In this cyber threat landscape, trust is what really counts. With data breaches in the news almost every week, your customers and your insurers are asking a simple but pretty pressing question: “Is my data safe with you?”
For business leaders, IT types and compliance officers around Australia, the answer is becoming more and more dependent on how you approach Privacy by Design.
Here’s what this article will help you with:
- What Privacy by Design actually is and why it’s a big deal at the moment
- The 7 key principles of Privacy by Design and how to put them into practice in your organisation
- How to implement Privacy by Design to gain a competitive edge in compliance, trust and business growth
For many Australian organisations privacy has been a bit of an afterthought, something that gets thrown in at the last minute by the legal team just before a product launch. Sometimes privacy enhancing technologies (PETs) get bolted on to the existing IT systems, but relying on them as some kind of add-on tool just isn’t good enough. You need to integrate it from the start.
But with the Privacy Act Reforms having gone through and the small business exemption now likely to be modified or completely removed in a second tranche of privacy law reform, the old tick-the-boxes approach isn’t going to cut it any more. Thousands of Aussie businesses that used to be exempt are now going to have to get on board, and the deadline is coming up fast.
And it’s not just about the regulators; it’s about the tech too. With AI increasingly being exposed to your corporate data, privacy by design is what stops your internal AI from showing all your HR or payroll data to the whole company, or worse, the public.
At TechBrain, we think that good security shouldn’t be some kind of big surprise – it should be invisible, automatic and embedded. Privacy by Design is the way to do that – get the privacy and security thinking into the design of your systems right from the off, so that it’s all built in from day one.
Businesses need to adopt best practices and a proactive approach, building the necessary safeguards into the design of their systems. That way they are sure to be meeting all the regulatory requirements and securing all stakeholders at the same time.
What does “privacy” mean in Australia?
When the Office of the Australian Information Commissioner (OAIC) talks about privacy, it is largely talking about information privacy: how an organisation collects, uses, discloses, stores, secures, retains, and disposes of personal information.
The OAIC defines personal information broadly as information or an opinion that identifies an individual, or makes them reasonably identifiable (and what counts can depend on the context).
In practice, that can include obvious things like names and contact details, but also things like account identifiers, HR records, customer numbers tied to a person, correspondence, and in many cases metadata that can be linked back to an individual.
Where do the Australian Privacy Principles (APPs) fit?
The Privacy Act includes 13 Australian Privacy Principles (APPs) which govern standards, rights and obligations around personal information, including collection, use and disclosure, governance and accountability, and access and correction rights.
For IT and security leaders, two APPs show up again and again:
- APP 1: you must manage personal information in an open and transparent way, which is about accountability and trust, and includes having a privacy policy and internal practices and systems that support compliance.
- APP 11: you must take reasonable steps to protect the personal information you hold from misuse, interference, loss, and unauthorised access, modification or disclosure, and you must actively consider whether you are permitted to retain it.
APP 11 also includes a practical data minimisation requirement: when you no longer need personal information for a permitted purpose (and you’re not required to keep it), you are expected to take reasonable steps to destroy it or de-identify it (with some exceptions).
This is why privacy is not just a legal policy issue. It is a systems design issue.
Does the OAIC recognise Privacy by Design?
While the “7 principles” originated overseas, the OAIC explicitly publishes guidance titled Privacy by Design, and describes privacy by design as building privacy into the design specifications of technologies, business practices and physical infrastructure.
The OAIC also makes the practical link that matters for Australian organisations:
- To build privacy in, you need to understand privacy impacts, and a Privacy Impact Assessment (PIA) is framed as “the best way” to do that.
- In its security guidance, the OAIC also points to privacy by design as an important element of integrating privacy into risk management strategies.
Mapping the 7 Principles to the Australian Reality
Privacy By Design (PbD) is a way of thinking that involves building privacy right into the very heart of your systems from the very start. It’s focused on embedding privacy into the early stages of developing IT projects.
The concept of Privacy by Design was born out of a set of seven key principles, first proposed back in the 1990s by Ann Cavoukian, the former Privacy Commissioner for Ontario. These principles are the foundation for creating a framework that helps you weave privacy into every part of your IT systems and companies’ processes.
Businesses can use the 7 Privacy By Design principles as a strategic tool to give their data extra protection and make sure they’re meeting all the rules and regulations they need to follow. Below, we outline how these 7 principles map directly to the key data protection rules in the Australian Privacy Principles (APPs), Essential 8 and ISO 27001 controls.
But with Privacy by Design, there’s an important balance to strike: the needs of your organisation sit alongside the need to comply with regulations and the desire to protect sensitive customer information.
1. Proactive not Reactive; Preventative not Remedial
The first principle of Privacy by Design is proactive not reactive, meaning you anticipate and prevent privacy invasive events before they happen. You can’t wait for a Notifiable Data Breach (NDB) to fix a vulnerability in 2025.
Key Steps:
- Raise privacy awareness early in the system development lifecycle.
- Implement privacy from the get go to support a proactive approach to data protection.
The TechBrain Standard: Vulnerability Management & Threat Hunting.
Actionable Insight:
- Use security governance and a variety of technical controls, including Managed XDR, vulnerability management and threat hunting, to detect anomalous behaviour (such as a user exporting data from SharePoint) before the exfiltration happens.
2. Privacy as the Default Setting (The “Copilot” Rule)
The second principle of Privacy by Design is privacy as the default setting, a simple yet powerful idea: protecting personal info in IT systems and business practices from the get go. This is the golden rule of user trust: if the user doesn’t do anything, their privacy should just remain intact. They shouldn’t have to go searching for a setting just to make sure their data stays safe.
The TechBrain Standard: M365 Permissioning & “Just Enough Access”.
The Risk: “Default Open” SharePoint sites are a massive headache waiting to happen. Enable Microsoft 365 Copilot without first tightening up permissions and the AI will simply follow the access controls you’ve already got in place, and for most businesses those controls are far too loose.
That means even junior staff can end up accessing sensitive information like executive strategies or payroll data… probably not what you intended.
The Fix:
- Use Microsoft Purview to apply sensitivity labels (e.g., “Confidential – Finance”) to documents.
- Ensure that even if permissions are loose, the data itself is encrypted and invisible to unauthorised AI queries.
By making privacy the default, users are given more control over their personal data and are empowered to actively manage their privacy settings, supporting both compliance and user trust.
3. Privacy Embedded into Design
The third key principle of Privacy by Design is to make sure privacy is a fundamental part of any system or service right from the get-go.
It means that we need to bake in privacy measures such as encryption, access controls, and keeping data to an absolute minimum so they become an integral part of the design and infrastructure of any IT system or business practice, rather than just embedding them afterwards as an afterthought.
Key Steps to Take:
- Get privacy built in from the very start of your systems and business practices by integrating all the necessary safeguards (encryption, access controls, data minimisation) so they become a key part of the fabric of how they work.
The TechBrain Standard: We use ISO 27001 (specifically, Annex A 5.23 regarding information security for use of cloud services) as the benchmark.
Actionable Insight:
- Make sure you run a vendor risk assessment before you sign any SaaS contract. The moment you put PII up on a non-compliant offshore vendor you’re locked in with a design flaw that can’t be fixed.
4. Full Functionality – Positive-Sum, not Zero-Sum
The fourth principle of Privacy by Design is full functionality, which emphasises a win-win approach where privacy and security can coexist without trade-offs. A common myth is that you must choose between privacy and security, or between privacy and functionality. PbD rejects this “zero-sum” trade-off. You can have both.
The TechBrain Standard: Zero Trust / SSO.
Actionable Insight:
- Implement Passwordless Authentication (FIDO2) and Single Sign-On (SSO) to improve the user login experience (no more forgotten passwords) while significantly enhancing privacy by stopping credential theft.
5. End-to-End Security – Full Lifecycle Protection
End-to-end security means building privacy into every process that handles personal data, from the moment you collect data, through storage, processing and finally to destruction. Data protection follows the data, so security is continuous at every stage.
Key Points:
- Only collect data for specific purposes.
- Have safeguards in place for the whole data lifecycle.
The TechBrain Standard: Essential 8 (Backups & Encryption).
Actionable:
- Set up automated data retention policies, like configuring your systems to delete CVs from rejected applicants after 6 months, so you’re not holding onto sensitive data longer than needed.
6. Visibility and Transparency – Keep it Open
The sixth principle of Privacy by Design is all about visibility and transparency, which means your business practices have to live up to the promises you’ve made to everyone. For trust to exist, there needs to be some proof that you’re keeping your word.
This means your stakeholders need to be able to see that whatever approach or technology you’re using is actually doing what you said it would do.
The TechBrain Standard: Data Sovereignty & Immutable Logging (SIEM).
Actionable Insight:
- Deploy a SIEM (Security Information and Event Management) system to provide tamper-proof audit trails.
- Configure Azure and M365 tenants to enforce Australian Data Residency, ensuring your data satisfies sovereignty requirements.
7. Respect for User Privacy – Keep it User-Centric
The seventh principle of Privacy by Design is respect for user privacy, which keeps the interests of individuals paramount in the design and implementation of any system or service. Above all, architects must keep the interests of the individual uppermost. The Privacy Act’s proposed “Fair and Reasonable” test requires objective fairness in how you handle data, and whether it is “reasonable” for you to store it in the first place.
The TechBrain Standard: Automated DSAR Workflows.
Actionable Insight:
- Architect systems to handle Data Subject Access Requests (DSAR) programmatically.
- If a user asks for their data to be deleted (Right to Erasure), entities are not currently obliged to comply; however, steps should be taken to sanitise that user’s data across backups and archives, replacing error-prone manual hunting.
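The retention rule from Principle 5 (delete rejected applicants’ CVs after 6 months) and the erasure-request handling above come down to one per-record decision: retain, destroy or de-identify, with legal holds as the APP 11 exception. The following is an added example, not TechBrain’s or the OAIC’s code; the retention schedule, record fields and sample records are constructed for illustration.

```python
"""Retention sweep for the APP 11 'destroy or de-identify' step and for
erasure requests. Decides, per record, whether to retain, destroy or de-identify."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: category -> (days after the purpose ends, action on expiry).
RETENTION_SCHEDULE = {
    "applicant_cv": (182, "destroy"),           # the 6-month rejected-CV rule from the article
    "customer_account": (2555, "de-identify"),  # kept ~7 years, then stripped of identifiers
}

@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date | None = None   # None: still needed for the permitted purpose
    legal_hold: bool = False            # a law or proceeding requires retention (APP 11 exception)
    erasure_requested: bool = False     # the individual asked for deletion

def decide(rec: Record, today: date) -> str:
    """Return 'retain', 'review', 'destroy' or 'de-identify' for one record."""
    days, expiry_action = RETENTION_SCHEDULE[rec.category]
    if rec.legal_hold:
        return "retain"                 # required to keep, whatever the other signals say
    if rec.purpose_ended is None:
        # Still in active use: an erasure request needs a human decision, not auto-deletion.
        return "review" if rec.erasure_requested else "retain"
    expired = today - rec.purpose_ended >= timedelta(days=days)
    if expired or rec.erasure_requested:
        return expiry_action            # no longer needed: destroy or de-identify per schedule
    return "retain"

def sweep(records: list[Record], today: date) -> dict[str, str]:
    """Batch decision, keyed by record id, suitable for an audit log."""
    return {r.record_id: decide(r, today) for r in records}

# Constructed sample records covering each branch of the policy.
SAMPLE_RECORDS = [
    Record("cv-001", "applicant_cv", purpose_ended=date(2025, 1, 10)),                   # expired
    Record("cv-002", "applicant_cv", purpose_ended=date(2025, 6, 1)),                    # within 6 months
    Record("cv-003", "applicant_cv", purpose_ended=date(2025, 1, 10), legal_hold=True),  # hold wins
    Record("cust-42", "customer_account", erasure_requested=True),                       # still in use
    Record("cust-43", "customer_account", purpose_ended=date(2024, 3, 1), erasure_requested=True),
]

if __name__ == "__main__":
    for record_id, action in sweep(SAMPLE_RECORDS, date(2025, 8, 1)).items():
        print(record_id, action)
```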
With a clear understanding of the seven principles and their practical application, let’s explore how modern technologies like AI are reshaping the privacy landscape.
The New Battleground: AI Governance
The next battleground for safeguarding our personal data is AI Governance. It’s the emerging tech beast that is driving progress, but also putting the brakes on traditional ways of keeping our data private.
The Risk: Shadow AI
“Shadow AI” occurs when well-meaning employees paste client PII (Personally Identifiable Information) into public tools like ChatGPT to write emails or summarise reports. This inadvertently trains public models on your private data.
The TechBrain Fix: Data Loss Prevention
- Implement Data Loss Prevention (DLP) policies at the endpoint level.
- Block sensitive data strings (like credit card numbers, TFNs, or Medicare numbers) from being pasted into unapproved AI web forms.
- Allow data to flow freely into approved, enterprise-grade tools.
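What the second bullet looks like in practice: an endpoint-side check that only fires on identifiers that pass their check digit, so invoice numbers and order ids do not trip the policy, and that lets the paste through to approved tools. This is an added example, not TechBrain’s product or a Microsoft DLP rule; the approved hostnames and the sample paste are constructed.

```python
"""Endpoint-side DLP check: flag pastes containing Australian TFNs or Medicare
numbers and block them unless the destination is an approved enterprise AI tool."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Publicly documented check-digit schemes for the two identifiers.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)   # ATO: weighted digit sum mod 11 == 0
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)  # weighted sum of digits 1-8, mod 10 == digit 9

def is_valid_tfn(digits: str) -> bool:
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def is_valid_medicare(digits: str) -> bool:
    # 10 digits: 8 base digits, a check digit, then the card issue number (not checked).
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    return sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS)) % 10 == int(digits[8])

# Loose candidate patterns in the usual printed groupings; the validators do the filtering.
CANDIDATES = {
    "TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
    "Medicare": (re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"), is_valid_medicare),
}

@dataclass
class Finding:
    kind: str
    masked: str  # never log the full identifier

def mask(digits: str) -> str:
    return digits[:2] + "*" * (len(digits) - 4) + digits[-2:]

def scan_text(text: str) -> list[Finding]:
    findings = []
    for kind, (pattern, validator) in CANDIDATES.items():
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if validator(digits):
                findings.append(Finding(kind, mask(digits)))
    return findings

# Hypothetical hostname for the approved tool; real values come from your tenant config.
APPROVED_AI_HOSTS = {"copilot.corp.example"}

def should_block(text: str, destination_host: str) -> bool:
    """Approved tools pass; anything else is blocked when validated identifiers are present."""
    if destination_host in APPROVED_AI_HOSTS:
        return False
    return bool(scan_text(text))

# Constructed sample paste: a TFN, a Medicare number, and an invoice ref that looks
# like a TFN but fails the check digit.
SAMPLE_PASTE = ("Draft a letter for our client. Her TFN is 123 456 782 and "
                "Medicare number 2123 45670 1. Quote invoice ref 123 456 789.")

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PASTE):
        print(f.kind, f.masked)
    print("block:", should_block(SAMPLE_PASTE, "public-ai.example"))
```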
The fact is, as big organisations are launching new systems and adopting advanced tech like AI & quantum computers, they need to beef up their privacy by design strategies to keep personal info safe and adapt to the increasingly complicated web of data sharing that’s emerging.
Proactive Privacy for Emerging Tech
- Integrate privacy by design principles from the very beginning of a new project.
- Involve cross-functional teams early and conduct privacy impact assessments to establish robust privacy standards.
- Prepare for quantum computing, which will pose new data security challenges that privacy by design frameworks will need to address.
People are both the strongest and weakest line of defence in any organisation. Security education and awareness remains one of the most effective ways to build a strong security culture, improve decision-making, and strengthen understanding of privacy risks; ultimately reducing risk in a practical and measurable way.
– Ashish Srivastava (Head of Cyber Security)
Success Metrics & Audit-Ready Evidence
How to Prove Privacy by Design
How do you prove “Privacy by Design” to a Board or an auditor? You need metrics that matter. Following best practices, such as conducting Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs), is an important privacy measure and one of the most effective ways to identify and minimise privacy risks early in new projects.
When a new project starts getting underway, bake in privacy considerations as part of the design and planning from the get-go, involving the relevant teams and setting out clear privacy. These assessments are essential for organisations to ensure compliance and demonstrate their commitment to privacy by design.
Key Metrics to Track
- Data Minimisation Rate: Work out what percentage of old data gets archived or deleted automatically; the less data you’ve got lying around, the less risk you’re taking on.
- PIA Coverage: How many new projects had a proper Privacy Impact Assessment done before any code got written?
- DPIA Implementation: Of all the new projects you’re working on, how many included a Data Protection Impact Assessment to help smooth out any potential risks from the get go?
- Access Review Frequency: How long has it been since you took a good hard look at who’s got access to what?
Looking ahead, developing advanced notice and consent models will be key in the future of privacy by design. These models will help organisations stay ahead of evolving privacy expectations and regulatory requirements.
Common Pitfalls of Implementation
Even with the best of intentions, loads of businesses fall short of achieving true Privacy by Design due to these all-too-common mistakes:
- “Bolt-on” Privacy: Retrofitting encryption on a database after the app’s already built can end up causing major problems and a heap of costly refactoring. To get Privacy by Design right, you need to bake data privacy into your whole company culture, and have it planned out and integrated into every single process from day one.
- The “Legalese” Trap: Thinking a strict Privacy Policy on the website is enough to qualify as “Privacy by Design”. Newsflash: a legal document won’t stop a hacker; it’s the architecture that does the work.
- Ignoring Physical Privacy: Leaving hard drives just sitting out in unlocked server rooms or sticking backup tapes right on your desk. That’s basically ignoring Principle 5 (End-to-End Security) and just asking for trouble.
By cultivating a genuine culture of privacy, you’re not just ticking boxes to meet legal and regulatory obligations, you’re flipping the script, turning the focus from risk avoidance to a genuinely proactive stance.
Don’t Just Comply, Design Your Competitive Edge
Privacy is at the very heart of trust in the modern digital economy, and for businesses, it can be the key that unlocks access to a real competitive edge when it comes to government contracts and high-value partnerships with big enterprises.
When a company makes a commitment to proper, transparent data practices and gets on board with Privacy by Design principles, it sends a clear message that they’re in this for the right reasons.
At TechBrain, we don’t just sit down with you and tell you what to do – we actually get hands-on and configure our privacy solutions to fit your exact needs, working privacy considerations into every step of the design process from the very beginning. We take you from abstract theory down to actual working architecture.
Our Approach Looks Like This:
- vCIO Strategic Review: We take a hard look at your IT roadmap and make sure it’s aligned with the most recent amendments of the Privacy Act, then we help you put a privacy program in place that’ll keep you on the right side of compliance.
- ISO 27001 Alignment: We build you an Information Security Management System that has privacy baked right in – that way you can just get on with running your business, knowing the principles are being put into practice day to day.
- Managed XDR: We provide the “Proactive” monitoring required by Principle 1, helping you demonstrate accountability and transparency.
Is your data architecture ready for the new Privacy Act? Don’t wait for a breach to find out. Book a Cyber Maturity Review with TechBrain today.
Sources & References
- The Foundational Framework: Privacy by Design: The 7 Foundational Principles (Ann Cavoukian). The original paper outlining the seven principles referenced in this article.
- Australian Regulatory Context: Government Response to the Privacy Act Review Report. Details on the removal of the small business exemption and upcoming reforms.
- Compliance Guidelines: OAIC Guidelines, Chapter 11 (Security of Personal Information). The official guide to meeting “reasonable steps” for security under APP 11.
- AI & Future Risks: Microsoft Cloud: Securing AI – Navigating Risks and Compliance. Best practices for managing data privacy in the age of AI and Copilot.