Australians are losing trust in AI and privacy practices

Privacy is no longer a back-office issue; it is a social licence and trust issue, that sits right at the centre of how your organisation is judged.

The OAIC’s 2026 Australian Community Attitudes to Privacy Survey shows Australians are increasingly concerned about privacy, while trust in Artificial Intelligence (AI) remains extremely low.

30 Second Take

The survey also points to stronger community expectations for transparency, fairness, proportional collection of information, and better complaints handling.

For organisations, the message is important:

Privacy governance is becoming a visible test of operational discipline, customer trust and board oversight.

Enterprise wide understanding and governance are critical

People, and your regulators, are telling you they want to know what data is being collected, why it is needed, how it is used, and what happens when something goes wrong.

That matters because even where a practice is technically permitted, it may still be seen as unfair, unnecessary or hard to understand. Those perceptions can quickly become a conduct, reputational and regulatory risk.

The impact is not limited to the obvious, being the privacy teams. It also affects boards, executives, product owners, digital transformation programs, marketing teams, customer experience functions, complaints handlers, information security teams and those accountable for data-driven growth.

What should you ask

Key questions boards should be asking are:

  • Do we know our most critical risks and why they matter?
  • Can we clearly explain our use of personal information and AI in a way customers actually understand?
  • Can we evidence our testing and clarity on management accountability?
  • If a privacy complaint landed on the CEO’s desk tomorrow, could we evidence our decisions and response times?
  • Have we prioritised focus across AI, process management, enterprise risk, culture and risk in change?

Boards should be asking whether privacy controls are designed for real-world use, whether complaint trends are being reported as risk signals, and whether the organisation can demonstrate fairness, accountability and improvement over time.

What next

Next steps should focus on maturity, evidence, ownership and uplift. That means testing management on privacy and data collection, whether AI and biometric use is clearly disclosed, whether retention and deletion are working, whether complaint handling is timely, and whether responsibilities sit with named owners.

Bottom line: this is a reminder that trust is earned through everyday governance and risk practice, not policy statements.


To learn more about where to focus on in your governance, our Board Risk Snapshot provides you a secure tool to help you focus on the key areas.

More from the Reading Room

Using AI Risk Management to Accelerate Innovation

New Diligent Institute / Governance Institute of Australia data shows 61% of Australian boards restrict employee AI use while only 13% have an AI-literate director — proof that restriction and real governance are pulling apart. NIST's expanding AI Risk Management Framework and the EU AI Act's 2 August 2026 third-party accountability deadline show how structured, evidence-based workflows are what actually let AI adoption move faster, safely.

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.