Privacy and Security by Design: avoiding the risk sinkholes that can kill projects big or small

Sep 1, 2025

Piers Cousins
Program Delivery & Cybersecurity Specialist

Andrew Lee
Director, Horizon Point

Introduction

Our economy and government rely on ever-larger quantities of personal information being managed through digital systems. This provides the convenience and speed of transactions that people expect, but it carries risks too.

Managing these risks has produced two broad areas of expertise: on the one hand, IT specialists with technical expertise in systems security (cyber), and on the other, policy or legal experts whose domain is privacy standards.

Organisations need to get both sides right. So in this article we have sought to pull these two strands together by highlighting:

  • the importance of considering privacy risks from the start in any data security strategy whether this applies to a project or business-as-usual operations;
  • the consequences for privacy when data security risk controls fail and a breach occurs.

Data security requires a broad approach, including cyber standards like the Essential Eight. It is too big a field to cover in this article, so we are focusing here on privacy by design. Put simply: information you do not collect or retain cannot be stolen. The frequency of data breaches demonstrates the risk of holding personal information and the consequences for privacy when security fails.

When is it too late to consider privacy and cyber security in a data-sensitive app development project?

If your design is already on paper, it’s probably too late.

Legitimate privacy concerns can stop your project cold — whether you’re building a national biometric platform or simply digitising a paper form. Once your project has committed to a design, fixing privacy gaps often means costly rework, delays, or even cancellation.

Many data breaches can be traced back to poor privacy and security design, so it is essential to get the design and planning stage right.

Data breach = privacy breach

It is hard to check the news without seeing another story about a data breach affecting personal information held by organisations of all sizes and sectors. These are on the rise, according to the Office of the Australian Information Commissioner (OAIC), which reports that notified breaches in the first half of 2024 were the highest in three and a half years.

https://australiancybersecuritymagazine.com.au/oaic-says-data-breach-notifications-at-three-year-highs/

All of these data breaches involved privacy infringements – so cyber security and privacy are two sides of the same coin.

Recent examples of privacy and data breach issues which have hit the news include:

JULY 2025

6 million customers have personal information, including names, birthdates and email addresses, stolen through a breach of a third-party customer contact centre used by

MAY 2025

APRIL 2025

MARCH 2025

MAY 2024

OCTOBER 2023

2020

These risks concern all organisations

The diverse circumstances of these cases (and this is just a small sample, of course) show that such breaches can happen in any organisation.

The examples here occurred in a range of organisations – private sector, public sector, tertiary. These days most organisations manage personal information and need to include cyber and privacy in their operational risk management strategies.

And at a project level, you don’t have to be working on national initiatives to hit privacy landmines. State government projects — like introducing an online leadership development portal or digitising records — also handle personal or sensitive information. Even if the stakes feel smaller, a privacy breach or poorly designed consent process can destroy community trust and derail the initiative.

Community permission and social licence

In Australia, especially at the State Government level, projects that touch personal information operate within a broader policy environment, one shaped by the concept of community permission. If the public believes their privacy is at risk, they may withdraw their social licence for the project. Once community support is lost, it doesn't matter how elegant or efficient your system is: it won't survive.

Start privacy thinking early with a Privacy Impact Assessment

Security-by-design work often starts once you have tangible artefacts like data definitions, process maps, and access models. But privacy thinking needs to start at the concept stage, when you can still decide:

  • What data to collect (or whether you need it at all)
  • How it will be transmitted, stored, and accessed
  • Whether individuals have meaningful consent and control

Expert guidance in Australia points to the value of conducting a Privacy Impact Assessment (PIA) for any project with potential privacy impacts.

As the Office of the Australian Information Commissioner puts it:

‘It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively alter a product or service to address privacy issues that come to light.’

Key principles to guide a Privacy Impact Assessment (PIA) include:

  • Take a broad view of privacy risks rather than a narrow, box-ticking compliance approach. Doing the bare minimum to avoid legislative breaches may not be enough to avoid reputational and/or financial damage.
  • Make privacy and data security a key element of the project’s quality requirements.
  • Consult with stakeholders to identify the full range of impacts.
  • Understand that there is no single, correct way to do a PIA.
  • Understand that a PIA does not have to be highly complex, and is not expected to identify and neutralise every conceivable privacy risk.
  • Consider both the human factors (e.g. training, awareness and culture) and the technological controls (physical and ICT security).

https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design

A lesson from biometrics

On the National Facial Biometric Matching Capability, early engagement with the Federal and State Privacy Commissioners exposed gaps in our understanding — gaps that could have sunk the project. A conceptual Privacy Impact Assessment (PIA) at the early planning stage helped us reshape the design before we went too far, avoiding dead ends and improving our security model.

Apply the same approach to smaller projects

The same principles work for smaller initiatives. For example:

  • A project digitising a paper-based application process might limit stored data to only what’s necessary, reducing both privacy risk and system complexity. There is no need to protect personal information if it is not collected in the first place!
  • An online leadership development program could build in clear, upfront consent processes and explain how participant data is used, stored, and shared.
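The concept-stage decisions listed earlier (what to collect, how long to keep it, whether consent is meaningful) and the two smaller-project examples above can be expressed directly in code. The following is an added illustration written for this article, not code from the original page or from any project it mentions. The form fields, the purposes that justify them and the retention periods are constructed for the example; a real project would take them from its PIA. It shows a purpose-bound intake that drops any field the form collects without a consented purpose, gives each stored field its own deletion date, and deletes fields when consent for their purpose is withdrawn or their retention period ends.

```python
"""Purpose-bound intake: privacy-by-design decisions as code (added example).

Field names, purposes and retention periods below are constructed for
illustration and are not taken from any real scheme or project.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Which fields each declared purpose justifies collecting. Anything the form
# submits that no consented purpose justifies is never stored. (Constructed.)
PURPOSE_FIELDS = {
    "assess_application": {"full_name", "email", "qualification"},
    "accessibility_support": {"access_requirements"},
}

# How long data collected for each purpose may be retained. (Constructed.)
RETENTION_DAYS = {
    "assess_application": 365,
    "accessibility_support": 90,
}


class ConsentError(ValueError):
    """Raised when a submission names a purpose the project never declared."""


@dataclass
class Record:
    applicant_id: str
    fields: dict        # stored field -> value
    expires: dict       # stored field -> date on which it must be deleted
    consented: frozenset  # purposes the applicant agreed to


def minimise(submission: dict, consented_purposes) -> tuple[dict, list]:
    """Keep only the fields justified by a consented purpose.

    Returns (kept, dropped). The dropped list tells the project which fields
    its form is asking for without justification, so they can be removed
    from the form rather than silently discarded at every submission.
    """
    allowed = set().union(*(PURPOSE_FIELDS[p] for p in consented_purposes))
    kept = {k: v for k, v in submission.items() if k in allowed}
    dropped = sorted(k for k in submission if k not in allowed)
    return kept, dropped


def intake(applicant_id: str, submission: dict, consented_purposes, today: date):
    """Minimise a submission and stamp every stored field with a deletion date."""
    unknown = set(consented_purposes) - PURPOSE_FIELDS.keys()
    if unknown:
        raise ConsentError(f"no declared purpose for {sorted(unknown)}")
    kept, dropped = minimise(submission, consented_purposes)
    expires = {}
    for purpose in consented_purposes:
        until = today + timedelta(days=RETENTION_DAYS[purpose])
        for name in PURPOSE_FIELDS[purpose]:
            if name in kept:
                # A field justified by two purposes keeps the longer period.
                expires[name] = max(expires.get(name, until), until)
    record = Record(applicant_id, kept, expires, frozenset(consented_purposes))
    return record, dropped


def withdraw_consent(record: Record, purpose: str) -> Record:
    """Withdrawing a purpose deletes every field only that purpose justified."""
    remaining = record.consented - {purpose}
    still_needed = set().union(*(PURPOSE_FIELDS[p] for p in remaining))
    for name in list(record.fields):
        if name not in still_needed:
            del record.fields[name]
            del record.expires[name]
    record.consented = remaining
    return record


def purge_expired(records: list, today: date) -> list:
    """Delete fields whose retention date has arrived; drop empty records."""
    live = []
    for record in records:
        for name, until in list(record.expires.items()):
            if today >= until:
                del record.fields[name]
                del record.expires[name]
        if record.fields:
            live.append(record)
    return live


if __name__ == "__main__":
    # Constructed sample submission: two fields the form asks for that no
    # declared purpose justifies, which minimise() refuses to store.
    sample = {"full_name": "A. Applicant", "email": "a@example.invalid",
              "qualification": "Cert IV", "access_requirements": "screen reader",
              "date_of_birth": "1990-01-01", "marital_status": "single"}
    rec, dropped = intake("app-001", sample,
                          {"assess_application", "accessibility_support"},
                          date(2025, 9, 1))
    print("stored:", sorted(rec.fields), "dropped:", dropped)
```

The `dropped` list is the practical payoff: run against the fields a digitised form actually asks for, it produces the list of questions the PIA has not justified, which is the list to take back to the form's owner. The per-field expiry means the short-lived accessibility data is deleted long before the application record itself, rather than living as long as the record it happens to sit in.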

Where to start

For smaller and medium-sized projects, you don’t need a full-scale privacy consultancy. Consider:

  • Seek early engagement with your State Government’s Privacy Commissioner’s office to get guidance before committing to a design. For example, in Western Australia, the newly appointed (July 2025) Information Commissioner, Annelies Moens, will have responsibility for privacy, data sharing and freedom of information under WA’s new Privacy and Responsible Information Sharing Act 2024. https://www.wa.gov.au/organisation/office-of-the-information-commissioner/about-the-office-of-the-information-commissioner
  • If a full-scale PIA is outside your budget, employ or consult with project staff — particularly Project Managers and Architects — who have lived experience in privacy-by-design and can help you shape your approach to avoid serious pitfalls.
  • OAIC Privacy Impact Assessment Guide – Practical steps for any size project: https://www.oaic.gov.au/privacy/privacy-guidance-for-agencies/privacy-impact-assessments
  • State Government privacy frameworks (e.g., NSW Privacy Management Plans, Victoria’s Privacy by Design guidance)
  • Iterative reviews – revisit privacy at each stage to keep pace with design changes
  • Incorporate privacy into your project risk framework – for example, as an aspect of reputational risks associated with the project. The project plan should include the risk controls that will apply to privacy issues.

The takeaway

Whether your project is a $200m national platform or a small departmental initiative, early, iterative privacy consideration will save money, protect trust, and preserve the social licence you need to deliver. Wait too long, and you may find yourself in a privacy sinkhole you can’t climb out of.

Once a data breach has spilled personal information your organisation was entrusted with, it can be hard to regain the trust of stakeholders and the confidence of the organisation’s leaders.