Privacy: Proposed reforms to the Privacy Act, Privacy Law and Enforcement

ASFA National Legislation Group Webinar – September 2025

At our recent ASFA Legislation Discussion Group, Anna Johnston of Helios Salinger delivered a timely update on the evolving privacy landscape. Her presentation underscored that privacy risk is business risk and that superannuation trustees must be proactive in strengthening their privacy frameworks.

Why privacy matters now more than ever

The regulatory environment has shifted significantly in recent years. Key developments include:

  • Higher penalties for serious privacy breaches (increased in 2022).

  • Expanded regulatory powers, with a new Commissioner in place.

  • A statutory tort of privacy commencing in June 2025.

  • Automated decision-making (ADM) transparency requirements from December 2026.

  • A second tranche of reforms expected in 2025, which may extend obligations to small businesses and expand the definition of personal information.

For superannuation funds, this means compliance can’t stop at tick-the-box exercises. Trustees need to anticipate change, adapt governance and ensure privacy is treated as a strategic priority.

What’s coming in Tranche 2 reforms

Anna highlighted the potential impacts of Tranche 2 reforms, including:

  • Expanded coverage to small businesses and employee records.

  • Broader definition of personal information, explicitly including inferred or generated data.

  • Stronger standards for consent (no more bundled or mandatory consent).

  • A new “fair and reasonable” test for data handling.

  • Proactive obligations for organisations to manage privacy risks.

For trustees, these reforms will fundamentally change how personal information is collected, stored, and disclosed.

Seven steps to prepare now

Anna outlined seven practical steps super funds can take to get ready:

  1. Update your enterprise risk framework to explicitly integrate privacy risks given the substantial penalties now in place.

  2. Assess your organisation’s privacy maturity against regulator expectations and peers.

  3. Update data asset inventories so you know exactly what member information you hold.

  4. Nominate a senior employee to take clear responsibility for privacy.

  5. Revise policies and procedures to align with upcoming reforms.

  6. Implement change management to embed privacy awareness in daily operations.

  7. Conduct a gap analysis, focusing on areas of high privacy impact (such as member data handling, third-party providers, and automated systems).

Where the sector stands today

Findings from Privacy Pulse 2025 show that the financial services and insurance sector scores an average of 2.55 out of 4 for privacy maturity, with most organisations still in the “developing” stage rather than “defined” or “leader” categories.

For super funds, this indicates significant room for improvement, particularly in risk identification and governance practices.

How to benchmark your fund

Anna recommended that trustees:

  • Use Helios Salinger’s self-assessment tools to measure privacy maturity.

  • Compare results against industry peers, using the Privacy Pulse 2025 report data, to identify strengths and weaknesses.

  • Brief boards and executives on current maturity levels and areas requiring investment.

  • Consider commissioning an independent privacy maturity assessment for a more objective view.

Key takeaways for super funds

  • Privacy reforms are real, imminent, and material to business operations.

  • Treating privacy as a core governance issue (not just a compliance obligation) reduces risk and builds member trust.

  • Start preparing now using Anna’s seven steps to ensure your fund is positioned ahead of the reforms.

Further information:

Steps to prepare for Privacy Act reform

Privacy Pulse – Measuring Maturity