Anna Johnston, our Founder and Principal, is one of Australia’s most respected experts in privacy law and practice.
With her qualifications in law, public policy and management, and over 25 years’ experience in legal, policy, research and consulting roles, Anna brings a breadth of perspectives and a wealth of experience to dealing with our clients’ privacy and data governance challenges.
Since establishing Salinger Privacy in 2004, Anna has provided advice on managing privacy risks to clients including tech start-ups, established businesses and government agencies. She has conducted Privacy Impact Assessments on large and highly complex cross-jurisdictional projects for government including on the launch of the NDIS and the design of the My Health Record scheme. Her private sector clients cross the economy, including the health, banking, human services, education, media, pharmaceutical, technology, insurance and professional services sectors.
Anna’s advice on data ethics and the application of privacy design strategies to complex data linkage projects has assisted clients including at the establishment of the NSW Centre for Education Statistics & Evaluation and the Victorian Centre for Data Insights. She has also guided clients grappling with privacy and data management issues in the research and data analytics space across non-profit medical research institutes, for-profit data analytics companies, health service providers, universities and governments conducting multi-agency research and evaluation projects.
Anna’s influential and widely-read Salinger Privacy blogs have been quoted in the robodebt royal commission, prompted reforms to NSW privacy laws and a boycott of the 2016 Census, won awards for privacy writing, and introduced a new concept – individuation – into the privacy lexicon. She also writes about privacy law and practice for publications including the Law Society Journal. In 2022 Anna presented as a guest lecturer in Data Privacy Law for the Faculty of Law and Justice at UNSW, and was appointed to Xero’s Responsible Data Use Advisory Council.
As the former Deputy Privacy Commissioner for NSW, Anna also knows the regulator’s perspective. Since establishing Salinger Privacy, she has also been commissioned to write privacy guidance publications, and deliver presentations and training, on behalf of other regulators including the Australian, NSW and Victorian Privacy Commissioners. Given the depth of her experience in the sector, Anna is known as ‘the’ expert on NSW privacy laws. She has read and annotated hundreds of NSW cases for our ‘PPIPA in Practice’ guide, and since 2001 has provided a pro bono caselaw update to NSW privacy practitioners at their quarterly meetings. Anna also authors most of our range of guidance publications.
Anna has been called upon to provide expert testimony before various Parliamentary inquiries, the Productivity Commission and the European Commission, spoken at numerous conferences, and is regularly asked to comment on privacy issues in the media. She is a lifetime member of the Australian Privacy Foundation, a member of the International Association of Privacy Professionals (IAPP) since 2008, and in 2019 was recognised as an industry veteran by the IAPP with the designation of Fellow of Information Privacy (FIP).
In 2022, Anna was honoured for her ‘exceptional leadership, knowledge and creativity in privacy’ with the IAPP Vanguard Award, one of five privacy professionals recognised globally whose pioneering work is helping to shape the future of privacy and data protection. While her day-to-day work involves assisting clients to develop innovative approaches to privacy protection, the Vanguard award was bestowed in reflection of Anna’s contributions to the privacy profession, and to the protection of privacy for the benefit of all. In particular, the award recognised Anna’s contributions in a voluntary capacity over 20 years, including both formal and informal advocacy on key issues, multiple pro bono advisory positions, and knowledge-sharing through speaking and writing about privacy. Her passionate pursuit of law reform to improve protection against digital harms was called out in particular.
In 2023, Anna was appointed a Senior Fellow, Global Privacy of the Future of Privacy Forum in Washington DC, in recognition of her “thought leadership and extraordinary ability to convey the state of play and foresight of data protection and privacy law developments in Australia”.
Anna’s pro bono advisory, advocacy, academic and editorial positions have included:
- Visiting Scholar at the Research Group on Law, Science, Technology and Society of the Faculty of Law and Criminology of the Vrije Universiteit Brussel (VUB), 2018
- Advisory Board Member for the EU’s STAR project, to develop training on behalf of European Data Protection Authorities, 2017 to date
- Member of the Asian Privacy Scholars Network (APSN), 2017 to date
- Editorial Board Member, Privacy Law Bulletin, 2010-16
- Advisory Committee Member, the Australian Law Reform Commission’s Inquiry into the Invasion of Privacy, 2013-14
- Board member, the International Association of Privacy Professionals, Australia & New Zealand, 2010-11
- Advisory Committee Member, the Australian Law Reform Commission’s expert advisory group on health privacy for the Review of the Privacy Act, 2006-08
- Project Team Member, University of New South Wales’ Interpreting Privacy Principles project, 2006-09
- Campaign Director, NoIDCard, the successful campaign against the proposed Access Card, 2006-07
- Chair of the Australian Privacy Foundation, 2005-06; Member of the International Committee 2018 to date
- Consumer Representative Member, National E-Health Transition Authority’s Consumer & Clinician Forum, 2005-06
- Primary Author, Australian country reports for Privacy International’s Privacy and Human Rights, 2005-06
- Editorial Board Member, Privacy Law & Policy Reporter, 2004-06
Anna holds a first class honours degree in Law, a Masters of Public Policy with honours, a Graduate Certificate in Management, a Graduate Diploma of Legal Practice, and a Bachelor of Arts. She is a Certified Information Privacy Professional, Europe (CIPP/E) and a Certified Information Privacy Manager (CIPM). She was admitted as a Solicitor of the Supreme Court of NSW in 1996. However since she no longer practices as a solicitor, she won’t mind your lawyer jokes at all.
Melanie Casley, Senior Privacy Consultant, has deep experience in the application of privacy laws, having worked in the field since 2002, across both regulatory and advisory capacities.
At Salinger Privacy Melanie has led Privacy Impact Assessments into complex, multi-jurisdictional projects, such as a project to develop a real-time national information-sharing system for child protection, and data linkage and analytics projects in the health and disability sectors.
In 2021 Mel completed a three-month secondment to Rio Tinto in its Global Data Privacy Team to assist with the completion of PIAs and a range of data privacy advices spanning Rio Tinto’s world-wide operations. At Rio Tinto, Mel worked closely with the existing Data Privacy Team, Rio Tinto’s Global Cyber Security Team, broader Information Security and Technology members and other key business operations including Procurement, Human Resources and Exploration operations based in Australia, New Zealand, Canada, Utah, France, Singapore, Serbia, Kazakhstan, India, Zambia and Mongolia. Each of these PIAs required Melanie to use Rio Tinto’s existing risk management platform, Global Data Privacy Standard, local data privacy laws, and rely on local knowledge of Rio Tinto staff to develop her advice.
Other notable engagements with public sector clients include Mel’s development of a framework for privacy management for the Queensland Government’s Unify program, along with a series of seven PIAs on different aspects of the Unify program. The Unify program is a four-year project to replace legacy client-management systems and improve information sharing and collaboration across the social services and justice sectors, led by the Department of Child Safety, Youth and Women, in partnership with the Department of Youth Justice. Mel has also conducted privacy compliance reviews for clients needing a health check of their existing operations.
Mel has previously served as Manager of the Information and Privacy Unit in the Victorian Department of Justice and Regulation (now known as the Department of Justice and Community Safety), overseeing the compliance of both the Department, and statutory agencies within the Justice portfolio, in relation to privacy and related laws. She has also managed the secretariat functions for the Justice Human Research Ethics Committee, and coordinated a Whole of Victorian Government approach to privacy governance and policy. Prior to her role with the Victorian Department of Justice and Regulation, Mel performed a number of policy, training and compliance roles with the Office of the Victorian Privacy Commissioner (now known as OVIC).
Melanie is also the editor of the privacy law section of the Fitzroy Legal Service’s Law Handbook.
Melanie holds a Bachelor of Laws, a Bachelor of Arts, and a Graduate Diploma of Educational Psychology. She was admitted as a Solicitor of the Supreme Court of Victoria in 2001.
Mel is also an accredited mediator, a member of the IAPP, a Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) and Certified Information Privacy Professional – Europe (CIPP/E). In 2022 Melanie was recognised as an industry veteran by the IAPP with the designation of Fellow of Information Privacy (FIP).
Alex Kotova, Privacy & Technology Specialist, has developed her privacy expertise through roles across multiple industries, including banking, retail, hospitality, gaming and health insurance.
Alex has particular expertise in applying privacy principles to the rapidly moving technology landscape, including the implementation, use and governance of expert systems (including artificial intelligence, machine learning, and algorithms) and other emerging technologies. She has advised extensively on third-party software, complex data flows, and data sharing arrangements. She has a special interest in the operation of data ecosystems, including AdTech and data brokerage.
With her extensive experience in in-house roles, Alex brings to her clients a solid understanding of how privacy risk fits into broader organisational risk profiles and project management activities, to ensure privacy risks are identified and mitigated without disrupting existing risk management processes. She excels at developing a pragmatic understanding of our clients’ business operations and objectives to provide tailored and relevant advice on the practical application of privacy principles; the suitability and potential uplift of existing controls; and preparedness for upcoming regulatory changes.
Alex is able to offer advice at all stages of project delivery, including Privacy by Design at the inception of projects, and remediation advice for previously delivered initiatives, systems and processes. She can also advise on the development of policies, procedures and frameworks to enable and support the privacy function, providing governance for its operation in a broader risk management context and uplifting compliance maturity.
Alex holds a Bachelor of Laws / Bachelor of Arts, a Graduate Diploma of Legal Practice and was admitted as an Australian Lawyer in Victoria in 2015. She is also a member of the IAPP, a Certified Information Privacy Manager (CIPM), and Certified Information Privacy Professional – Europe (CIPP/E).
Justin Frank, Privacy & Technology Specialist, is an experienced privacy advisor, with qualifications in both technology and law.
Justin has experience at a senior level, in ensuring compliance with State and Federal privacy laws and related statutory regimes, particularly in assisting stakeholders to understand and navigate their obligations. Justin prides himself on taking a proactive and pragmatic approach to privacy, reflecting his belief that organisations are best served by implementing privacy solutions that are compliant and mirror best practice, with a view to the evolving regulatory environment. Justin combines his past experience with technology and the law to provide understanding, practical advice, guidance and comprehensive solutions.
Immediately prior to joining Salinger Privacy, Justin served as Associate Director in the Global Privacy Office of National Australia Bank (NAB). Prior to NAB, Justin worked as a privacy and FOI specialist lawyer with a Commonwealth regulatory agency. Justin has held numerous positions within the Victorian and Commonwealth public service and worked in technology roles in the retail and telecommunications sectors, including as a Senior System Engineer at Coles Myer.
Justin holds a Bachelor of Science, Bachelor of Laws with Honours, Master of Laws, and Graduate Diploma of Legal Practice. Justin was admitted as an Australian Lawyer in Victoria in 2015. He is also a member of the IAPP.
Emily McGufficke, Senior Privacy Consultant, brings an extensive background in privacy compliance and risk management to her client engagements.
Drawing from her experience working in health, legal and financial sectors as well as regulatory roles, Emily can articulate for our clients how privacy obligations apply to their operations, the material privacy risks associated with their business activities, and the appropriateness of the controls and compliance arrangements in place.
Before joining Salinger Privacy, Emily held in-house privacy roles across both government and for-profit organisations. Most recently as Privacy Compliance Manager at the Commonwealth Bank, Emily assisted business units and Line 1 risk teams to identify and mitigate privacy risks in projects ranging from handling personal information about individuals experiencing vulnerability, through to implementing high privacy risk technology such as biometric identification and use of AI. She also supported privacy compliance and risk management for start-ups and new digital solutions via x15ventures, CBA’s venture scaler and innovation arm.
Emily also has a deep appreciation for the expectations of a privacy regulator, having worked in the OAIC, where she investigated and conciliated complaints, and conducted privacy audits and data-matching inspections on behalf of the Privacy Commissioner.
Emily holds a Bachelor of Laws with Honours, a Bachelor of Arts, and a Graduate Diploma of Legal Practice. Emily was admitted as a Lawyer of the Supreme Court of NSW in 2010. She is also a member of the IAPP.
Andrea Calleia, our Director of Learning, has extensive experience in the learning and development field, and has specialised in privacy training since 2003 when she managed the privacy education program for the NSW Privacy Commissioner’s Office. Since joining Salinger Privacy in 2008 Andrea has managed our e-learning privacy training program, and delivers most of our face to face training. She has developed and delivered customised privacy training on behalf of clients including QANTAS, Sage Software, the Office of the Australian Information Commissioner, and PRAXIS Australia.
Andrea is consistently rated “5 out of 5” by our training participants and has been described as “excellent and engaging”, “enthusiastic, clear and effective”. She developed our Privacy Management in Practice workshop program, which has been described by participants as “top notch”, “practical and informative” and “effective for all participants coming from varied organisations”. Andrea also delivers our CIPM training on behalf of the International Association of Privacy Professionals (IAPP).
Andrea has been appointed to the IAPP’s ANZ Advisory Board for 2020/2021, and again for 2022/2023, to promote and serve the privacy profession in Australia and New Zealand.
Andrea holds a Bachelor of Arts majoring in Education and Human Resources, and a Certificate IV in Training and Assessment. As an alumni of the University of New South Wales, she is a Mentor for students specialising in the fields of Human Resources and Learning and Development. Andrea is a Certified Information Privacy Professional – Europe (CIPP/E), Certified Information Privacy Manager (CIPM), a Certified Information Privacy Technologist (CIPT), a Certified Practitioner of Human Resources with the Australian Human Resources Institute, a Fellow of the Australian Institute of Training and Development (AITD), a member of the IAPP, and a member of the Australian Privacy Foundation. In 2021 Andrea was recognised as an industry veteran by the IAPP with the designation of Fellow of Information Privacy (FIP).
Nicole Hunt, Client Relationship Manager, is a leader in the Australian privacy professionals industry.
Nicole draws on her extensive experience in privacy risk and compliance to understand our clients’ challenges and needs. She has held senior roles including as Executive Manager Privacy at Commonwealth Bank Group, Group Privacy and Ethics Specialist at ANZ Banking Group, Director of Privacy at the Australian Digital Health Agency, Senior Privacy Advisor at the NBN, and Compliance Deputy Director at the OAIC.
Knowing that organisations need a collective line of defence, Nicole is passionate about the importance of training, to stress that privacy compliance is everybody’s job. In fact before she joined Salinger Privacy, Nicole was our client, implementing our training solutions to help uplift privacy capability, across two organisations in different sectors.
Nicole has a Bachelor of Arts with Honours specialising in Criminology, writing her thesis on stalking laws and criminal behaviours, and is an active member of the IAPP.
We often also collaborate with Stephen Wilson of Lockstep Consulting. Stephen is a leading international authority on digital identity and cyber security. His career spans more than 28 years in IT, software engineering and R&D management, in both Australia and the US, and since 1995 he has specialised in e-security. Stephen is Managing Director of ValidIDy and Lockstep Consulting, and has partnered with Salinger Privacy on a number of PIAs and other client engagements since 2005.
Stephen’s privacy experience is founded on many years working in the sensitive sectors of healthcare and government, and forged through highly original research into the complex interplay of privacy and security. He has pioneered privacy engineering and design techniques to tailor practical guidance for information architects, designers and project managers, to help build privacy controls into the formative stages of systems development. Stephen has helped organisations in government, health and finance throughout the Asia Pacific, with e-security strategy, policy, architecture, privacy, risk management, governance and technology selection.
Stephen has long been involved in public policy in privacy and security. He was a member of the ALRC’s Developing Technology Advisory Sub-committee (2007-08) and the Federal Privacy Commissioner’s PKI Reference Group (2000). He has served as Standards Australia’s Nominated Privacy Expert on the ISO Financial Services Security Technical Committee 68/SC 6. Stephen has authored numerous submissions to public inquiries into privacy, including the National Health Privacy Code (2003), the Privacy Act (2005), the Health & Welfare Access Card (2007), and Health Identifiers (2010).
Stephen holds an honours degree in Electrical Engineering, and a Bachelor of Science.
Depending on the nature of any given engagement, we may also bring on board Dr Chris Culnane of Castellate Consulting. Chris is an expert in cyber security and privacy, specialising in re-identification risk assessments. He has previously held academic posts at the University of Surrey and the University of Melbourne, where his research focus included the integrity of electronic voting, and the privacy and cyber security of open data releases.
Chris has partnered with Salinger Privacy on policy and research work in relation to online identifiers and developing law reform options. Chris also has a particular expertise in evaluating the privacy risks posed by large datasets, and has written extensively about de-identification and re-identification risks. His work led to the discovery of re-identification risks in the Federal MBS/PBS open data release, and more recently the Victorian government release of Myki data.
Whilst at the University of Melbourne Chris led consultancy contracts which undertook evaluations of privacy-preserving techniques, including for the Australian Bureau of Statistics and Transport for New South Wales. He was also the technical lead on the vVote project, which designed and implemented an end-to-end verifiable election system for the 2014 Victoria State Election, which at the time was the largest politically binding deployment of an end-to-end verifiable election.
In addition to his technical work, Chris has also led a number of consultation responses including in relation to Data Sharing and Release, and the Consumer Data Right, as well as appearing as a witness at both state and federal inquiries, including Electoral Matters Committees and the PJCIS inquiry into the Assistance and Access Bill (now TOLA).
Chris holds a first class honours Bachelor of Science in Computing, a Master of Science in Internet Computing, and a PhD in Computer and Information Systems Security.