We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our privacy policy.

News Join our team Contact us

  • On this page

Privacy concerns are widespread and increasing in Australia, yet relatively few people take action when issues arise, often due to low confidence in outcomes and perceived complexity of complaints processes. Experiences are commonly linked to direct marketing, unnecessary data collection, and limited transparency, with complaint processes frequently seen as difficult and rarely leading to satisfactory outcomes. Confidence in how organisations handle privacy complaints is stronger in traditional sectors such as banking, health, and government than in social and digital platforms.

Although fewer people know about or have personally experienced data breaches, most people who are affected still report harm. The most common harms are more scams and spam, as well as loss of trust, less control, and ongoing concern about how their personal information is used.

Australians prioritise limiting data collection and timely deletion as the most important ways organisations should protect personal information, and place primary responsibility for privacy risks on organisations. There is strong expectation that organisations should lead in preventing issues, while responsibility for addressing problems is more shared with government and regulators.

Experiences of privacy concerns

About 2 in 3 Australians (64%) have had concerns about how an organisation handled their personal information. This ranges from relatively minor issues, such as being asked for unnecessary information, to more serious incidents like data breaches. However, only around one in 8 (12%) say they raised the issue with the organisation. Australians who had concerns but didn’t raise them are more likely to be men (56% vs 49% of women) and live in metropolitan areas (55% vs 46% of those outside capital cities).

When asked separately about a list of specific privacy-related experiences (Figure 16) in the past 12 months, around 3 in 4 (73%) Australians report experiencing at least one issue, up from 64% in 2023. This measure captures a broader range of experiences, which respondents may not necessarily view as a broader concern about how an organisation handled their personal information.

The most common experiences relate to direct marketing, including difficulties unsubscribing and receiving unsolicited communications, followed by being asked to provide unnecessary personal information. A substantial proportion also report issues relating to data breaches, limited ability to access or manage their information, and being required to identify themselves when it was not necessary. Experiences of unauthorised collection, use, or disclosure of personal information, as well as difficulties accessing privacy policies, are also reported by a notable minority.

Experiencing at least one privacy-related issue is more likely among:

  • those with tertiary or vocational qualifications (77% vs 60% of those with no qualification)
  • those who are more concerned about their privacy than 5 years ago (75% vs 59% of those with the same or lower level of concern)
  • those who have concerns about how organisations handle their personal information (82% vs 58% of those with no concern)
  • those aware of data breaches in Australia in the past 12 months (79% vs 57% of those unaware).

Figure 16 Problems experienced with the handling of personal information

A grouped stacked bar chart shows problems experienced with the handling of personal information, comparing 2020, 2023 and 2026 data. I was not able to unsubscribe from marketing communications: 41% (2026), 25% (2023), 29% (2020). My personal information was used for unsolicited direct marketing without my consent: 38% (2026), 21% (2023), 30% (2020). I had to provide personal or sensitive information to a business when I preferred not to, and this was not required to deliver the service: 26% (2026), 14% (2023), 16% (2020). My personal information was stolen from an organisation by hackers or other criminals: 24% (2026), 29% (2023), 11% (2020). I was not able to access, update or delete personal information held about me: 24% (2026), 11% (2023), 14% (2020). I had to identify myself to a business when I preferred to remain anonymous, and my identity was not required to deliver the product or service: 23% (2026), 12% (2023), 15% (2020). My personal information was collected by a business without my consent, and this was not required to deliver the service: 17% (2026), 9% (2023), 15% (2020). My personal information was disclosed accidentally without my consent: 15% (2026), 13% (2023), 7% (2020). My personal information was kept for longer than needed by an organisation: 15% (2026), 10% (2023), Not measured in 2020. I couldn't find or access an organisation’s privacy policy: 13% (2026), 7% (2023), 7% (2020). My personal information was disclosed intentionally by a business without my consent, and this was not required to deliver the service: 12% (2026), 7% (2023), 10% (2020). None of the above: 26% (2026), 36% (2023), 41% (2020).

P3. Have you experienced any of the following in the past 12 months?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626, 2020: n=1,509)

Notes: Don’t know (1%) and refused (<0.5%) not displayed.

Barriers to raising privacy complaints

Many people who were worried about how an organisation handled their personal information didn’t end up making a complaint. The main reasons were that they:

  • didn’t think it would change anything (56%)
  • thought it would be too hard or take too long (51%)
  • weren’t sure how to complain (40%).

These barriers were even more common for people aged 18–49. Compared with people aged 50+, younger Australians were more likely to say they didn’t complain because:

  • it felt too hard or time‑consuming (58% vs 41%)
  • they didn’t know what to do or where to start (48% vs 31%).

People with a university qualification were also more likely to feel the process was too difficult or time-consuming (63%), compared with those with vocational qualifications (46%) or no qualifications (42%). And people who speak a language other than English at home were more likely to say the process felt too hard (60% vs 47%).

Lower complaint rates may also reflect broader challenges around awareness, confidence and perceived ability to exercise privacy rights. Australians who are unaware they can request access to their personal information from organisations are more likely not to raise a complaint after experiencing a concern (56% vs 48% of those aware of this right). More broadly, Australians who do not pursue complaints are also more likely to report limited understanding of how organisations use their personal information, lower perceived control over how their data is collected and used, and a belief that consent and data sharing are rarely genuine choices. They are also more likely to perceive current data practices as unfair in practice. Combined with concerns about effort, complexity and ineffective outcomes, these findings may reflect broader feelings of low agency and limited confidence that engaging with complaint processes or exercising privacy rights will lead to meaningful resolution or change.

Figure 17 Reasons for not pursuing a privacy complaint

A bar chart shows reasons for not pursuing a privacy complaint. I didn’t think it would make a difference: 56%, It seems too hard or time consuming: 51%, I didn’t know how to complain: 40%, The issue didn’t feel serious enough: 25%, I was worried about the negative consequences: 10%, I kept getting passed between the organisation and an external body or between departments within the organisation: 9%, Other (Please specify): 4%.

COM2. If you decided not to pursue a privacy complaint, what were the main reasons?

Base: Had a concern about how personal information was handled but did not raise it with the organisation (n=790)

Notes: Don’t know (<0.5%) and refused (<0.5%) not displayed.

Perceived effectiveness of complaint handling

Perceived effectiveness of privacy complaint handling varies sharply by sector.

Australians most commonly identify banks and financial institutions (46%), health services (42%) and government agencies (41%) as handling privacy complaints fairly and effectively, while confidence is very low in online retailers (4%) and social media platforms (3%). Taken together, the results suggest that perceived ‘effective complaint handling’ is largely associated with a small set of essential or institutionally familiar sectors, whereas many Australians do not see strong pathways for redress in more commercial or digital environments. This is reinforced by the fact that almost 3 in 10 (29%) believe that none of the listed organisations handle privacy complaints fairly and effectively.

Men are more likely than women to perceive the following sectors handle privacy complaints fairly and effectively, which may indicate slightly higher confidence (or lower scepticism) among men in the responsiveness of these sectors.:

  • government agencies (43% vs 38%)
  • telecommunications companies (16% vs 10%)
  • online retailers (6% vs 3%).

Australians aged 65 and over are more likely than younger people to say that some sectors handle privacy complaints fairly and effectively, including:

  • banks and financial institutions (55% vs 39% of those aged 18–34)
  • health services (50% vs 38% of those aged 25–64)
  • utilities (23% vs 12% of those aged 18–49).

This may reflect greater familiarity with traditional service providers, or a stronger sense that these organisations are accountable, rather than higher confidence in complaint handling overall

Figure 18 Organisations perceived to handle privacy complaints fairly and effectively

A bar chart shows which organisations are perceived to handle privacy complaints fairly and effectively. Banks and financial institutions: 46%, Health services: 42%, Government agencies: 41%, Insurance companies: 17%, Utilities: 16%, Non-for-profit organisation (e.g. charities): 14%, Telecommunication companies: 13%, Online retailers: 4%, Social media platforms: 3%, None of these: 29%.

COM3. Which types of organisations do you think generally handle privacy complaints fairly and effectively?

Base: All Australians aged 18+. (n=1,504)

Notes: Don’t know (2%) and refused (<0.5%) not displayed.

Experiences of making privacy complaints are often challenging, difficult to navigate and rarely result in satisfactory outcomes. For many complainants the process may feel more like an information exchange than an effective pathway to resolution. This suggests that people judge complaint handling not just by the final outcome, but also by how easy the process is to deal with. For example, being passed around, having to repeat information, and long delays may help explain why few people report a positive experience from start to finish.

The most common experiences include:

  • receiving an explanation without a meaningful outcome (24%)
  • giving up before the process was completed (19%)
  • being passed between organisations or departments (15%).

Relatively few Australians report positive experiences:

  • having their issue was resolved to their satisfaction (9%)
  • it was clear who to contact (5%)
  • the process was straightforward (3%).

Figure 19 Experience of the most recent privacy complaint

A bar chart shows experiences of the most recent privacy complaint. I received an explanation but no meaningful outcome: 24%, I gave up before the process was completed: 19%, I kept getting passed between the organisation and an external body or between departments within the organisation: 15%, I had to repeat my story or provide the same information multiple times: 13%, The process took a long time; 11% The issue was resolved to my satisfaction: 9%, It was clear who to contact: 5%, The process was straightforward: 3%.

COM4. Thinking about the most recent time you complained about how your personal information was handled, which of the following best describes your experience?

Base: Raised a concern with the organisation about how personal information was handled (n=173)

Notes: Don’t know (2%) and refused (0%) not displayed.

Awareness and experience of data breaches

For the purposes of evaluating data breaches, respondents were provided with the following definition of a data breach:

A data breach is a type of privacy breach that occurs when personal information held by an organisation is accessed or disclosed without authorisation, or is lost. Data breaches may result from malicious action (e.g. cyber criminals), human error (e.g. personal information being emailed to the wrong person) or errors in business or technology processes.

Awareness and experience of data breaches in Australia has declined since 2023.

  • Around 7 in 10 (72%, down from 90% in 2023) Australians say they heard of a data breach in the past 12 months before the survey.
  • Under 2 in 5 (38%, down from 47% in 2023) say they were directly notified by an organisation that their personal information was involved in a breach.
  • One in 3 (34%, down from 42% in 2023) reports being aware of breaches but not personally affected.

Figure 20 Awareness and impact of data breaches in the last 12 months

A bar chart compares awareness and impact of data breaches in the last 12 months in 2026 and 2023. Data has been involved in a breach 38% (2026), 47% (2023); Aware of data breaches, but not impacted 34% (2026), 42% (2023); Unaware of data breaches 28% (2026), 10% (2023); Aware of data breaches in the past 12 months: 72% (2026) versus 90% (2023).

P9. Are you aware of any data breaches occurring in Australia in the last 12 months? P10. In the past 12 months, has an organisation told you that your information was involved in a data breach?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Notes: Don’t know (<0.5% in 2026, 5% in 2023) and refused (0%) not displayed.

It is worth noting that the 2023 survey was conducted in the immediate aftermath of the Optus and Medibank data breaches (September–October 2022), 2 of the largest and most publicly reported data breaches in Australian history. The extraordinary level of media and public attention these incidents generated may have artificially inflated awareness levels at that point in time.

According to OAIC data, reported data breaches in Australia have increased since 2022, with 2024 recording the highest number of notifications since the Notifiable Data Breaches (NDB) scheme commenced in 2018. In 2022, the OAIC received a total of approximately 890 notifications, rising to 1,113 in 2024 – a 25% increase.[1],[2]The most recent reporting period (January to June 2025) recorded 532 notifications, which, while representing a 10% decrease on the preceding 6 months, remains consistent with the levels seen throughout 2024.[3] It is worth noting, however, that the second half of 2022 saw a marked spike in notifications, up 26% on the first half of that year, which the OAIC itself attributed in part to the high public profile of the Optus and Medibank breaches, noting that significant public interest in those incidents 'may have raised awareness of the requirement for entities covered by the Privacy Act to notify the OAIC’.[4] This suggests that the period immediately following those landmark breaches represented an atypical peak in reporting activity, and that any comparisons between 2022–23 survey data and later periods should take this into account.

Around 3 in 4 (77%) Australians whose data was involved in a breach report experiencing at least one form of harm, consistent with 2023 (76%). The most common impact is increased exposure to scams and spam, reported by 3 in 5 (62%), marking a notable rise from 2023 (52%). More serious direct impacts are less prevalent but have increased in some cases, including:

  • financial or credit fraud (16%, up from 11% in 2023)
  • email account hijacked (12%)
  • the need to replace key identity documents (12%, down from 29%)
  • emotional or psychological harm (10%).

The finding that breach-related harm is increasingly experienced as ongoing digital exposure (such as scams and spam) alongside a smaller but material share experiencing more acute impacts lends support to cross-portfolio collaboration being increasingly relevant.

Figure 21 Personal experiences following an organisational data breach

A bar chart compares personal experiences following an organisational data breach in 2026 and 2023. An increase in scams, spam text or emails 62% (2026), 52% (2023); Financial or credit fraud 16%, 11%; Email account hijacked 12%, 10%; A need to replace key identity documents e.g. driver's licence, passport 12%, 29%; Emotional or psychological harm 10%, 12%; Identity theft 8%, 10%; Credit rating affected 4%, 4%; Blackmail 3%, 3%; Physical harm or intimidation 1%, 2%; Family violence 1%, 1%; Other (please specify) 3%, 1%; None of these 23%, 24%.

P12. Which, if any, of the following have you personally experienced because of a data breach of an organisation?

Base: All Australians aged 18+. (2026: n=566, 2023: n=760)

Notes: Don’t know (1% in 2026) and refused (<0.5% in 2026) not displayed.

Harms resulting from privacy breaches

Among Australians who experienced a problem with how their personal information was handled in the 12 months prior to the survey, 9 in 10 (91%) report at least one type of harm, a slight decline from 2023 (96%).

The most common and increasing impact is an increase in scams or spam (70% vs 55% in 2023), consistent with experiences following data breaches, suggesting that privacy problems are often experienced as sustained digital exposure rather than a one-off event.

Other common impacts include:

  • loss of trust in the organisation’s information handling (46%, down from 53% in 2023)
  • loss of control over their personal information (39%)
  • unable to find out how data is used (35%)
  • feeling disempowered (30%)
  • having information used in unexpected ways (28%).

This indicates that impacts of privacy breaches extend beyond nuisance contact to broader confidence in how organisations handle and explain personal information. When viewed overall, findings suggest that privacy harms can shape not only people’s exposure to risk (such as scams and spam), but also their expectations of organisational accountability and willingness to engage.

Experiences of harm from privacy breaches vary by age, which may reflect different exposure points and expectations about acceptable data handling.

  • Australians aged 25+ are more likely than those aged 18–24 to report increased scams or spam (72% vs 54%).
  • Those aged 18–64 are more likely than those aged 65+ to report loss of trust in organisations (49% vs 33%).
  • Younger Australians aged 18–24 are also more likely to report their personal information being used in unexpected ways (46% vs 26% of those aged 25+), suggesting that “unexpected use” may be a particularly important driver of concern for younger people.

Figure 22 Personal experiences resulting from poor handling of personal information by organisations

A bar chart compares personal experiences resulting from poor handling of personal information by organisations in 2026 and 2023. An increase in scams or spam text or emails 70% (2026), 55% (2023); Loss of trust in the organisation's information handling practices 46%, 53%; Loss of control of how my personal information was handled 39%, 37%; Inability to find out how my personal information was being used 35%, 31%; Feeling disempowered 30%, 27%; My personal information was used in a way that I had not expected it to be used 28%, 28%; Psychological harm, such as stress or anxiety 21%, 24%; Disruption to my ability to use services 18%, 15%; Economic harm (e.g. fraudulent transactions on my account or affecting my credit rating) 17%, 13%; Identity theft 10%, 19%; Loss of human dignity 8%, 9%; Discrimination 6%, 5%; Reputational damage 5%, 8%; Harm to my relationships with others 4%, 5%; Physical harm (e.g. through someone who wanted to hurt me learning my address) 3%, 3%; Other (please specify) 1%, 1%; None of these 9%, 4%.

P6. Which of the following have you experienced because of a problem with how your personal information was handled by an organisation?

Base: All Australians aged 18+. (2026: n=1,099, 2023: n=540)

Notes: Don’t know (0%) and refused (<0.5% in 2026) not displayed.

Ways for organisations to protect personal information

Australians place greatest importance on limiting data collection and ensuring timely deletion as key ways organisations should protect personal information. The top 3 priorities are collecting only the minimum necessary information, deleting data when no longer needed, and only collecting what is required to provide a service.

Compared to 2023, there is reduced emphasis on several measures, including necessary data collection, proactive protection, transparency, helping individuals protect their privacy, and using information in expected ways.

Figure 23 Most important ways organisations can protect personal information

A ranking chart compares the most important ways organisations can protect personal information in 2026 and 2023. Only collect the minimum personal information necessary ranked 1 in 2026 and not measured in 2023; Delete personal information when it’s no longer needed and confirm when this has been done ranked 2 (2026), 3 (2023); Only collect personal information when it’s necessary to provide a product or service ranked 3 (2026), 1 (2023); Give people a clear right to delete or have their personal information erased when it is no longer needed ranked 4 in 2026 and not measured in 2023; Take proactive steps to protect the personal information they hold ranked 5 (2026), 2 (2023); Be transparent about how they use personal information ranked 6 (2026), 4 (2023); Help individuals to protect their privacy when using their product or service ranked 7 (2026), 5 (2023); Only use personal information in ways individuals would expect ranked 8 (2026), 6 (2023); Consider upfront the impact their activities have on individuals’ privacy ranked 9 (2026), 7 (2023); Help individuals to understand complex data practices ranked 10 (2026), 8 (2023).

P8. There are many ways an organisation can protect your personal information, which of these do you think is the most important?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Responsibility for privacy risk prevention and data breaches

Australians overwhelmingly place responsibility for data breaches on organisations that collect and hold personal information.

  • 9 in 10 (91%, up from 87% in 2023) say organisations are responsible
  • over half (56%) say third-party providers or contractors are responsible
  • almost 3 in 10 (29%, up from 15% in 2023) say government or regulators are responsible
  • very few (3%) believe individuals are responsible.

This suggests strong community expectations that accountability should sit primarily with entities that control data collection and custody, with a growing expectation that oversight bodies also have a role when breaches occur. This is an expectation that can shape trust in organisations’ capacity to manage risk and respond effectively.

Views on responsibility vary across groups and levels of breach awareness.

  • Older Australians aged 50+ are more likely to say organisations are responsible (95% vs 89% of those aged 18–49).
  • Those who speak a language other than English are more to say government or regulators are responsible (39% vs 26% of English-only speakers).

Awareness of data breaches also influences views on responsibility, with those aware of breaches in the past 12 months prior to the survey more likely to hold both organisations (94% vs 86%) and third-party providers (60% vs 46%) responsible. This pattern reflects a heightened sensitivity to shared accountability across the ‘data handling chain’ among those with greater exposure to breach information, reinforcing expectations for clearer lines of responsibility beyond the individual.

Figure 24 Responsibility for a data breach affecting personal information

A bar chart compares responsibility for a data breach affecting personal information in 2026 and 2023. The organisation that collected and held my personal information 91% (2026), 87% (2023); Any third-party providers or contractors that were used to store, process or handle my personal data 56%, not measured (2023); The government or regulators 29%, 15%; Me 3%, 4%; No one 3%, 1%; Someone else (please specify) 2%, 2%.

P16. If an organisation that you used was affected by a data breach and your information was affected, who do you think should be held responsible?

Base: All Australians aged 18+. (2026: n=1,504, 2023: n=1,626)

Notes: Don’t know (1% in 2026, 5% in 2023) and refused (<0.5% in 2026) not displayed.

Australians consistently place primary responsibility for minimising privacy risks to organisations that collect, use or share personal information, even when no immediate harm has occurred. Nearly all respondents (98%) say organisations should be responsible, with a substantial majority viewing this responsibility as very strong (86%).

This expectation is more pronounced among:

  • older Australians aged 50+ (92% vs 82% of those aged 18–49)
  • those aware of data breaches in the past 12 months prior to the survey (90% vs 77% of those unaware)
  • English-only speakers (88% vs 81% of those who speak another language at home).

These patterns suggest broadly held norms of organisational accountability, alongside variation that may reflect differences in perceived exposure, familiarity with privacy risks, or expectations about institutional responsibility.

Similarly, organisations are primarily seen as responsible for managing privacy risks, particularly in relation to prevention, while responsibility appears more shared when it comes to responding once problems arise. Very few believe individuals should be responsible for either preventing or addressing privacy problems.

  • For preventing privacy problems from occurring: just under half (46%) say organisations should have primary responsibility, 35% favour a shared model led by organisations, and 16% say government should be responsible.
  • For addressing privacy problems after they have occurred: responsibility is evenly split between organisations (34%) and government or regulators (34%), with 29% preferring a shared approach led by organisations.

Together, these distributions suggest a distinction in how responsibilities are understood across the privacy lifecycle, with prevention more firmly associated with organisations and post‑incident responses seen as requiring a broader institutional role.

Some demographic differences are evident:

  • Men are more likely than women to believe organisations should carry primary responsibility for preventing privacy problems (51% vs 41%).
  • Those aware of data breaches in Australia in the 12 months prior to the survey are more likely to favour a shared responsibility model led by organisations for both preventing (38% vs 28%) and addressing (32% vs 24%) privacy problems.
  • Those unaware of any data breaches are more likely to believe government and regulators should take greater responsibility for prevention.
Previous chapter
Next chapter
OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia