We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our privacy policy.

News Join our team Contact us

  • On this page

Privacy concerns are widespread and increasing in Australia, yet relatively few people take action when issues arise, often due to low confidence in outcomes and perceived complexity of complaints processes. Experiences are commonly linked to direct marketing, unnecessary data collection, and limited transparency, with complaint processes frequently seen as difficult and rarely leading to satisfactory outcomes. Confidence in how organisations handle privacy complaints is stronger in traditional sectors such as banking, health, and government than in social and digital platforms.

Although fewer people know about or have personally experienced data breaches, most people who are affected still report harm. The most common harms are more scams and spam, as well as loss of trust, less control, and ongoing concern about how their personal information is used.

Australians prioritise limiting data collection and timely deletion as the most important ways organisations should protect personal information, and place primary responsibility for privacy risks on organisations. There is strong expectation that organisations should lead in preventing issues, while responsibility for addressing problems is more shared with government and regulators.

Experiences of privacy concerns

About 2 in 3 Australians (64%) have had concerns about how an organisation handled their personal information. This ranges from relatively minor issues, such as being asked for unnecessary information, to more serious incidents like data breaches. However, only around one in 8 (12%) say they raised the issue with the organisation. Australians who had concerns but didn’t raise them are more likely to be men (56% vs 49% of women) and live in metropolitan areas (55% vs 46% of those outside capital cities).

When asked separately about a list of specific privacy-related experiences (Figure 16) in the past 12 months, around 3 in 4 (73%) Australians report experiencing at least one issue, up from 64% in 2023. This measure captures a broader range of experiences, which respondents may not necessarily view as a broader concern about how an organisation handled their personal information.

The most common experiences relate to direct marketing, including difficulties unsubscribing and receiving unsolicited communications, followed by being asked to provide unnecessary personal information. A substantial proportion also report issues relating to data breaches, limited ability to access or manage their information, and being required to identify themselves when it was not necessary. Experiences of unauthorised collection, use, or disclosure of personal information, as well as difficulties accessing privacy policies, are also reported by a notable minority.

Experiencing at least one privacy-related issue is more likely among:

  • those with tertiary or vocational qualifications (77% vs 60% of those with no qualification)
  • those who are more concerned about their privacy than 5 years ago (75% vs 59% of those with the same or lower level of concern)
  • those who have concerns about how organisations handle their personal information (82% vs 58% of those with no concern)
  • those aware of data breaches in Australia in the past 12 months (79% vs 57% of those unaware).

Figure 16 Problems experienced with the handling of personal information

P3. Have you experienced any of the following in the past 12 months?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626, 2020: n=1,509)

Notes: Don’t know (1%) and refused (<0.5%) not displayed.

Barriers to raising privacy complaints

Many people who were worried about how an organisation handled their personal information didn’t end up making a complaint. The main reasons were that they:

  • didn’t think it would change anything (56%)
  • thought it would be too hard or take too long (51%)
  • weren’t sure how to complain (40%).

These barriers were even more common for people aged 18–49. Compared with people aged 50+, younger Australians were more likely to say they didn’t complain because:

  • it felt too hard or time‑consuming (58% vs 41%)
  • they didn’t know what to do or where to start (48% vs 31%).

People with a university qualification were also more likely to feel the process was too difficult or time-consuming (63%), compared with those with vocational qualifications (46%) or no qualifications (42%). And people who speak a language other than English at home were more likely to say the process felt too hard (60% vs 47%).

Lower complaint rates may also reflect broader challenges around awareness, confidence and perceived ability to exercise privacy rights. Australians who are unaware they can request access to their personal information from organisations are more likely not to raise a complaint after experiencing a concern (56% vs 48% of those aware of this right). More broadly, Australians who do not pursue complaints are also more likely to report limited understanding of how organisations use their personal information, lower perceived control over how their data is collected and used, and a belief that consent and data sharing are rarely genuine choices. They are also more likely to perceive current data practices as unfair in practice. Combined with concerns about effort, complexity and ineffective outcomes, these findings may reflect broader feelings of low agency and limited confidence that engaging with complaint processes or exercising privacy rights will lead to meaningful resolution or change.

Figure 17 Reasons for not pursuing a privacy complaint

COM2. If you decided not to pursue a privacy complaint, what were the main reasons?

Base: Had a concern about how personal information was handled but did not raise it with the organisation (n=790)

Notes: Don’t know (<0.5%) and refused (<0.5%) not displayed.

Perceived effectiveness of complaint handling

Perceived effectiveness of privacy complaint handling varies sharply by sector.

Australians most commonly identify banks and financial institutions (46%), health services (42%) and government agencies (41%) as handling privacy complaints fairly and effectively, while confidence is very low in online retailers (4%) and social media platforms (3%). Taken together, the results suggest that perceived ‘effective complaint handling’ is largely associated with a small set of essential or institutionally familiar sectors, whereas many Australians do not see strong pathways for redress in more commercial or digital environments. This is reinforced by the fact that almost 3 in 10 (29%) believe that none of the listed organisations handle privacy complaints fairly and effectively.

Men are more likely than women to perceive the following sectors handle privacy complaints fairly and effectively, which may indicate slightly higher confidence (or lower scepticism) among men in the responsiveness of these sectors.:

  • government agencies (43% vs 38%)
  • telecommunications companies (16% vs 10%)
  • online retailers (6% vs 3%).

Australians aged 65 and over are more likely than younger people to say that some sectors handle privacy complaints fairly and effectively, including:

  • banks and financial institutions (55% vs 39% of those aged 18–34)
  • health services (50% vs 38% of those aged 25–64)
  • utilities (23% vs 12% of those aged 18–49).

This may reflect greater familiarity with traditional service providers, or a stronger sense that these organisations are accountable, rather than higher confidence in complaint handling overall

Figure 18 Organisations perceived to handle privacy complaints fairly and effectively

COM3. Which types of organisations do you think generally handle privacy complaints fairly and effectively?

Base: All Australians aged 18+. (n=1,504)

Notes: Don’t know (2%) and refused (<0.5%) not displayed.

Experiences of making privacy complaints are often challenging, difficult to navigate and rarely result in satisfactory outcomes. For many complainants the process may feel more like an information exchange than an effective pathway to resolution. This suggests that people judge complaint handling not just by the final outcome, but also by how easy the process is to deal with. For example, being passed around, having to repeat information, and long delays may help explain why few people report a positive experience from start to finish.

The most common experiences include:

  • receiving an explanation without a meaningful outcome (24%)
  • giving up before the process was completed (19%)
  • being passed between organisations or departments (15%).

Relatively few Australians report positive experiences:

  • having their issue was resolved to their satisfaction (9%)
  • it was clear who to contact (5%)
  • the process was straightforward (3%).

Figure 19 Experience of the most recent privacy complaint

COM4. Thinking about the most recent time you complained about how your personal information was handled, which of the following best describes your experience?

Base: Raised a concern with the organisation about how personal information was handled (n=173)

Notes: Don’t know (2%) and refused (0%) not displayed.

Awareness and experience of data breaches

For the purposes of evaluating data breaches, respondents were provided with the following definition of a data breach:

A data breach is a type of privacy breach that occurs when personal information held by an organisation is accessed or disclosed without authorisation, or is lost. Data breaches may result from malicious action (e.g. cyber criminals), human error (e.g. personal information being emailed to the wrong person) or errors in business or technology processes.

Awareness and experience of data breaches in Australia has declined since 2023.

  • Around 7 in 10 (72%, down from 90% in 2023) Australians say they heard of a data breach in the past 12 months before the survey.
  • Under 2 in 5 (38%, down from 47% in 2023) say they were directly notified by an organisation that their personal information was involved in a breach.
  • One in 3 (34%, down from 42% in 2023) reports being aware of breaches but not personally affected.

Figure 20 Awareness and impact of data breaches in the last 12 months

P9. Are you aware of any data breaches occurring in Australia in the last 12 months? P10. In the past 12 months, has an organisation told you that your information was involved in a data breach?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Notes: Don’t know (<0.5% in 2026, 5% in 2023) and refused (0%) not displayed.

It is worth noting that the 2023 survey was conducted in the immediate aftermath of the Optus and Medibank data breaches (September–October 2022), 2 of the largest and most publicly reported data breaches in Australian history. The extraordinary level of media and public attention these incidents generated may have artificially inflated awareness levels at that point in time.

According to OAIC data, reported data breaches in Australia have increased since 2022, with 2024 recording the highest number of notifications since the Notifiable Data Breaches (NDB) scheme commenced in 2018. In 2022, the OAIC received a total of approximately 890 notifications, rising to 1,113 in 2024 – a 25% increase.[1],[2]The most recent reporting period (January to June 2025) recorded 532 notifications, which, while representing a 10% decrease on the preceding 6 months, remains consistent with the levels seen throughout 2024.[3] It is worth noting, however, that the second half of 2022 saw a marked spike in notifications, up 26% on the first half of that year, which the OAIC itself attributed in part to the high public profile of the Optus and Medibank breaches, noting that significant public interest in those incidents 'may have raised awareness of the requirement for entities covered by the Privacy Act to notify the OAIC’.[4] This suggests that the period immediately following those landmark breaches represented an atypical peak in reporting activity, and that any comparisons between 2022–23 survey data and later periods should take this into account.

Around 3 in 4 (77%) Australians whose data was involved in a breach report experiencing at least one form of harm, consistent with 2023 (76%). The most common impact is increased exposure to scams and spam, reported by 3 in 5 (62%), marking a notable rise from 2023 (52%). More serious direct impacts are less prevalent but have increased in some cases, including:

  • financial or credit fraud (16%, up from 11% in 2023)
  • email account hijacked (12%)
  • the need to replace key identity documents (12%, down from 29%)
  • emotional or psychological harm (10%).

The finding that breach-related harm is increasingly experienced as ongoing digital exposure (such as scams and spam) alongside a smaller but material share experiencing more acute impacts lends support to cross-portfolio collaboration being increasingly relevant.

Figure 21 Personal experiences following an organisational data breach

P12. Which, if any, of the following have you personally experienced because of a data breach of an organisation?

Base: All Australians aged 18+. (2026: n=566, 2023: n=760)

Notes: Don’t know (1% in 2026) and refused (<0.5% in 2026) not displayed.

Harms resulting from privacy breaches

Among Australians who experienced a problem with how their personal information was handled in the 12 months prior to the survey, 9 in 10 (91%) report at least one type of harm, a slight decline from 2023 (96%).

The most common and increasing impact is an increase in scams or spam (70% vs 55% in 2023), consistent with experiences following data breaches, suggesting that privacy problems are often experienced as sustained digital exposure rather than a one-off event.

Other common impacts include:

  • loss of trust in the organisation’s information handling (46%, down from 53% in 2023)
  • loss of control over their personal information (39%)
  • unable to find out how data is used (35%)
  • feeling disempowered (30%)
  • having information used in unexpected ways (28%).

This indicates that impacts of privacy breaches extend beyond nuisance contact to broader confidence in how organisations handle and explain personal information. When viewed overall, findings suggest that privacy harms can shape not only people’s exposure to risk (such as scams and spam), but also their expectations of organisational accountability and willingness to engage.

Experiences of harm from privacy breaches vary by age, which may reflect different exposure points and expectations about acceptable data handling.

  • Australians aged 25+ are more likely than those aged 18–24 to report increased scams or spam (72% vs 54%).
  • Those aged 18–64 are more likely than those aged 65+ to report loss of trust in organisations (49% vs 33%).
  • Younger Australians aged 18–24 are also more likely to report their personal information being used in unexpected ways (46% vs 26% of those aged 25+), suggesting that “unexpected use” may be a particularly important driver of concern for younger people.

Figure 22 Personal experiences resulting from poor handling of personal information by organisations

P6. Which of the following have you experienced because of a problem with how your personal information was handled by an organisation?

Base: All Australians aged 18+. (2026: n=1,099, 2023: n=540)

Notes: Don’t know (0%) and refused (<0.5% in 2026) not displayed.

Ways for organisations to protect personal information

Australians place greatest importance on limiting data collection and ensuring timely deletion as key ways organisations should protect personal information. The top 3 priorities are collecting only the minimum necessary information, deleting data when no longer needed, and only collecting what is required to provide a service.

Compared to 2023, there is reduced emphasis on several measures, including necessary data collection, proactive protection, transparency, helping individuals protect their privacy, and using information in expected ways.

Figure 23 Most important ways organisations can protect personal information

P8. There are many ways an organisation can protect your personal information, which of these do you think is the most important?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Responsibility for privacy risk prevention and data breaches

Australians overwhelmingly place responsibility for data breaches on organisations that collect and hold personal information.

  • 9 in 10 (91%, up from 87% in 2023) say organisations are responsible
  • over half (56%) say third-party providers or contractors are responsible
  • almost 3 in 10 (29%, up from 15% in 2023) say government or regulators are responsible
  • very few (3%) believe individuals are responsible.

This suggests strong community expectations that accountability should sit primarily with entities that control data collection and custody, with a growing expectation that oversight bodies also have a role when breaches occur. This is an expectation that can shape trust in organisations’ capacity to manage risk and respond effectively.

Views on responsibility vary across groups and levels of breach awareness.

  • Older Australians aged 50+ are more likely to say organisations are responsible (95% vs 89% of those aged 18–49).
  • Those who speak a language other than English are more to say government or regulators are responsible (39% vs 26% of English-only speakers).

Awareness of data breaches also influences views on responsibility, with those aware of breaches in the past 12 months prior to the survey more likely to hold both organisations (94% vs 86%) and third-party providers (60% vs 46%) responsible. This pattern reflects a heightened sensitivity to shared accountability across the ‘data handling chain’ among those with greater exposure to breach information, reinforcing expectations for clearer lines of responsibility beyond the individual.

Figure 24 Responsibility for a data breach affecting personal information

P16. If an organisation that you used was affected by a data breach and your information was affected, who do you think should be held responsible?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Notes: Don’t know (1% in 2026, 5% in 2023) and refused (<0.5% in 2026) not displayed.

Australians consistently place primary responsibility for minimising privacy risks to organisations that collect, use or share personal information, even when no immediate harm has occurred. Nearly all respondents (98%) say organisations should be responsible, with a substantial majority viewing this responsibility as very strong (86%).

This expectation is more pronounced among:

  • older Australians aged 50+ (92% vs 82% of those aged 18–49)
  • those aware of data breaches in the past 12 months prior to the survey (90% vs 77% of those unaware)
  • English-only speakers (88% vs 81% of those who speak another language at home).

These patterns suggest broadly held norms of organisational accountability, alongside variation that may reflect differences in perceived exposure, familiarity with privacy risks, or expectations about institutional responsibility.

Similarly, organisations are primarily seen as responsible for managing privacy risks, particularly in relation to prevention, while responsibility appears more shared when it comes to responding once problems arise. Very few believe individuals should be responsible for either preventing or addressing privacy problems.

  • For preventing privacy problems from occurring: just under half (46%) say organisations should have primary responsibility, 35% favour a shared model led by organisations, and 16% say government should be responsible.
  • For addressing privacy problems after they have occurred: responsibility is evenly split between organisations (34%) and government or regulators (34%), with 29% preferring a shared approach led by organisations.

Together, these distributions suggest a distinction in how responsibilities are understood across the privacy lifecycle, with prevention more firmly associated with organisations and post‑incident responses seen as requiring a broader institutional role.

Some demographic differences are evident:

  • Men are more likely than women to believe organisations should carry primary responsibility for preventing privacy problems (51% vs 41%).
  • Those aware of data breaches in Australia in the 12 months prior to the survey are more likely to favour a shared responsibility model led by organisations for both preventing (38% vs 28%) and addressing (32% vs 24%) privacy problems.
  • Those unaware of any data breaches are more likely to believe government and regulators should take greater responsibility for prevention.
Previous chapter
Next chapter
OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia