How quickly could your organisation explain where data came from, how it was used, and what happened next?

With Privacy Awareness Week starting Monday, it’s a good time to consider how your organisation handles the moments where individuals question how their information is managed and expect clear, confident answers in return.

Recent findings from the Office of the Australian Information Commissioner show that while 82% of Australians care about protecting their personal information, the majority still lack clarity on what to do about it. At the same time, only around a third feel they have control over how their data is handled.

Individuals are paying attention, but they are relying on organisations to get it right. Trust is no longer assumed but assessed through experience. Those moments where questions are raised are often the first-time privacy becomes visible. They shape how trust is formed, but they are not isolated events. Every interaction involving data contributes to how prepared an organisation is when those questions arise. Trust is built in how data is handled, not just when something goes wrong, but in how organisations operate every day.

 

When does privacy actually become visible to individuals?

Privacy becomes visible when something feels off. A notification about account access from an unfamiliar location. A marketing email that references a conversation you thought was private. A form asking for information that seems unrelated to the service.

From an individual perspective, the expectation is simple. What happened, why it happened, and what it means.

What sits behind that expectation is growing awareness and concern. More than 60% of Australians consider the protection of their personal information a major issue in their lives, and data breaches are consistently identified as one of the biggest risks they face.

This concern is not abstract. Australian guidance from the Office of the Australian Information Commissioner highlights that AI tools, including chatbots, involve the collection, storage, and use of personal information, often in ways that are not fully understood by those using them.

Once information is entered, visibility can drop. It becomes harder to track how that data is retained, used, or disclosed, particularly when tools are publicly available or externally hosted.

For organisations, the expectation does not change.  The difference is how quickly those expectations are tested in practice.

These are the moments where privacy obligations move from documentation into operation, and where the ability to respond properly becomes critical.

Australian organisations using these same tools face the same questions about transparency and consent. These are the moments where privacy obligations move from documentation into practice, and where the ability to respond properly becomes critical.

 

What does a privacy complaint reveal about an organisation?

 A complaint rarely exists in isolation. It reflects how data is collected, stored, accessed, and shared across the organisation.

Only two in five Australians believe organisations are transparent about how their data is handled, and more than half say they do not understand how their information is used.

That gap between expectation and experience is where complaints originate. And how an organisation responds in that moment often matters more than the issue itself.

 

What would close that gap?

Three questions worth asking before the next complaint arrives:

Can you explain, in plain language, why you collected the data you hold? Not the legal basis. The actual reason a person would understand and accept.

If someone asked where their data has been shared, could you answer within 24 hours?

When was the last time you tested your breach response with the people who would actually deliver it? Not the policy. The people.

Privacy Awareness Week is a prompt to revisit these questions. Not because a complaint is incoming, but because how you handle data today shapes whether one ever needs to.

 

This is exactly where Privacy Awareness Week matters – not as a reminder, but as a reality check.

At ctrl:cyber, we’re using this week to focus on the part most organisations struggle with: what happens when privacy stops being theoretical and becomes operational.

This Privacy Awareness Week, we’re actively contributing through a series of practical sessions and conversations, including:

  • A dedicated Privacy Awareness Week webinar for Local Governments on balancing privacy, AI, and risk in real-world service delivery
  • A new podcast release with the Australian Privacy Commissioner as a special guest
  • Moderation by our Director of Privacy, Data & AI Governance, Melanie Marks, of the OAIC’s own PAW webinar event
  • Additional insights from our privacy and AI governance specialists on how organisations can better operationalise decision-making under regulatory and public scrutiny

 

Need help getting there?

ctrl:cyber work with organisations to build privacy frameworks that hold up under pressure. From data mapping and policy review to breach response planning and staff training, our privacy services are designed to turn compliance into confidence.

Learn more about our involvement in Privacy Awareness Week, or get in touch with our team to improve your organisation’s privacy journey.