Across 2-3 December, the IAPP ANZ Summit was held in Sydney – the largest ever gathering of privacy professionals in our region, with more than 500 attendees. The Helios Salinger team was out in force, catching up with old friends, making new connections, and welcoming young professionals into the fold.
For our final blog of the year, this is our wrap of highlights from the presentations, and the impressions we took away.
While ‘AI slop’ was recently announced as Macquarie Dictionary’s 2025 Word of the Year, the Summit featured plenty of tight and meaty discussions about all things privacy, AI and data governance – quite the opposite of slop.
Australian Information Commissioner Elizabeth Tydd kicked off proceedings, offering trust as the element that unifies the three functions of her Office, being privacy, freedom of information, and information governance. She highlighted how the OAIC is using its broad canvas of regulatory powers strategically, to change behaviour for the better. With significant enforcement actions or progress in the past 12 months against companies such as Meta, Australian Clinical Labs, Bunnings, Kmart, Optus and Medibank, the OAIC’s recent organisational restructure to support its more pro-enforcement posture appears to be paying off for the regulator.
In a pitch perfect keynote, Professor Sally Cripps from the UTS Human Technology Institute spoke about both the “hype and hope” around AI. She illustrated hope with reference to the Thrive: Finishing School Well research program, which is utilising data and innovative and evidence-based methodologies to drive better educational and life outcomes for children. Human-centred AI projects like Thrive don’t succeed without robust data governance and respect for privacy built into their foundations.
Speaking of AI governance, which was the focus of a number of sessions, Lauren Solomon from the National AI Centre (NAIC) was at pains to point out the AI governance need not involve reinventing the wheel. “Normal governance applies”, she said, meaning you need data governance and a framework for managing accountability and risk – but what is different about AI is the speed at which teams need to respond, and it is that need for speed which creates challenges for traditional governance structures.
Sarah Carney from Microsoft noted that “the things we care about don’t change” just because we are using AI: fairness, ethics, accountability and transparency still apply.
Hitting us with a home truth, Sarah Hosey from NBN described data hygiene as “hard, boring and expensive”. But, she argued, to have successful AI governance, “data hygiene must come first”. This means you need solid foundations like access controls, data cleansing, data segregation, data custodianship, and clarity about data use rules. Otherwise, your AI project “will just be garbage in, garbage out”.
This ‘focus on the fundamentals’ message had much in common with a later panel session on privacy maturity. Our Director Anna Johnston gave a run-through of the results from our groundbreaking survey into privacy maturity across Australian entities, and the benchmarking data available in our Measuring Maturity report, ahead of a discussion with Greer Harris from CBA and Keith Eyre from Westpac about how to uplift maturity within organisations.
The ‘you can’t skip past the hard work’ message was reinforced by another panel session, this time on Privacy Impact Assessments (PIAs). Peter Leonard from Data Synergies argued that PIAs are not about “papering your way to compliance”, while Annan Boag from the OAIC offered the regulator’s perspective: “it’s the process behind the document” that matters. Olga Ganopolsky from Macquarie Group agreed, describing the power of “the conversations you have that sit behind” and inform a written PIA report as what ultimately drives better outcomes.
Impressive given that the new National AI Plan was released by the Australian Government only half an hour before she went on stage, Lauren Solomon from NAIC pulled out three themes for us: equal sharing of the benefits of AI across the Australian population, keeping all Australians safe, and the need to build a national infrastructure and ecosystem to support the adoption of AI.
That’s so last year: released in September 2024, the Voluntary AI Safety Standard has already been ‘evolved’. Its replacement, the October 2025 Guidance for AI Adoption, was described by Lauren Solomon as intending to make AI guidance from the Australian Government more accessible and actionable. The guidance has therefore been split into two: Foundations and Implementation practices, reflecting the differing levels of maturity of Australian entities needing guidance.
So Day 1 covered off plenty of trust and hope.
(Though for anyone relying solely on trust or hope to govern their AI projects, Sarah Carney from Microsoft offered this sage advice, which surely deserves to be printed on an IAPP sticker for next year’s conference: “If you don’t ask the question, you own the risk”.)
Day 2 kicked off with story-telling.
New Zealand Privacy Commissioner Michael Webster noted that his Office’s survey data is evidencing increasing community privacy concerns over time, and that there is particular “caution and concern” about AI. However he has also found an increasing acceptance of some privacy-invasive technology if it is effective to reduce theft, or improve public safety. Commissioner Webster said that his test for using biometrics is twofold: it must be “necessary, effective and proportionate”; and “the benefits must outweigh the risks”. This is similar to the test articulated by Australian Privacy Commissioner Carly Kind earlier this year in what we dubbed the privacy pub test.
Commissioner Webster also noted that what he suspects some privacy officers face internally is “resistance behind the mask of willingness”. His advice for privacy officers is to lean into story-telling. To shift focus away from the cost of developing or maturing your privacy program, privacy pros should “tell the story” about the cost of not having a robust privacy program. Webster exhorted privacy officers to practice an elevator pitch for when they bump into the CEO and need to justify their role: “I build and keep our customers’ trust and preserve our business’s value”.
This sentiment segued perfectly into a keynote address from IAPP CEO and President Trevor Hughes, who told the story of pivotal points in time when innovation challenged norms, disrupting society and driving progress. He demonstrated how consumer uptake and productivity gains from technology innovations, like electricity and automobiles, are dependent on trust and safety. Just as a huge amount of technical complexity, licensing, regulation and enforcement goes into making it safe for us to switch on a light bulb, our profession is now contributing to the “hard work” of making AI safe and trustworthy, which benefits society because “trust and safety allow innovation to move faster”.
Supporting the argument that hard work is needed in order to achieve safe, effective, responsible and trustworthy AI, the Helios Salinger team then hosted a workshop on how to avoid or defuse 12 landmines in AI projects. First our Director Anna Johnston introduced the Four D’s Framework, which allows risk assessment to work through the AI lifecycle phases of Design, Data, Development, Deployment. Then we ran through each of the four D’s, using our team’s war stories, and published examples, to illustrate the landmines to avoid or defuse at each phase. Our Director of Learning Andrea Calleia peppered the workshop throughout with quiz questions about the AI landmines, with the game winners those who could best clear a safe path ahead.
(Missed our workshop? You can find out more about the Four D’s Framework, and download a free copy of the handout, here: 67 Questions to Ask About AI.)
Finally, a panel discussion on neurotechnology (meaning: technology which can read or write brain activity, such as a cochlear implant) was edifying, stimulating and terrifying in equal measure. Australian Human Rights Commissioner Lorraine Finlay spoke passionately about the ability of neurotechnology innovations to have positive and transformative impacts for people with disabilities, further examined in the AHRC report Peace of Mind. Kate Bower from the OAIC noted that while the medical device use case for neurotechnology is well regulated, emerging risks will be in the consumer device space, such as gaming headsets used by children and young people. UTS Associate Professor of Neuroscience and Behaviour Kiley Seymour confirmed that gaming developers have products that are close to ‘writing to’ the brain; researchers in this field can already reconstruct what someone is thinking, or ‘see’ a decision a second before a person becomes conscious of it themselves.
The challenges are, well, mind-bending. Commissioner Finley noted that while freedom of thought has been protected in human rights instruments for generations, there has been very little understanding of what that meant in practice until now, because there was no practical way to infringe upon that right. But with developments in neurotechnology we now face two distinct risks. The first is policing the outputs of thoughts – in other words, realising George Orwell’s dystopian vision of ‘thoughtcrime’. The second is the ability to create, generate or insert thoughts directly onto the brain, which will undermine individual autonomy and agency. Harms will include misinformation, manipulation, AI hallucinations, and interference in elections. Our team left the IAPP ANZ Summit in emphatic agreement with Kate Bower’s conclusion: the need to better regulate this space is urgent and critical.
The view from the Summit of what 2026 has in store for our profession is clear: hope and trust, caution and concern, and a great deal of hard work.
See you next year.
Photo by Alessandro Erbetta on Unsplash
