear that our personal data is no longer the "new oil" forming the basis of our digital economy.

Call to action

Australian consumers are becoming increasingly aware of their privacy risks, they are developing a better understanding of what privacy means to them in the digital environment, and how an organization manages consumer privacy may be a make-or-break factor when deciding to deal or continue dealing with an organization.

The privacy landscape is rapidly shifting globally as new laws seek to close the gap between consumer privacy protections and technological advancements. The final report into review of the Privacy Act by the Australian Attorney-General's Department was published in February. It is likely we will see a detailed bill making wholesale and wide changes to this law in the first half of 2024. 

An organization's mismanagement or lack of appropriate investments for privacy and data protection risks can result in serious financial and nonfinancial loss, reputational and brand harm and the loss of consumer trust. Now is the time to start planning for the impact of these regulatory changes and mapping out your future state privacy strategy.