Australia

A company experienced a serious data breach but didn't report it to the Privacy Commissioner. What happens?

Max penalty: $2.1 million
Notification deadline: 30 days
Threshold test: Serious harm
Regulator: OAIC

The Short Answer

The company may face a civil penalty of up to $2.1 million for failing to notify the OAIC of an eligible data breach under the Privacy Act.

What the Law Says

Under Australia’s Privacy Act, organisations must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an 'eligible data breach' occurs.

An eligible data breach happens when there is unauthorised access to, or unauthorised disclosure of, personal information — or loss of personal information — that is likely to result in serious harm to any of the individuals to whom the information relates.

Once an organisation becomes aware that a data breach has occurred and that it is likely to result in serious harm, it must assess the breach within 30 days. If it confirms the breach is eligible, it must notify the OAIC and affected individuals as soon as practicable.

Failure to comply with this requirement is an 'interference with the privacy of an individual' under the Privacy Act — which exposes the organisation to enforcement action and civil penalties.

Statutory Text

An entity must give a statement to the Information Commissioner about an eligible data breach as soon as practicable after the entity becomes aware that the breach has occurred.

Privacy Act 1988 (Cth), s. 26WE(1) — Notifying the Information Commissioner

Statutory Text

A civil penalty of up to 2,500 penalty units ($2.1 million) applies for serious or repeated interferences with privacy.

Privacy Act 1988 (Cth), s. 13G — Civil penalties

What to Do

1. Assess whether the breach meets the definition of an 'eligible data breach' within 30 days of becoming aware of it.

2. If eligible, prepare a notification statement including: description of the breach, types of information involved, and recommended steps individuals can take.

3. Notify the OAIC via the Notifiable Data Breaches (NDB) form on the OAIC website.

4. Notify affected individuals directly — unless OAIC approval is obtained to notify publicly instead.

5. Review and update data security practices to prevent future breaches and document remediation steps.

Sources

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.