Australian Government - Office of the Australian Information Commissioner

Australians better protected with mandatory data breach notification

The Australian Privacy Commissioner, Timothy Pilgrim, has welcomed the mandatory data breach notification laws announced by the Attorney-General the Hon Mark Dreyfus QC MP today. The proposed laws, to commence on 12 March 2014, require notification of serious data breaches that will result in a real risk of serious harm.

‘I have supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the Australian Law Reform Commission in 2008. Currently there is no legal requirement in Australia for government agencies or private sector organisations to notify individuals when a data breach occurs, except in limited circumstances under eHealth laws,’ said Timothy Pilgrim, Australian Privacy Commissioner.

‘Without notification, people affected by serious data breaches are unable to take mitigating steps to protect their personal information — steps which only they may be able to take, such as cancelling credit cards or requesting a new Medicare number,’ Mr Pilgrim said.

‘The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years,’ Mr Pilgrim noted.

Despite this upward trend, the Office of the Australian Information Commissioner (OAIC) only received 46 data breach notifications in the 2011–12 financial year, an 18% decrease from the previous year.

‘I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised,’ Mr Pilgrim said.

‘There are real incentives for agencies and organisations to notify of a privacy breach. Apart from being good privacy practice, it can also engender consumer trust, reduce the cost of dealing with a data breach and mitigate reputational damage.’

‘All agencies and organisations must embed a culture that values and respects privacy. Mandatory data breach notification will go some way to achieving this. It will also complement other privacy law reforms due to commence in March 2014 that will require agencies and organisations to implement new practices, procedures and systems to ensure compliance with the Privacy Act.’

‘In my view, mandatory data breach notification will also lead to better public understanding of the scope and frequency of data breaches, and encourage greater privacy awareness,’ Mr Pilgrim said.

Since 2008, organisations have been encouraged to use the OAIC’s guide on voluntary data breach notification to assess how to handle a privacy breach. Earlier this month the OAIC released a guide to information security to help agencies and organisations comply with information security requirements under the Privacy Act.

For interview requests: Angela Wong     0407 663 968

Notes to editors

The OAIC’s guidance on voluntary data breach notification, Data Breach Notification: A guide to handling personal information security breaches, can be accessed here:

The OAIC’s Guide to information security: ‘Reasonable steps’ to protect personal information can be accessed here:

More information about the privacy reforms can be accessed on the OAIC website:

Stay in touch with the OAIC by subscribing to:

  • OAICnet — a mailing list for general updates about the OAIC’s activities
  • Privacy Connections — a network for business privacy contact officers: