Data and cyber security

We are committed to protecting our customers privacy.



SDG Goal 16
Data and cyber security


With the establishment of Wesfarmers OneDigital, our businesses are continuing to accelerate their investment in data and digital capabilities. In this context, we are committed to being a trusted and responsible custodian of the data we hold on behalf of customers.

Our data, digital and cyber strategies are underpinned by Wesfarmers' core values of integrity, accountability and openness which support our culture of doing what is right and our transparent approach.

Expectations regarding the collection, use and protection of data continue to evolve at pace. We recognise the importance of retaining community confidence and strive to adhere to legal and regulatory standards. We listen carefully to community expectations regarding data from customers, team members and other stakeholders.

As part of our risk management program, Wesfarmers has identified risks related to data and cyber security including changing customer expectations and regulatory environment, damage or dilution of Wesfarmers’ reputation, and customer trust in technology and cyber security.

During the year, Wesfarmers continued to grow and strengthen its data privacy and cyber security teams and capabilities, to protect data and mitigate the risk of data breaches including through cyber attacks. This included the establishment of a specialist privacy and customer trust team within OneDigital supporting and facilitating the sharing of best practices throughout the Group.

The cyber security teams collaborate actively across the Group, and with the Group’s information technology and advanced analytics teams, and key strategic partners. The Group also designed and prototyped an active defence concept to improve threat intelligence and response capabilities in each division. This year, the Group has observed a heightened and active cyber threat landscape globally. Wesfarmers’ dedicated defence team supported each division to proactively identify, prevent and respond to cyber threats and incidents, including globally significant cyber events.

Across the Group, we have invested in and enhanced cyber security controls. This includes governance practices like technology governance and risk management, supply chain risk management, metrics and maturity models, recruitment and development of cyber security talent and capability, and protective technologies such as cloud security governance, identity and access management and network segmentation.

The Group has continued to strengthen controls in privacy compliance and data protection, and cyber security detection, monitoring and resilience, and further development of privacy enhancing processes such as privacy by design, privacy impact assessments, de-identification processes and other privacy-related controls.

Where customer cardholder data is managed or handled, the divisions continue to demonstrate Payment Card Industry Data Security Standard (PCI-DSS) assurance.

These investments support Wesfarmers’ commitment to being a trusted and responsible custodian of the data we hold, to comply with the laws governing privacy and cyber security.

Wesfarmers’ Code of Conduct and key Group policies and standards, such as the Information Technology Policy, cyber security standards, and Enterprise Risk Management Framework, apply across the Group. They outline guiding principles on privacy, confidentiality, record keeping, cyber security risk management, and the acceptable use of the Group’s data and digital assets. Each division also has its own policies and processes that operationalise the Group policies and standards. Wesfarmers’ commitment is further supported by governance practices including a Shared Data Asset Charter, principles relating to data ethics and privacy by design and processes including data ethics and privacy review processes.

The newly launched OnePass business was designed and developed to align leading cyber security models with a high maturity level using currently accepted international best practices. Following the acquisition of API, Wesfarmers is working closely with the divisional leadership team to transition Group-level technology and cyber security governance practices, capabilities and plans.

Wesfarmers also continued to improve data governance, handling, and privacy processes across the Group’s information technology related projects, OneData, and our divisions. The ongoing development of the OneData shared data asset aligns the associated data governance, privacy, and cyber security information management systems to international standards. During the year, the divisions continued to invest in privacy, data enablement, governance capabilities, processes, and tools. Where appropriate, privacy policies were reviewed and updated, and improvements were made to customer registration and consent processes to improve customer engagement and experience for direct marketing and data sharing.

The OneDigital board was established during the year, comprising the Managing Directors of OneDigital, Bunnings, Kmart Group, Officeworks and Health, and the Group Managing Director, Chief Financial Officer and Chief Human Resources Officer. Team members completed training in relevant areas, including on privacy and cyber security. Data Councils or Data Governance committees with cross-functional representation met regularly with a focus on using data responsibly, and senior leaders across Wesfarmers’ divisions continued to review key data projects at regular cross-divisional forums.

In the coming year, Wesfarmers will continue to increase data, digital and cyber security capabilities and invest in talent, further maturing the Group in the areas of privacy, data ethics, data governance and cyber security. The Group will also continue to develop its cyber security and privacy information management systems as well as the Group’s data enablement, risk and governance frameworks.


GRI 103-1, GRI 103-2, GRI 103-3, GRI 413-2, GRI 418-1