Statutory framework and entities covered by the NDB scheme
Australia's mandatory data breach notification regime operates under Part IIIC of the Privacy Act 1988 (Cth), known as the Notifiable Data Breaches (NDB) scheme. The scheme commenced on 22 February 2018 following enactment of the Privacy Amendment (Notifiable Data Breaches) Act 2017. It requires covered entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to any individual whose personal information is involved.
Entities covered by the NDB scheme
The NDB scheme applies to entities that have obligations under Australian Privacy Principle 11 (APP 11) to secure personal information they hold. Section 26WE(1)(a) of the Privacy Act defines covered entities as "APP entities," which include:
- Australian Government agencies, irrespective of size or annual turnover
- Private sector and not-for-profit organisations with an annual turnover exceeding AU$3 million
- Private sector health service providers, regardless of turnover (defined under section 6C(1) of the Privacy Act)
- Credit reporting bodies regulated under Part IIIA of the Privacy Act
- Credit providers that hold credit eligibility information
- Entities that trade in personal information, even if small businesses
- Tax file number (TFN) recipients in possession or control of records containing TFNs (section 11 of the Privacy Act)
Small businesses (annual turnover of AU$3 million or less) are generally exempt from the Privacy Act and the NDB scheme, with key exceptions: they must comply when they are health service providers, when they trade in personal information, when they provide services under a Commonwealth contract, or when they hold tax file numbers. Entities that have Privacy Act security obligations only in relation to specific types of information—for example, a small business required to secure TFN information—need only notify about data breaches affecting information within the scope of their Privacy Act obligations, not other categories of data they hold.
Recent extensions
The Digital ID Act 2024 extended Part IIIC to accredited entities that are not APP entities when providing accredited services, with an exception for State or Territory agencies covered by a comparable data breach notification scheme (section 40 of the Digital ID Act). Additionally, section 37 of the Data Availability and Transparency Act 2022 (DAT Act) applies the NDB scheme to data custodians of public sector data when they have shared personal information with or through an accredited entity, effectively making the data custodian responsible for assessing and notifying breaches involving personal information held by the accredited entity.
The regulator
The OAIC, led by the Australian Information Commissioner, administers the NDB scheme. The Commissioner has statutory functions under Part IIIC to provide guidance on compliance, monitor data breach reporting, and investigate breaches of notification obligations as potential interferences with privacy under section 40 of the Privacy Act. The Commissioner may also issue notices under section 26WU requiring production of information or documents from any person or entity regarding actual or suspected eligible data breaches.
Source: Privacy Act 1988 (Cth), Part IIIC
Source: Privacy Amendment (Notifiable Data Breaches) Act 2017
Source: OAIC, About the Notifiable Data Breaches scheme
Source: OAIC, Part 4: Notifiable Data Breach (NDB) Scheme
The "serious harm" likelihood test — section 26WE eligible data breach trigger
A data breach becomes an eligible data breach under section 26WE(2) of the Privacy Act 1988 (Cth) only when "a reasonable person would conclude" that the unauthorised access, unauthorised disclosure, or loss of personal information "would be likely to result in serious harm to any of the individuals to whom the information relates." This two-limb test—reasonable person + likely serious harm—is the statutory gatekeeper for notification obligations under Part IIIC.
The reasonable-person standard
The Act employs an objective standard: whether a reasonable person in the entity's position, on the basis of information available to the entity (either directly or following reasonable inquiries), would conclude that serious harm is likely. An entity cannot avoid notification by subjectively failing to recognise the risk if a reasonable person would have identified it. Conversely, notification is not required for harms that a reasonable person would not foresee, even if the entity is unusually risk-averse. The Explanatory Memorandum to the Privacy Amendment (Notifiable Data Breaches) Act 2017 clarifies that this standard ensures entities are not held to a standard of foresight beyond what was objectively reasonable at the time of assessment.
"Serious harm" — kinds contemplated
The Privacy Act does not exhaustively define "serious harm," but the Explanatory Memorandum indicates Part IIIC is "expected to predominantly require notification of eligible data breaches where a reasonable person would conclude that there is a likely risk of serious financial, economic or physical harm to individuals." However, the Memorandum explicitly states that "the likelihood of other kinds of serious harm (such as serious emotional or psychological harm, or serious harm to reputation) cannot be ruled out, especially for eligible data breaches involving health information, other forms of 'sensitive information' as defined in section 6(1) of the Privacy Act, or other information that would be considered 'sensitive' according to the ordinary meaning of the term."
The OAIC has further noted that "serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach." Minor inconvenience, short-lived embarrassment, or low-value fraud exposures typically fall below the threshold.
Section 26WG — relevant matters for assessing likelihood of serious harm
Section 26WG provides a non-exhaustive list of factors an entity must consider when determining whether serious harm is likely. The statute directs entities to have regard to:
- The kinds of information involved — sensitivity, volume, and completeness of records (e.g., a full identity profile versus an email address alone).
- Security measures protecting the information — whether the data was encrypted or otherwise rendered unintelligible to unauthorised persons, and the likelihood that those security measures (such as encryption) could be overcome by the threat actor who obtained access.
- The persons or kinds of persons who have obtained or could obtain the information — whether the recipient is a malicious actor, an organised crime syndicate, a hostile state, or a member of the public who stumbled upon the data and has no apparent motive to misuse it.
- The nature of the harm that could result — physical danger, identity theft, financial fraud, discriminatory treatment, reputational injury, or psychological distress.
- Any other relevant matter — the list is illustrative, not closed.
The OAIC guidance emphasises that if information is protected by a security technology or methodology that "was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information," an entity must assess whether the recipient has the intention and technical capability to circumvent that security. High-standard encryption that remains unbroken may reduce the likelihood of serious harm to the point that no eligible data breach exists, as section 26WE(2)(b)(ii) provides that a loss of personal information does not trigger notification if "unauthorised access to, or unauthorised disclosure of, the information is not likely to occur."
"Likely" versus "possible"
The Act requires that serious harm be "likely," not merely possible or conceivable. The Explanatory Memorandum does not numerically quantify this standard, and the OAIC has not published a percentage threshold. Case-by-case assessment is required, but the threshold is deliberately higher than a de minimis or speculative risk. Entities should weigh the probability of harm materialising (taking into account remedial action) and the severity of the harm if it does occur. The "likely" standard does not demand certainty or a balance-of-probabilities finding for each individual at risk; it requires a reasonable conclusion that serious harm to at least one individual is a probable outcome of the breach.
Interaction with remedial action — section 26WF
If an entity takes remedial action after a data breach and, as a result, "a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the individuals to whom the information relates," section 26WF(1)(e) provides that the breach "is not, and is taken never to have been, an eligible data breach." Remedial action that successfully brings the likelihood of serious harm below the statutory threshold thus extinguishes the notification duty. Examples include remotely wiping a lost device, invalidating compromised credentials, or securing the return and verified destruction of misdirected records before any misuse occurs.
Source: Privacy Act 1988 (Cth), ss 26WE, 26WG, 26WF
Source: Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Act 2017, paras 37–42, 58
Source: OAIC, Part 4: Notifiable Data Breach (NDB) Scheme
Source: OAIC submission to NSW Inquiry into Cybersecurity
Notification timeline and mandatory content — sections 26WK and 26WL "as soon as practicable" requirement
Once an entity is aware that there are reasonable grounds to believe that an eligible data breach has occurred, Part IIIC of the Privacy Act 1988 (Cth) imposes two parallel notification duties: a statement to the Office of the Australian Information Commissioner (OAIC) under section 26WK, and notification to affected individuals (or publication in certain circumstances) under section 26WL. Both must be completed "as soon as practicable" after the entity becomes aware of the reasonable grounds to believe an eligible data breach has happened.
The trigger — when the clock starts
The notification obligations under sections 26WK and 26WL apply when an entity "is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity." This awareness can arise in two ways:
- Direct awareness: The entity directly forms the view, on the basis of information available to it, that there are reasonable grounds to believe an eligible data breach has occurred (e.g., forensic evidence confirms unauthorised exfiltration of unencrypted customer records by a malicious actor).
- Post-assessment awareness: The entity completes a mandatory assessment under section 26WH(2) of a suspected eligible data breach and concludes, at the end of that assessment, that reasonable grounds exist. Section 26WI provides that if an entity has not completed its assessment within 30 days after the entity became aware of the suspected eligible data breach, the entity is taken to be aware that there are reasonable grounds to believe an eligible data breach has occurred. This statutory 30-day cap prevents entities from delaying notification through protracted investigation; if the assessment is not finished within 30 days, notification is triggered by operation of law.
Section 26WK — statement to the Commissioner
Section 26WK(2) requires the entity to prepare a statement about the eligible data breach and give a copy to the Commissioner "as soon as practicable" after the entity becomes aware of the reasonable grounds. The Privacy Act does not define "as soon as practicable," but the OAIC guidance and the Explanatory Memorandum to the Privacy Amendment (Notifiable Data Breaches) Act 2017 emphasise that this is an objective standard requiring urgency. Entities should notify within days, not weeks, once the reasonable-grounds threshold is met. Delays solely to gather additional detail beyond what is required by section 26WK(3), or to consult legal counsel on liability exposure, are generally inconsistent with the "as soon as practicable" standard.
The statement must set out the following matters under section 26WK(3):
- (a) The identity and contact details of the entity (organisation or agency name; telephone, email, or postal contact; if the entity's legal name differs from its trading name, the OAIC recommends including both to assist individuals in recognising the notifying entity).
- (b) A description of the eligible data breach. The OAIC expects sufficient detail to enable affected individuals to assess the consequences and take protective action. This includes the nature of the unauthorised access, disclosure, or loss (e.g., ransomware encryption and exfiltration, misconfigured cloud storage bucket publicly accessible for a period, lost unencrypted laptop); the approximate date or date range when the breach occurred and when it was discovered; and the categories of personal information involved (e.g., names, dates of birth, driver licence numbers, health records, financial account details).
- (c) The kinds of information concerned. This overlaps with (b) but focuses on data types: whether the breach involved sensitive information as defined in section 6(1) of the Privacy Act (health information, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, criminal records), tax file numbers, financial credentials, identity documents, or other categories.
- (d) Recommendations about the steps individuals should take in response to the eligible data breach. These should be specific and actionable. Examples include monitoring financial accounts for fraudulent transactions, placing a fraud alert or credit ban on credit reporting files, changing passwords or PINs, contacting the entity's dedicated breach response line, or watching for phishing attempts that reference the breach. The OAIC guidance notes that if the entity has already taken protective steps (such as suspending compromised accounts, issuing replacement credentials, or implementing enhanced monitoring), the statement should explain those measures and tailor the recommendations accordingly.
Section 26WK(4) provides that if the entity has reasonable grounds to believe the eligible data breach is also an eligible data breach of one or more other entities (for example, a shared IT service provider suffers a breach affecting multiple client entities), the statement may set out the identity and contact details of those other entities.
Section 26WL — notification to individuals
Section 26WL(2) requires the entity to take reasonable steps to notify the contents of the statement (prepared under section 26WK(3)) to each of the individuals to whom the relevant information relates, or if it is not practicable to notify each individual, to publish the contents of the statement on the entity's website (if any) and take reasonable steps to publicise the contents in a way that is reasonably likely to bring them to the attention of affected individuals. The entity must comply with this requirement "as soon as practicable after the completion of the preparation of the statement" (section 26WL(3)).
In practice, entities typically notify individuals and the OAIC concurrently or near-concurrently. The OAIC has stated that notification to individuals should not be unduly delayed in order to finalise every detail of the statement; the "as soon as practicable" standard applies once the section 26WK(3) content is ready. Methods of notification include direct email (if email addresses are available and not themselves compromised), postal mail, SMS, telephone contact, or app-based alerts. For large-scale breaches where individual contact details are unavailable or notification would be disproportionately burdensome, publication and media publicity (e.g., press release, social media posts, notice on the entity's homepage) may satisfy the section 26WL(2) alternative pathway.
Statutory consequence of non-compliance
Section 13(4A) of the Privacy Act provides that a contravention of the section 26WK(2) duty to prepare and give the statement to the Commissioner, or the section 26WL(3) duty to notify individuals, is taken to be an act that is an interference with the privacy of an individual. This triggers the OAIC's enforcement powers under Part V of the Privacy Act, including investigation, determination, and the Commissioner's power to seek civil penalties in the Federal Court. The OAIC may also issue a notice under section 26WU requiring the entity to produce information or documents about the suspected breach, and non-compliance with such a notice is itself an interference with privacy.
Interaction with the 30-day assessment cap
The 30-day cap under section 26WI applies to the assessment stage under section 26WH(2); it does not extend the notification timeline under sections 26WK and 26WL. If an entity is directly aware of reasonable grounds to believe an eligible data breach has occurred—without the need for further assessment—the "as soon as practicable" clock starts immediately. Conversely, if an entity conducts a mandatory assessment but does not reach a conclusion within 30 days, section 26WI deems the entity to be aware of reasonable grounds at the end of the 30-day period, and notification must then occur as soon as practicable. The OAIC guidance emphasises that entities should not treat the 30-day assessment period as a safe harbour; if reasonable grounds crystallise before day 30, notification is due at that earlier point.
Exceptions
Part IIIC contains several exceptions to the notification duties. Notably:
- Section 26WM: If another entity has already notified the same eligible data breach in compliance with sections 26WK and 26WL, the second entity is not required to duplicate notification (common in shared-service-provider scenarios).
- Section 26WN: Notification is not required if it would be likely to prejudice enforcement-related activities conducted by or on behalf of an enforcement body, provided the entity has consulted the relevant enforcement body.
- Section 26WP: Notification is not required to the extent it would be inconsistent with a secrecy provision in another Commonwealth, State, or Territory law (narrow carve-out; the OAIC guidance notes this will rarely apply because most secrecy provisions permit disclosure required by law).
- Section 26WQ: The Commissioner may, on application by the entity or on the Commissioner's own initiative, issue a written declaration that the section 26WK statement and/or section 26WL notification is not required, or that notification to individuals is delayed for a specified period, if satisfied it is reasonable in the circumstances (e.g., at the request of law enforcement to avoid tipping off a cybercrime investigation). Entities considering a section 26WQ application should lodge it as soon as practicable after becoming aware of the eligible data breach.
Source: Privacy Act 1988 (Cth), ss 26WH, 26WI, 26WK, 26WL, 26WM, 26WN, 26WP, 26WQ, 13(4A)
Source: OAIC, Part 4: Notifiable Data Breach (NDB) Scheme
Source: OAIC, Chapter 11: Data breach incidents (Guide to Privacy Regulatory Action)
Mandatory assessment obligation — section 26WH "reasonable and expeditious" duty and 30-day cap
When an APP entity becomes aware of reasonable grounds to suspect that an eligible data breach may have occurred, section 26WH(1) of the Privacy Act 1988 (Cth) triggers a mandatory assessment obligation—a distinct statutory duty that sits between initial detection and the notification obligations under sections 26WK and 26WL. This assessment stage is the entity's formal investigation into whether the suspected breach crosses the "likely serious harm" threshold under section 26WE, and failure to conduct it in a reasonable and expeditious manner carries independent civil penalties, as demonstrated in the October 2025 Australian Clinical Labs decision, which imposed a penalty of AU$800,000 for the breach of section 26WH(2) alone.
The trigger — "aware of reasonable grounds to suspect"
Section 26WH(1) requires an assessment when an entity "is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity." This is an objective standard. The OAIC guidance clarifies that whether an entity is "aware" is determined by how a reasonable person who is properly informed would be expected to act in the circumstances. If a person responsible for compliance, or personnel with appropriate seniority within the entity, is aware of information suggesting a suspected breach, the assessment duty is triggered. An entity cannot unreasonably delay an assessment by waiting until its CEO or board becomes aware of information that would otherwise trigger reasonable suspicion within the organisation.
The "reasonable grounds to suspect" threshold is lower than the "reasonable grounds to believe" standard required for notification under sections 26WK and 26WL. An entity should commence a section 26WH assessment if it experiences a data breach—unauthorised access, unauthorised disclosure, or loss of personal information—and is aware of anything that, from the viewpoint of a reasonable person in the entity's position, would give rise to reasonable grounds to suspect that the incident was an eligible data breach (meaning likely to result in serious harm to at least one individual). The OAIC's January to June 2022 NDB Report illustrates the trigger point: an entity became aware of a ransomware attack that encrypted files on its corporate network, though it did not initially know which files were affected. At that initial point, the entity had reasonable grounds to suspect an eligible data breach and was required to commence a section 26WH assessment.
Section 26WH(2) — the "reasonable and expeditious" standard
Once the trigger fires, section 26WH(2)(a) requires the entity to carry out "a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity." The Privacy Act does not prescribe how entities should conduct this assessment, and entities may develop their own procedures tailored to the nature of the suspected breach. However, the dual statutory criteria—"reasonable" and "expeditious"—impose objective constraints.
"Reasonable" means the assessment must be thorough enough to produce an evidence-based conclusion about whether serious harm is likely, having regard to the section 26WG factors (kinds of information involved, security measures protecting the information, persons who have obtained or could obtain the information, nature of the harm). The OAIC expects the level of effort and resources devoted to an assessment to be proportionate to the likelihood that an eligible data breach has occurred and its apparent severity. A reasonable assessment typically involves forensic investigation to determine the scope and duration of unauthorised access, identification of the categories and volume of personal information involved, and analysis of whether security measures such as encryption were in place and likely to withstand the threat actor's capabilities.
"Expeditious" means without undue delay. The OAIC has repeatedly emphasised that entities should not adopt a fixed-method or sequential approach to assessment and response that unnecessarily prolongs the timeline. The January to June 2023 NDB Report documented a case in which an entity undertook a forensic investigation and then, only upon its conclusion, commenced cross-checking and validation exercises to identify the exfiltrated personal information. This sequential approach delayed notification to affected individuals by five months and increased their risk of harm. Best practice, the OAIC states, is to conduct the forensic investigation and the section 26WH assessment in parallel, enabling entities to quickly identify reasonable grounds to believe an eligible data breach has occurred and to notify affected individuals promptly.
The 30-day cap — section 26WH(2)(b) and deemed awareness under section 26WI
Section 26WH(2)(b) requires the entity to "take such steps as are reasonable in the circumstances to ensure that the assessment is completed within 30 days" after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach. The 30-day period is measured in calendar days from the date the entity became aware of the reasonable grounds to suspect—not from the date the breach occurred, nor from the date the entity commenced its assessment.
The OAIC expects entities to treat 30 days as a maximum time limit and to endeavour to complete the assessment in a much shorter timeframe, because the risk of serious harm to individuals often increases with time. Where an entity genuinely cannot complete an assessment within 30 days despite taking all reasonable steps, the OAIC recommends the entity document the reasons and be prepared to demonstrate what reasonable steps were taken and why the assessment could not be completed within the statutory period.
Section 26WI — deemed awareness and the statutory backstop
If an entity has not completed its assessment within 30 days after becoming aware of the reasonable grounds to suspect an eligible data breach, section 26WI provides that the entity is taken to be aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity. This deemed-awareness provision is a statutory backstop that prevents entities from indefinitely delaying notification through protracted investigation. Once section 26WI deems the entity to be aware of reasonable grounds to believe, the notification obligations under sections 26WK and 26WL are triggered immediately, and the entity must prepare and give the statement to the Commissioner and notify affected individuals "as soon as practicable."
The OAIC guidance in the July to December 2022 NDB Report advises that where an entity is unable to complete its assessment promptly and within 30 days, and there are grounds to suspect an eligible data breach may have occurred, the entity should consider erring on the side of caution and notifying affected individuals and the OAIC rather than allowing the section 26WI deemed-awareness provision to apply by default.
The Australian Clinical Labs precedent — AU$800,000 penalty for section 26WH(2) breach
On 9 October 2025, the Federal Court in Australian Information Commissioner v Australian Clinical Labs Limited imposed a civil penalty of AU$800,000 for ACL's failure to carry out a reasonable and expeditious assessment following the February 2022 cyberattack on the Medlab Pathology IT systems, in contravention of section 26WH(2). This was in addition to AU$800,000 for failure to notify the Commissioner under section 26WK(2) and AU$4.2 million for failure to secure personal information under Australian Privacy Principle 11.1.
Justice Halley found that ACL's contraventions were "extensive and significant" and noted that ACL's most senior management were involved in decision-making around the response to the cyberattack, including whether it amounted to an eligible data breach. The penalty for the section 26WH(2) breach sent a clear signal, as the OAIC stated in its media release, that entities holding sensitive data "need to undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately."
The penalties were imposed under the regime in force at the time of the contraventions (before 13 December 2022), with a maximum of AU$2.22 million per contravention. Under the penalty regime introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced on 13 December 2022, the maximum penalty for a body corporate for a serious or repeated interference with privacy under section 13G is now AU$50 million, three times the benefit obtained, or 30% of adjusted turnover—meaning future section 26WH(2) breaches could attract substantially higher penalties.
Interaction with the notification timeline
The 30-day assessment cap under section 26WH does not extend the notification timeline under sections 26WK and 26WL. If an entity is directly aware of reasonable grounds to believe an eligible data breach has occurred—without the need for further assessment—the notification clock starts immediately and the "as soon as practicable" standard applies. The mandatory assessment obligation under section 26WH applies only when an entity suspects but does not yet have grounds to believe. Once the assessment concludes that there are reasonable grounds to believe an eligible data breach has occurred (or when the 30-day cap expires and section 26WI deems such awareness), notification must occur as soon as practicable. Delays for the purpose of gathering additional contextual detail, consulting legal counsel on liability exposure, or finalising public relations messaging are generally inconsistent with both the "expeditious" assessment standard and the "as soon as practicable" notification standard.
OAIC enforcement determinations on section 26WH
The OAIC's July to December 2023 NDB Report referenced two determinations that clarified the Commissioner's position on two aspects of section 26WH: when an entity forms a reasonable suspicion triggering the assessment duty, and what may point to a failure to conduct an "expeditious" assessment—such as delays in the entity's own investigation, delays in engaging and managing third-party forensic services, or delays in assessing the personal information involved. Both entities lacked data breach response plans before the breaches occurred, and the Commissioner ordered them to develop plans addressing specified matters, including insurance coverage details and incident-response protocols. The OAIC emphasised that entities should have a considered and up-to-date data breach response plan in place to enable prompt compliance with the section 26WH assessment duty.
Source: Privacy Act 1988 (Cth), ss 26WH, 26WI
Source: OAIC, Part 4: Notifiable Data Breach (NDB) Scheme
Source: OAIC, Notifiable Data Breaches Report: July to December 2023
Source: OAIC, Notifiable Data Breaches Report: January to June 2022
Source: OAIC, Notifiable Data Breaches Report: July to December 2022
Source: OAIC, Australian Clinical Labs ordered to pay penalties, 9 October 2025
Enforcement powers, civil penalties, and OAIC regulatory action — sections 13G, 13H, and 80U
The Office of the Australian Information Commissioner (OAIC) enforces Part IIIC of the Privacy Act 1988 (Cth) through investigation, determination, and civil penalty proceedings in the Federal Court. A contravention of the notification obligations under sections 26WH(2) (failure to conduct a reasonable and expeditious assessment of a suspected eligible data breach), 26WK(2) (failure to prepare and give a statement to the Commissioner about an eligible data breach), or 26WL(3) (failure to notify affected individuals) is deemed by section 13(4A) to be an interference with the privacy of an individual, subjecting the entity to the full range of Privacy Act enforcement mechanisms.
Civil penalty provisions — sections 13G and 13H
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced on 13 December 2022, introduced a two-tier civil penalty regime for privacy breaches. Section 13G applies to serious or repeated interferences with privacy (the higher tier), while section 13H applies to interferences with privacy that do not meet the section 13G threshold (the mid-tier). The Commissioner may apply to the Federal Court under section 80U(2) for a civil penalty order; such applications must be made within six years of the alleged contravention.
Section 13G — serious or repeated interference with privacy
Section 13G is a civil penalty provision that applies when an entity engages in conduct that constitutes a serious interference with the privacy of an individual, or repeated interferences with the privacy of individuals. For bodies corporate, the maximum penalty under section 13G is the greater of:
- AU$50 million;
- Three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate that is reasonably attributable to the conduct constituting the contravention; or
- If the court cannot determine the value of that benefit, 30% of the body corporate's adjusted turnover during the breach turnover period (minimum 12 months) for the contravention.
For individuals (persons other than bodies corporate), the maximum penalty is AU$2,500,000 per contravention. The OAIC guidance in Chapter 7 of the Guide to Privacy Regulatory Action confirms that where an entity contravenes section 13G multiple times, the court may award a single civil penalty order, but the amount of that penalty cannot exceed the sum of the maximum penalties that could be ordered if a separate civil penalty order were made for each contravention.
Section 13H — interference with privacy of individuals (mid-tier)
Section 13H creates a mid-tier civil penalty provision for interferences with privacy that are not captured by section 13G. The maximum penalty for bodies corporate is AU$2,500,000 per contravention, and for individuals 500 penalty units per contravention. The Australian Government, in its response to the Privacy Act review report, agreed that section 13G should be amended to remove the word "repeated" and clarify that a "serious" interference can include repeated interferences with privacy, and that section 13H should cover interferences that do not meet the threshold of being "serious."
First-ever civil penalties — Australian Clinical Labs decision
On 9 October 2025, the Federal Court ordered Australian Clinical Labs Limited (ACL) to pay AU$5.8 million in civil penalties in relation to a February 2022 data breach at its Medlab Pathology business that resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals. This was the first time civil penalties had been ordered under the Privacy Act. Justice Halley imposed:
- AU$4.2 million for ACL's failure to take reasonable steps to protect personal information under Australian Privacy Principle 11.1, amounting to more than 223,000 contraventions of section 13G(a);
- AU$800,000 for ACL's failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack, in contravention of section 26WH(2); and
- AU$800,000 for ACL's failure to prepare and give to the Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of section 26WK(2).
Justice Halley found the contraventions were "extensive and significant" and noted that ACL's most senior management had been aware of the risks. The penalties were imposed under the penalty regime in force at the time of the contraventions (before 13 December 2022), with a maximum penalty of AU$2.22 million per contravention. The OAIC noted that the new penalty regime that came into force on 13 December 2022 allows the Court to impose much higher penalties, with maximum penalties per contravention of up to AU$50 million, three times the benefit, or 30% of adjusted annual turnover.
Optus enforcement action — section 13G allegations
On 8 August 2025, the Australian Information Commissioner filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited following the September 2022 data breach, which involved unauthorised access to the personal information of approximately 9.5 million current, former, and prospective customers and the subsequent release of some of this information on the dark web. The Commissioner alleges that from on or around 17 October 2019 to 20 September 2022, Optus seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure, in breach of the Privacy Act. The Commissioner alleges one contravention for each of the approximately 9.5 million individuals whose privacy Optus is alleged to have seriously interfered with. Because the alleged contraventions occurred from 17 October 2019 to 20 September 2022, the penalties are subject to the pre-December 2022 regime, with a maximum of AU$2.22 million per contravention. The OAIC confirmed that increased civil penalties of up to AU$50 million came into effect in December 2022, although they do not apply to this case.
OAIC information-gathering powers — section 26WU
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 also introduced section 26WU, which gives the Commissioner power to issue a notice requiring any person or entity to produce information or documents about an actual or suspected eligible data breach. This provision, which commenced on 13 December 2022, supports the OAIC's regulatory role in ensuring timely notification to affected individuals and compliance with the NDB scheme. The OAIC's Notifiable Data Breaches Report: July to December 2022 noted that these new powers are intended to strengthen the NDB scheme and enhance the Commissioner's enforcement powers, and that where appropriate, the Commissioner will use these regulatory powers to ensure compliance.
OAIC regulatory posture
The OAIC has stated that it has identified the security of personal information as a regulatory priority and is prioritising regulatory action that addresses areas where there is the greatest risk of harm to individuals. This includes serious failures to take reasonable steps to protect personal information and failures to comply with the reporting requirements of the NDB scheme, particularly where the OAIC has publicised risks and mitigations. Entities are expected to have established processes in place to ensure an effective response to data breaches and compliance with the requirements of the NDB scheme. The Commissioner's Guide to Privacy Regulatory Action (Chapter 11) confirms that the Commissioner will acknowledge receipt of all data breach notifications but may or may not take action in response, depending on available resources and the Commissioner's evaluation of the extent to which taking action will further the objects of the Privacy Act.
NDB reporting statistics and enforcement trends
The OAIC periodically publishes statistical reports on notifications received under the NDB scheme. In the July to December 2023 reporting period, the OAIC received 483 primary notifications and 121 secondary notifications (a significant increase from 29 secondary notifications in the prior half). The OAIC has noted that most data breaches (88% in the July to December 2022 period) involved the personal information of 5,000 or fewer individuals worldwide, with 62% of notifications affecting 100 or fewer individuals and 43% affecting between 1 and 10 individuals. However, the OAIC has emphasised that large-scale breaches caused by cybersecurity incidents reiterate the importance of entities having measures in place to protect, detect, and respond to the range of cyber threats in the environment. In 2022, there were several large-scale data breaches that impacted millions of Australians' personal information, as well as a 26% increase in breaches overall, demonstrating the high level of community concern about the protection of individuals' personal information.
Source: Privacy Act 1988 (Cth), ss 13(4A), 13G, 13H, 80U
Source: OAIC, Chapter 7: Civil penalties (Guide to Privacy Regulatory Action)
Source: OAIC, Australian Clinical Labs ordered to pay penalties, 9 October 2025
Source: OAIC, OAIC commences Federal Court proceedings against Australian Clinical Labs Limited, 20 February 2024
Source: OAIC, Australian Information Commissioner takes civil penalty action against Optus, 8 August 2025
Source: OAIC, Notifiable Data Breaches Report: July to December 2023
Source: OAIC, Notifiable Data Breaches Report: July to December 2022
Mandatory assessment duty under section 26WH — "reasonable and expeditious" requirement and 30-day cap
When an entity suspects that an eligible data breach may have occurred but does not yet have reasonable grounds to believe that one has occurred, section 26WH(2) of the Privacy Act 1988 (Cth) imposes a mandatory assessment obligation. This obligation sits between the initial suspicion and the notification duties under sections 26WK and 26WL. Failure to conduct the assessment, or to conduct it in a reasonable and expeditious manner, is itself an interference with privacy under section 13(4A) and exposes the entity to civil penalty enforcement under sections 13G and 13H.
Section 26WH(1) — the trigger: reasonable grounds to suspect
The assessment duty is triggered under section 26WH(1) when an entity "is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity." This is a lower threshold than the notification trigger under sections 26WK and 26WL, which requires reasonable grounds to believe an eligible data breach has occurred. The OAIC guidance explains that "reasonable grounds to suspect" means that an entity is aware of anything that objectively—from the viewpoint of a reasonable person in the entity's position—would give rise to reasonable grounds to suspect that an incident was an eligible data breach. An entity's suspicion may be formed by reference to anything relevant to the breach and surrounding circumstances of which the entity is aware.
Whether an entity is "aware" is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances. The OAIC has stated that if the person responsible for compliance, or personnel with appropriate seniority, are aware of information that suggests a suspected breach may have occurred, an assessment should be done. An entity should not unreasonably delay an assessment of a suspected eligible breach by waiting until its CEO or board is aware of information that would otherwise trigger reasonable suspicion within the entity.
Section 26WH(2) — reasonable and expeditious assessment within 30 days
Once the section 26WH(1) trigger is met, section 26WH(2)(a) requires the entity to "carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity." Section 26WH(2)(b) further requires the entity to "take all reasonable steps to ensure that the assessment is completed within 30 days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach."
The Privacy Act does not prescribe how an assessment should be conducted, and the OAIC guidance notes that entities may develop their own procedures. The OAIC suggests a three-stage framework:
- Initiate: Decide whether an assessment is necessary and identify which person or group will be responsible for completing it.
- Investigate: Make inquiries and gather information—this may include forensic analysis, log reviews, interviews with staff, engagement of external cybersecurity experts, and examination of the scope and nature of unauthorised access or exfiltration.
- Evaluate: Consider the information gathered and decide whether there are reasonable grounds to believe an eligible data breach has occurred, applying the section 26WE(2) "likely to result in serious harm" test.
The OAIC expects that the time and effort entities expend in an assessment should be proportionate to the likelihood of the breach and its apparent severity. Entities should treat the 30-day period as a maximum, not a safe harbour, and endeavour to complete assessments in a much shorter timeframe where possible, as the risk of serious harm to individuals often increases with time.
Section 26WI — deemed awareness if the 30-day cap is exceeded
Section 26WI provides that if an entity has not completed the assessment within 30 days after becoming aware of the reasonable grounds to suspect an eligible data breach, the entity is taken to be aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity. This statutory deeming provision triggers the notification obligations under sections 26WK and 26WL, even if the entity has not affirmatively concluded that an eligible data breach occurred. The 30-day cap therefore functions as both a deadline for the assessment and a default rule: if the entity cannot rule out an eligible data breach within 30 days, notification is deemed required.
The OAIC has emphasised that where an entity cannot reasonably complete an assessment within 30 days, it should document this and be able to demonstrate that all reasonable steps have been taken to complete the assessment within that period. However, the OAIC has also made clear that delays caused by an entity's failure to engage external experts promptly, failure to manage third-party service providers effectively, or protracted internal decision-making may point to a failure to conduct an "expeditious" assessment.
Enforcement precedent — Australian Clinical Labs
The first-ever civil penalty decision under Part IIIC involved a breach of section 26WH(2). On 9 October 2025, the Federal Court ordered Australian Clinical Labs Limited (ACL) to pay AU$800,000 in civil penalties for its failure to carry out a reasonable and expeditious assessment following a February 2022 cyberattack on its Medlab Pathology business that involved unauthorised access and exfiltration of personal information of over 223,000 individuals. The Commissioner alleged, and the Court accepted, that by 1 March 2022 ACL had reasonable grounds to suspect that there may have been an eligible data breach, but ACL did not conduct a section 26WH assessment and instead concluded—without adequate investigation—that the incident was not an eligible data breach. The penalty reflected the Court's finding that ACL's failure to conduct the assessment was a serious interference with privacy under section 13G.
The Court's judgment emphasised that ACL's most senior management were involved in the decision-making around the cyberattack response, including whether it amounted to an eligible data breach, and that a reasonable and expeditious assessment would have led to earlier notification and reduced harm to affected individuals. This decision clarifies that the section 26WH(2) obligation is enforceable through civil penalties and that entities must document their assessment process and complete it promptly.
OAIC determinations clarifying the assessment obligation
In October 2023, the OAIC issued two determinations—Datateks Pty Ltd (Privacy) [2023] AICmr 97 and Pacific Lutheran College (Privacy) [2023] AICmr 98—that clarified the Commissioner's position on two aspects of the assessment requirement:
- When reasonable suspicion is formed: An entity forms a reasonable suspicion triggering the section 26WH assessment when it is aware of information that objectively, from the viewpoint of a reasonable person in the entity's position, would give rise to reasonable grounds to suspect an eligible data breach may have occurred. The absence of affirmative evidence of data exfiltration does not conclusively determine that an eligible data breach has not occurred; where an entity cannot confirm whether a malicious actor has accessed, viewed, or exfiltrated data in a compromised environment (for example, following a ransomware attack), there will generally be reasonable grounds to suspect an eligible data breach and an assessment will be required.
- What constitutes an "expeditious" assessment: Delays in concluding an entity's own investigation, engaging and managing third-party cybersecurity or forensic service providers, or assessing the categories of personal information involved may indicate a failure to conduct an expeditious assessment. The determinations noted that neither entity had a data breach response plan in place before the breach occurred, and the Commissioner ordered both entities to develop such plans within a specified timeframe.
The OAIC has stated that given the prevalence of ransomware attacks and other cybersecurity incidents, entities are expected to have appropriate internal practices, procedures, and systems in place to undertake a meaningful section 26WH assessment.
Section 26WJ — record-keeping obligation
Section 26WJ requires an entity that conducts a section 26WH assessment to make a written note of the assessment, the grounds on which the entity formed a reasonable suspicion that there may have been an eligible data breach, and the reasons for the entity's belief at the conclusion of the assessment (whether or not the entity concludes an eligible data breach occurred). This written record must be retained for at least three years after the assessment is completed. The record serves as evidence of compliance with the section 26WH(2) obligation and supports the OAIC's oversight and enforcement functions, including investigations under section 40 of the Privacy Act and information-gathering under section 26WU.
Source: Privacy Act 1988 (Cth), ss 26WH, 26WI, 26WJ, 13(4A), 13G
Source: OAIC, Part 4: Notifiable Data Breach (NDB) Scheme
Source: OAIC, Australian Clinical Labs ordered to pay penalties, 9 October 2025
Source: OAIC, Notifiable Data Breaches Report: July to December 2023