DATA HOARDING IS OUT – THE CASE FOR DATA MINIMISATION IN AUSTRALIA
What if holding too much data becomes a liability, not an asset? Qantas Airways made headlines in June 2025 when criminals dumped 5.7 million customer records on the dark web.
The incident exposed Qantas to potential penalties under Australia’s strengthened privacy laws: the greater of A$50m, three times the benefit gained or 30 percent of domestic turnover.
The traditional data-hoarding approach of collecting and storing as much data as possible indefinitely now exposes organisations to significant liability as cyber security breaches become rampant.
Future data-rich businesses should consider prioritising trust over scale and embracing data minimisation as a core governance principle. The critical question is whether Australian executives and boards will abandon data hoarding to become lean custodians of only genuinely needed data.
The regulatory reset
Australia’s Privacy Act 1988 has long set standards for personal information management, but recent reforms are fundamentally changing the risk profile.
Introduced after major data breaches, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 marked Australia’s sharpest pivot toward deterrence. It significantly increased penalties and granted the Office of the Australian Information Commissioner (OAIC) new investigative powers, signalling the end of the low-consequence era.
The government’s response to the Privacy Act Review Report and the Privacy and Other Legislation Amendment Act 2024 further signal stronger enforcement, introducing new civil penalties commensurate with privacy interference and expanding enforcement powers.
