Australian Government - Office of the Australian Information Commissioner - Home

ARC Mercantile enforceable undertaking

1 September 2016

The Australian Privacy Commissioner has accepted an enforceable undertaking from ARC Mercantile (ARC), following a 2015 data breach that disclosed the personal information of some Optus customers on an external website.

This incident emphasises the importance of not only establishing and implementing privacy processes, but also maintaining these processes to ensure a culture of privacy within the organisation. This includes providing appropriate training to all staff across the organisation on their obligations under the Privacy Act, and ensuring they understand these obligations.

ARC provided a voluntary notification about the data breach in November 2015 and both Optus and ARC took immediate steps in response to the incident.

An enforceable undertaking is a legally enforceable agreement between the Commissioner and an organisation or agency that creates a binding commitment to take steps to ensure privacy compliance.

Under the enforceable undertaking, ARC must complete an independent review of its handling of personal information and implement any recommendations. The full list of requirements is available in the undertaking.