Overview: Consequences of failing to comply with the data breach notification regime

Receiving a direction to notify from the Privacy Commissioner

If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with this direction as soon as practicable.

However, the Privacy Commissioner must first invite the entity to make a submission in relation to the direction. The Privacy Commissioner will consider the contents of this submission, along with any relevant advice given by third parties and any other relevant matters, before deciding whether to give a direction to notify.

The notification statement required to be produced under the direction will need to be provided to the Privacy Commissioner and affected individuals.

The Privacy Commissioner’s decision to give a direction may be reviewed by application to the Administrative Appeals Tribunal.

Enforcement and penalties under the Privacy Act 1988 (Cth)

Failure to comply with obligations under the mandatory data breach notification regime will be deemed to be an interference with the privacy of an individual and a breach of the Privacy Act 1988 (Cth) (the Act). This will engage the Privacy Commissioner’s enforcement powers under the Act, as well as the relevant penalties it provides.