Privacy Awareness and Classification of Information Training 2026

Welcome

The purpose of this training:

In 2026, privacy isn’t just compliance — it’s trust. Every day we handle personal information belonging to clients, tenants, suppliers, and colleagues, and the way we protect that data reflects directly on our reputation and credibility. With new regulatory scrutiny, including the OAIC’s 2026 privacy policy sweep, it’s more important than ever that every staff member understands how personal data must be collected, stored, handled, and protected. This training will guide you through your responsibilities and ensure we all uphold the privacy standards our stakeholders expect.

What to expect:

These topics are similar to the other topics that you completed in the SAT training. At the end of the information, you’ll be asked 6 questions to assess your understanding of what you have just learnt.

Please try to complete the training in 1 sitting. It will take approximately 25 minutes to complete.


Pass-mark:

You will need to get at least 80%.

Privacy

Why Privacy Matters


Privacy has moved from a compliance “tick-box” to a national enforcement priority. With the OAIC launching its first-ever 2026 Privacy Policy Compliance Sweep, regulators are checking whether businesses clearly explain how they collect and use personal information, especially during in‑person interactions. Staff must understand that privacy breaches can now trigger infringement notices, escalated investigations, and large civil penalties, even for unintentional mishandling. Protecting privacy is now central to maintaining trust with customers, tenants, buyers, suppliers and internal staff alike.

The Australian Privacy Principles (APPs) – Your Day‑to‑Day Responsibilities

APP requirements have been strengthened through legislative reforms.

Staff must:

  • Collect only the minimum data necessary for an activity
  • Collect information directly from the person unless impractical
  • Offer pseudonymity where appropriate
  • Ensure data is accurate, current, and relevant before using it

Additionally, from 2026, privacy policies must now disclose where automated decision-making is used, what kind of decisions are automated, and what personal data is involved.

Handling Personal Information Across Giuliano Group


The OAIC has specifically flagged industries involving property and rental interactions as high‑risk for over‑collection. This directly affects your group.

Staff must:

  • Never share personal information between group businesses unless explicitly permitted
  • Only rely on documented consent, such as signed forms, opt‑ins, or recorded permissions
  • Avoid collecting identity documents or sensitive information unless absolutely required

Incorrect handling, even by well‑meaning staff, may now attract regulatory scrutiny due to increased enforcement powers.

Data Breaches – Reporting Must Be Immediate


Under the newly strengthened Privacy Act framework, organisations must show they are taking “reasonable steps” to protect personal information — which now includes technical and organisational safeguards.

Staff must immediately report:

  • Personal information sent to the wrong person
  • Unauthorised access events
  • Lost devices, documents, or files
  • Suspicious system activity

Immediate reporting is critical because regulators now issue infringement notices and may impose penalties for failing to act promptly.

Individual Rights Are Stronger Than Ever


2026 changes include moves toward:

  • "Right to be forgotten"-style deletion requests
  • More robust rules around corrections
  • Greater transparency obligations
  • A requirement to say how long personal information will be retained

Staff must escalate any access, correction, or deletion requests immediately, and follow documented procedures precisely — delays can now constitute non‑compliance.

Everyday Privacy Mistakes to Avoid


High-profile data breaches have driven regulators to tighten expectations.

Staff must avoid:

  • Discussing private information in public, open, or shared areas
  • Storing data in personal email, WhatsApp, or other unauthorised apps
  • Collecting personal ID documents unnecessarily
  • Keeping information longer than required

In 2026, regulators are actively searching for signs of “over‑collection” and “unjustified retention”, especially in property and rental sectors.

Business Unit Responsibilities for Privacy Compliance


The first tranche of reforms requires privacy policies to:

  • Clearly disclose automated decision-making
  • Be fully transparent about cross‑border data flows
  • Include updated enforcement and penalty information
  • Align with the OAIC's 2026 compliance focus

Each Giuliano Group business unit must ensure its privacy statements, collection forms, digital touchpoints, and staff onboarding processes reflect the 2026 changes.



Privacy

Questions

Please answer the following 6 questions

Question 1: What is the biggest focus of the OAIC’s 2026 Privacy Sweep?





Question 2: When collecting personal information, staff must:





Question 3: Sharing personal information between Giuliano Group businesses is allowed when:





Question 4: Which of the following is considered a privacy breach?





Question 5: Are staff allowed to input personal information into external AI tools like ChatGPT?





Question 6: If the privacy breach involves a digital system, who must be contacted immediately?





Classification of Information

Classification of Information – What Staff Need to Know


Classification of information is a system that helps the Giuliano Group protect data according to its sensitivity and the impact it could have if mishandled. It ensures everyone treats information properly and prevents accidental exposure, data breaches, or regulatory issues.

1. Why We Classify Information


Classification ensures that all data—documents, emails, client records, financial files, project plans, tenancy information, P&C files, etc.—is protected at a level appropriate to its sensitivity. Correct classification supports:

  • Confidentiality: Only the right people can access information.
  • Integrity: Information stays accurate and unaltered.
  • Availability: Information can be accessed by authorised staff when needed.

2. Common Classification Levels (as used in your training)


Your training file links to the official Document & Email Classification workflow. While the file itself isn’t included in the snippet, classification schemes typically include:

  • Internal
    Information meant only for Giuliano Group staff.
    Examples: internal newsletters, non-sensitive procedures, induction info.
  • Confidential
    Sensitive information requiring restricted access.
    Examples: tenant records, P&C files, project financials, legal documents.
  • Highly Confidential / Restricted
    Information where unauthorised disclosure would cause major harm—financial, reputational, legal, or operational.
    Examples: sensitive P&C investigations, legal disputes, acquisition plans, system credentials.

The colour‑coding is referenced in your training:

3. What Classification Determines


Once something is classified, it dictates:

  • Who may access it
  • Where it may be stored
  • Whether it can be emailed externally
  • Whether encryption is required
  • How long it must be retained
  • How it must be disposed of (shredding, secure delete, etc.)

4. How Staff Should Apply Classification


Every time you create or handle information, ask:

  • Who should be allowed to see this?
  • Would it cause harm if the wrong person accessed it?
  • Does it include personal information, financial info, legal records, or system data?

Then apply the correct classification label (colour / tag) on:

  • Documents
  • Spreadsheets
  • PDFs
  • Emails
  • Shared folders

5. Classification in Email

The linked workflow (OPS‑ICT‑WF‑00039) includes classification for outgoing emails. Generally:

  • Internal = safe to circulate inside the group
  • Confidential = send only to authorised recipients
  • Restricted = never send externally unless encrypted and approved

This helps prevent accidental leaks.

6. What Staff Must Never Do

This is reinforced in ICT Information Security Guidelines:

  • Do not send classified data to personal emails.
  • Do not store company data outside Giuliano systems.
  • Do not use WhatsApp or other third‑party apps for work discussions.

7. Why Classification Matters for Audits & Compliance

Classification supports:

  • Privacy Act & APP compliance
  • ISO 27001
  • ISO 9001
  • Internal ISMS requirements
  • Incident reporting and breach management

Correctly classified information is easier to monitor, protect, and audit.

8. When in Doubt – Classify Higher

If unsure, default to Confidential to ensure protection.

Classification of Information

Questions

Please answer the following 2 questions

Question 1: Which of the following is NOT a common business goal for implementing a classification of information policy?





Question 2: What colour would you associate with a document tagged as Internal?





Correctly classifying information is one of the simplest, yet most powerful ways each staff member helps protect the Giuliano Group. Every document, email, screenshot, photo, report, spreadsheet and message contains some form of information — and how we label and handle that information determines its safety. Our internal Cyber Security Training stresses that classification supports the three core pillars of security: Confidentiality, Integrity, and Availability.

By assigning the right classification level (Internal, Confidential, Highly Confidential/Restricted), we ensure information is only accessed by the people who genuinely need it, and that it is stored, shared, transmitted and disposed of appropriately. This matters because mis‑classified information can lead to financial loss, legal breaches, reputational damage, or privacy violations.


The message is simple:

If we classify information correctly at the start, we prevent most security incidents before they happen. Take a moment with each document or email to ask:

  • "Who should be allowed to see this?"

  • "What harm could occur if it fell into the wrong hands?"

  • "Does this contain personal, financial, legal or sensitive data?"

If in doubt, choose the higher classification or speak with ICT for guidance. Every correct label strengthens our organisation’s security posture.

Congratulations!



Thank you for taking the Privacy Awareness and Classification of Information Training.

A confirmation email has been sent to you.

Important: Please take a screenshot/photo of this page and email it to People & Culture if you don't get any email notification about your result!

Sorry, you did not meet the minimum requirement to pass this training. Please try again.
