Data and cyber security

We are committed to protecting our customers' privacy.

SDG Goal 16
CyberSecurity POD

We are committed to being responsible custodians of the data we hold by protecting the privacy of team members, customers, suppliers and stakeholders, and keeping data secure. Effective data analytics enables us to better understand our customers’ demands and preferences, to improve our approaches to marketing and to be responsible stewards of our customers’ data.

Wesfarmers continues to make strong progress in accelerating data and digital capabilities across our businesses. Wesfarmers’ achievements this year have included further investment in digital offers across all divisions, a significant expansion of the Group’s online presence, the establishment of the Group data platform to enable customer data insights across the Group and continuing to better leverage data insights to drive better decisions and improve operations. Wesfarmers recognises that the external environment and expectations of key stakeholders in relation to the collection, use and security of data continue to evolve quickly. As part of our risk management program, Wesfarmers has identified some relevant risks, including damage or dilution to Wesfarmers’ reputation or brands, changing customer expectations and technology, cyber security and data-related risks, inclusive of privacy.

As a result, the Group continues to make ongoing investments in data privacy compliance and protection and cyber-security resilience. These investments support Wesfarmers’ commitment to be a responsible custodian of the data we hold, to comply with the laws governing data privacy and cyber-security, and to act ethically with honesty, integrity, fairness and accountability.  

Wesfarmers’ Code of Conduct and key Group policies and standards, such as the Information Technology Policy and cyber-security standards, apply across the Group. They outline guiding principles on privacy, confidentiality, record keeping, cyber-security risk management and the use of and access to the Group’s data and digital assets and information systems. Each business also has its own operating policies and processes relating to privacy, cyber security and data classification and handling. The Wesfarmers’ Data Ethics Principles and associated data ethics and privacy review processes further support Wesfarmers’ commitment to be a responsible data custodian. After an initial pilot, the Principles and review processes are being implemented across the Group. 

During the year, Wesfarmers continued enhancing data privacy and cyber-security teams and processes. This included the appointment of a Group Chief Information Security Officer, who is supported by additional security, data governance and data assurance specialists. Wesfarmers has invested in and improved proactive cyber-security controls across the Group, including secure development training, cyber threat intelligence scanning, data breach monitoring, network segmentation and access controls, third-party data governance and assurance processes. Additionally, where customer cardholder data is managed or handled, the businesses continue to demonstrate Payment Card Industry Data Security Standard (PCI-DSS) assurance. 

The Group established a dedicated cyber threat intelligence reporting platform to improve awareness of and reduce reaction times to cyber-security threats and incidents. The platform is complemented by greater collaboration between the Group’s information technology, security and advanced analytics teams and key strategic partners in information security, privacy and data ethics.  

Wesfarmers also continued to improve data governance and privacy processes for Corporate Office information technology related projects, the Advanced Analytics Centre and across our divisions. This included risk identification workshops for key data-focused Group projects and the ongoing development of the Advanced Analytics Centre shared data platform and associated cyber security and privacy information management systems in line with International Organization for Standardization (ISO) standards. During the year, the divisions continued to invest in data governance and protection processes and tools. They reviewed their privacy policies and updated them where appropriate. External experts were engaged to assist with improving customer understanding and engagement with the sign-up and consent process for direct marketing. 

Senior leaders across Wesfarmers’ businesses continued to review key data projects at regular Data and Digital Steering Committee meetings, while team members completed training in relevant areas, including on the Wesfarmers Data Ethics Principles, data privacy and cyber-security, which included a broad cyber awareness program. Several divisions established Data Governance committees with cross-functional representation that met regularly to consider matters relating to data collection, use and governance.

In the coming year, the Group will continue developing the cyber security and privacy information management systems for the Wesfarmers Advanced Analytics Centre and its platform, as well as the Group’s data governance frameworks and data classification and protection processes. Wesfarmers expects to continue to increase capabilities and maturity across the Group in the areas of data privacy, ethics and governance, and cyber security, including assessment processes and training.

GRI 103-1, GRI 103-2, GRI 103-3, GRI 413-2, GRI 418-1