Data Privacy Statistics Australia (2025)

From online scams to phishing, data breaches to malware attacks, you must never let your guard down when using the web.

These days, personal data is the most precious commodity. Each time you go online, you put yourself at risk. Everyone must understand how to promote data privacy, especially in our interconnected digital world.

What privacy means to Australians

For Australians, privacy means that their personal information is kept confidential and secure and that their data is not collected without permission.

The latest Australian Community Attitudes to Privacy Survey in 2023 revealed that 3 out of 5 Australians, or 62% of all Australians surveyed, recognise the importance of protecting their personal information. This is a good start towards improving privacy awareness and protection in the country.

This post will discuss how Australia promotes data privacy, covering key statistics, consumer perspectives, and the role of legislation in promoting data privacy. We will also highlight the key emerging trends in data privacy within Australia and the rest of the world. 

The Current Landscape of Data Privacy in Australia

Historical Context and Key Regulations

The Privacy Act 1988 promotes and protects the privacy of Australians and regulates how government agencies and various organisations handle information. 

The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to organisations and government agencies or “APP entities.” It also regulates the privacy of the consumer credit reporting system, tax file numbers, and health and medical data.

The 13 Australian Privacy Principles state how personal information must be collected, used, stored, disclosed, and accessed. These principles ensure transparency, accuracy, security, and individual access rights.

Role of OAIC (Office of the Australian Information Commissioner)

The Office of the Australian Information Commissioner (OAIC) is Australia’s primary data privacy regulator. It enforces the Privacy Act by investigating complaints, conducting audits, and taking enforcement actions against organisations that violate data privacy laws.

The OAIC investigates complaints from individuals who believe an organisation has violated their privacy and issues warnings or initiates legal proceedings against non-compliant entities.

The commission clearly explains the Privacy Act through guidelines, publications, and advice. These help businesses and individuals comply with data privacy regulations with best practices for collecting, storing, and using personal information.

The Largest Data Breaches in Australia

Several major data breaches have affected Australians in different aspects of their lives. The following were the most controversial.

Latitude

Date of Incident: March 2023

14 million clients of the Australian personal loan and financial organisation were affected by a data breach. The attack compromised customer data, including their full names, addresses, email addresses, phone numbers, dates of birth, passport numbers, and driver’s license numbers.

Latitude’s data breach led to the extension of federal agencies’ ability to intervene in private cyber attack cases. The financial company was also investigated for its lack of preventive actions and sued in a class action lawsuit.

Optus

Date of Attack: September 2022

9.8 million Optus customers were affected by a data breach that was so significant that it triggered doubts about the government’s data security policies. The number of victims was staggering, equivalent to 40% of Australia’s population!

The cybercriminals were believed to be part of a state-sponsored operation and compromised records dating as far back as 2017. The compromised personal data included customer names, birth dates, addresses, phone numbers, passport information, driver’s license numbers, government ID numbers, and medical records.

Optus revealed this was an extremely sophisticated attack as hackers published data samples on online forums a few days after the attack. The hackers also demanded A$1.5m ransom in cryptocurrency but changed their minds a few days later due to pressure from law enforcement. 1.2 million customers filed a class-action lawsuit against Optus in April 2023.

Medibank

Date of Attack: December 2022

9.7 million Medibank customers were victims of a major data breach in December 2022. Reports claimed that the attack was organised by a popular Russian ransomware group called the REvil gang.

The breach was initially discovered after REvil posted on the dark web that they had 6GB of raw data samples and demanded a $10 million ransom. The attack compromised customer names, birthdates, passport numbers, medical claims information, and medical records.

The Medibank attack was one of the biggest data breach incidents in the country, but despite this, Medibank refused to pay REvil the ransom. The OAIC is investigating Medibank regarding its information-handling processes and may fine it $50 million if it does not have sufficient security practices.

ProctorU

Date of Attack: July 2020

ProctorU, an online tutoring service, suffered a data breach that affected 444,000 students. Their data was leaked for free on the dark web, and experts believe that the incident was part of a major leak that affected 18 companies and compromised 386 million records.

Australian Parliament House

Date of Attack: February 2019

The 2019 Australian Parliament House cyberattack affected multiple political party networks, including those of the Liberal, Labor, and Nationals parties. Experts believed a nation-state group, speculated to be from China, carried out the attack.

The incident breached Australian Parliament House networks, possibly in retaliation for Australia’s banning Huawei and ZTE from its 5G network. The attackers used phishing tactics to steal credentials using an infected external website. While some data was stolen, the Australian Signals Directorate reported that none was classified as sensitive.

Data Breach Incidents by Sector in Australia

The OAIC’s Notifiable Data Breaches Report from July to December 2023 revealed the agency received 483 notifications of data breaches, an increase of 19% from the previous period.

Top 5 sectors to notify breaches

104 of the reported data breaches came from the health service sector, while 49 were from the finance industry. Insurance, retail, and government entities were the other sectors that notified data breaches within the period.

Sources of data breaches

The report also revealed the sources of data breaches. 67% of breaches resulted from malicious or criminal attacks, while 30% were due to human error. Only 3% of the incidents were due to faults in an organisation’s security systems.

The three major causes of human error breaches were the following:

  • 33% due to personal information sent to the wrong recipient (email)
  • 20% due to unauthorised disclosure or unintentional release or publication of personal information
  • 10% due to personal information sent to the wrong recipient (mail)

Figure: Cyber incidents (Source: OAIC)

Out of the 211 data breach notifications, 44% were cyber security incidents. 29% were from phishing, 27% were due to compromised or stolen information, 27% were ransomware attacks, 10% were hacking, and 2% were malware attacks.

Key Data Privacy Statistics

Consumer Attitudes and Fears

Data Privacy in Australia According to Gender and Age 

The OAIC further dissected how Australians value their data privacy by considering demographics such as age and gender. 

According to Australians’ Awareness and Understanding of Personal Information Protection, younger Australians are more likely to practice strategies to protect their personal information than older individuals. Also, male respondents are more likely to consider protecting their personal information than females.

Personal information by gender and age

The latest OAIC survey revealed that 18- to 24-year-old Australians are more likely to understand the importance of protecting their personal information than older individuals. Meanwhile, males are more likely to secure their personal information (54% of “agree” and “strongly agree” males compared to 48% of females).

The survey also mentioned that the proportion of people who understand the need to protect their data increased from 85% in 2020. 

Australians’ Top Priorities in Data Privacy

Some Australians may not prioritise data protection, while others consider it a critical part of their online and offline activities. The latest OAIC survey considered these differences and revealed the following results.

Most important aspects of privacy

16% of respondents said the most important element of privacy was “My information is kept secure by whomever I share it with”, and 16% answered, “My personal information is kept confidential.”

Meanwhile, 15% named “My personal information is protected against hackers and cybercriminals” as the most important aspect of data privacy. These three answers account for 47% of Australians, showing consistent views of privacy with no variation by age or gender.

Australians’ Views on Personal Information Control

The Australians’ Awareness and Understanding of Personal Information Protection further examined Australians’ views on controlling their personal information.

Beliefs around control over personal information

The OAIC reports that 4 out of 5 (84%) Australians want more control over how their personal information is collected and used. This view is noticeably consistent in all demographics.

Notably, this proportion is slightly lower than in 2020, when 87% wanted more control over personal data. Also, 3 out of 5 (62%) respondents said protecting their personal information is a major concern.

Focusing on demographics, younger respondents are most likely to feel they are in control over their personal information (0% 18–34 years “agree” or “strongly agree”) but added that they find it too much effort to do so. 

On the other hand, older Australians are least likely to feel they are in control over their personal data (25% 55+ years “agree” or “strongly agree”) and are less likely to think that it is too much effort to do it.

Business Compliance Rates

Australian businesses value data privacy, which safeguards sensitive information and builds trust with their customers and partners. The latest Cyber Security and Australian Small Businesses report highlights how small businesses view cyber security.

The report revealed that 62% of Australian small to medium-scale businesses have experienced a cyber security incident; however, only 1 out of 5 companies know how phishing works. These findings indicate a low level of understanding and poor data security practices in almost half of SMBs.

Regarding the budget allotted for data security, almost half of the SMBs surveyed said they spend less than $500 annually.

Impact on Businesses and Marketers

Consumer Trust and Brand Reputation

A data breach can severely damage a business’s reputation. Research shows that up to a third of retail, finance, and healthcare customers will leave after a breach.

Additionally, 85% will share their experience, and 33.5% will voice their frustration on social media.

News spreads fast, and a data breach can make global headlines in just a matter of hours. Negative press and loss of consumer trust can cause lasting damage to businesses. Consumers will switch to competitors if they think their security isn’t a priority. 

Breaches can also lead to identity theft, enabling hackers to commit fraud. The long-term impact extends beyond customers, affecting investment and hiring.

Regulatory Fines and Penalties

Non-compliance with the Australian Privacy Principles (APPs) has significant financial consequences for businesses and organisations.

  • Civil Penalties

The maximum penalty for corporations for serious or repeated interferences with privacy is $50,000,000.

Meanwhile, knowing or reckless unauthorised use or disclosure of healthcare information can result in a maximum civil penalty of $939,000 for corporations and $187,700 for individuals.

Misusing a My Health Record or breaching the requirements of the MHR Act can lead to a maximum civil penalty of $2,347,500 for corporations and $469,500 for individuals.

  • Criminal Penalties

The use or disclosure of false or misleading credit reporting information, credit information, or credit eligibility information is an offence under the Privacy Act. This is subject to a maximum penalty of $62,600.

Unauthorised use or disclosure of healthcare information is an offence under the Healthcare Identifiers Act and comes with a maximum penalty of imprisonment for two years or $37,560.

For criminal breaches of the My Health Record Act, the maximum penalty is up to five years in prison and/or a fine of $93,900.  

The Privacy Commissioner may issue notices requiring businesses to handle breaches, including hiring independent advisors. They may also order compensation for affected individuals.

Emerging Trends and Future Outlook

Technological Shifts

  • Artificial Intelligence (AI)

According to recent research, 77% of companies are using or considering AI (such as ChatGPT) in their business operations, while 83% said AI is a top priority.

AI privacy will involve encryption, anonymisation, and data protection. As the volume and complexity of data continue to rise, there will be an increased need for stronger security measures to protect personal information.

  • Internet of Things (IoT)

The consumer sector is expected to have the most IoT-connected devices in 2030, with more than 24 billion connected devices worldwide.

IoT will influence data privacy while highlighting user empowerment through advanced encryption, edge computing, decentralised data storage (blockchain), and threat detection. These techniques will safeguard personal information collected by connected devices, allowing greater control over data across IoT.

  • Big Data Analytics

Around 2.5 quintillion bytes of data are created daily, and 70% of this is user-generated content. This vast data generation highlights the importance of big data analytics, which is about extracting valuable insights from massive datasets.

However, balancing data-driven innovation with privacy protection can be challenging, as analysing sensitive personal information may conflict with privacy regulations and ethical considerations. Ensuring responsible data use therefore maintains consumer trust while still allowing organisations to benefit from big data.

Legislative Updates

  • The Privacy Act Review Report of 2023

The Attorney-General’s Department released the Privacy Act Review Report in February 2023, with 116 recommendations coming from stakeholders.

This report highlighted the benefits and privacy risks, and by September, the government had supported reforms but required further consultations.

  • Privacy and Other Legislation Amendment Bill 2024

The Australian government introduced the Privacy and Other Legislation Amendment Bill 2024 in February 2023, implementing 23 of the 25 legislative proposals it had agreed to. The remaining proposals will be addressed through guidance development.

  • Multi-Tiered Civil Penalty System

The bill aims to introduce lower-tier civil penalties for privacy breaches that may not be severe, such as non-compliance with privacy policies.

The OAIC will have the authority to issue infringement notices, with penalties of up to $3.3 million for corporates, $330,000 for lower-tier breaches, and $66,000 for every violation for listed corporations.

  • Children’s Online Privacy Code

The OAIC must develop a Children’s Online Privacy Code within 24 months of the bill’s enactment. This regulation will apply to online services accessed by children but excludes health services. A public consultation aims to collect recommendations from relevant stakeholders, including children’s welfare organisations.

Global Influences

The European Union’s GDPR applies to EU member states. However, its effect extends worldwide. In Australia, regulations are in place to help organisations align with GDPR. 

Figure: Privacy Act vs GDPR (Source: Captain Compliance)

GDPR and Australia’s Privacy Act safeguard personal data, but the main difference is their scope. GDPR has a broader reach and applies to organisations handling EU residents’ data. Meanwhile, Australia’s law applies only to local companies and selected foreign businesses.

To comply with GDPR, Australian organisations must consider the following:

  • Lawful Basis for Processing – Data must be processed under legal grounds, which include consent, contractual necessity, or legitimate interests.
  • Data Subject Rights – Individuals must be able to access, change, delete, or restrict the processing of their personal data. Businesses must provide mechanisms to uphold user rights.
  • Data Breach Notification – Organisations must notify affected individuals and the OAIC of data breaches.

Frequently Asked Questions

1. Do small businesses need to comply with the Australian Privacy Act?

Small businesses in Australia with an annual turnover of $3 million or less are not required to comply with the Privacy Act. However, businesses providing health services or trading in personal information must abide by the Act regardless of turnover size.

2. What constitutes a notifiable data breach under OAIC guidelines?

Under the Notifiable Data Breach scheme, an eligible data breach occurs if:

  • there is unauthorised access, unauthorised disclosure or loss of personal information
  • the data breach is likely to lead to serious harm to one or more individuals
  • the organisation has prevented serious harm with remedial action

3. How can consumers protect their personal data online?

Consumers can protect their personal information online by:

  • Creating complex passwords and avoiding reuse on multiple sites.
  • Adding an extra layer of security to accounts through two-factor authentication.
  • Avoiding access to sensitive information over unsecured public networks.
  • Checking and updating privacy settings on social media and other online platforms.
  • Being wary of unsolicited emails or messages asking for personal information.

4. Are Australian data privacy laws similar to GDPR?

Australian data privacy laws apply only to local entities and certain overseas businesses, while GDPR protects the personal data of European residents across the world.

5. Which industries face the most data privacy scrutiny?

The health services sector faces the most data privacy scrutiny as it reported the highest number of data breaches at 104 incidents. This industry handles patient health information and other personal data, which, when compromised, may lead to disastrous effects. Other sectors that may face scrutiny are the finance, insurance, retail, and government sectors.
