Newsroom

Search our media releases, articles, interviews and speeches

High Court clears way for OAIC case against Facebook to proceed

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

Media release
Data breach
Privacy

7 March 2023

Cyber security incidents impact data breach risk

Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.

Media release
Data breach
OAIC publication

3 March 2023

OAIC welcomes release of Privacy Act report

The Office of the Australian Information Commissioner welcomes the final report of the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 and encourages interested parties to have their say about privacy reform in

Media release
Legislation
Privacy

16 February 2023

Association of Information Access Commissioners of Australia and New Zealand (AIAC) meeting communique

The Association of Information Access Commissioners (AIAC) met in Wellington, New Zealand, on 7 to 8 December, for its second meeting of 2022, hosted by New Zealand’s Chief Ombudsman, Peter Boshier.

Media release
Event
Information access

21 December 2022

OAIC opens investigation into Medlab over data breach

The Office of the Australian Information Commissioner (OAIC) has commenced an investigation into the personal information handling practices of Medlab Pathology, owned by Australian Clinical Labs, in relation to its notifiable data breach.

5 December 2022

OAIC opens investigation into Medibank over data breach

The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach.

1 December 2022

OAIC completes COVIDSafe oversight

The Office of the Australian Information Commissioner (OAIC) has published its final six‑monthly COVIDSafe privacy report and completed its COVIDSafe assessment program, which examined compliance and risk throughout the ‘information lifecycle’

Media release
Health
Privacy

30 November 2022

OAIC welcomes passing of Privacy Bill

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which enhances the OAIC’s ability to regulate in line with community expectations

29 November 2022

35th LAWASIA Conference

Thank you to Dr Gordon Hughes, Secretary-General of LAWASIA for the invitation to address you today, on the role of information management in maintaining human rights and the rule of law, which is essential to my office’s core functions. And as

Speech
Data breach
Event
Information access
Privacy

18 November 2022

Senate Standing Committees on Legal and Constitutional Affairs Privacy Legislation Amendment Bill 2022 opening statement

The OAIC welcomes the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 as a positive step towards updating Australia’s privacy laws, to ensure we have a regulatory framework that empowers individuals, ensures entities

Speech
Event
Privacy

17 November 2022

The KWM Digital Future Summit

As acknowledged in the description of this session today, the digital landscape presents enormous potential for innovation and reward. But it also presents risks, and we as a society won’t fully realise the rewards unless we deal with the risks.

Speech
Data breach
Event
Privacy

14 November 2022

OAIC data breach report shows key privacy risks

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable data breaches report released today stress the need for organisations to have robust information handling practices and an up-to-date

Media release
Data breach
OAIC publication
Privacy

10 November 2022

OAIC welcomes additional Budget funding

The Office of the Australian Information Commissioner (OAIC) welcomes funding announced in the October 2022-23 Federal Budget to assist its privacy investigations.

Media release
Funding
Privacy

26 October 2022

Advice on Medibank data breach

The Australian Government has released a factsheet to provide information on what to do if your data has been compromised in the recent Medibank and AHM cyber incident.

Media release
Data breach
Health
Privacy

25 October 2022

OAIC making inquiries with Medibank

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank following its cyber incident, to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

Media release
Data breach
Privacy

20 October 2022


FAQs: Notifiable Data Breaches (NDB) scheme

Can you confirm you have been notified of a data breach?

The OAIC generally will not comment publicly about the content of data breach notifications.

Where a particular incident is of community concern and has already been reported in the media, we may confirm publicly that we have received a notification or are investigating or making inquiries into the matter. We will generally not comment further until the investigation or our inquiries are complete.

We may also comment publicly on a matter where there is public interest in us doing so, for example, to enable members of the public to respond to a data breach.

Why don’t you list the names of organisations that have notified data breaches?

There is no specific provision that provides for the OAIC to make available a list of names of organisations that notify data breaches. The NDB scheme does have specific provisions regarding how organisations must notify individuals at likely risk of serious harm from a data breach and the OAIC. Accordingly, the OAIC will not generally disclose a list of names of organisations that notify data breaches.

FAQs: Commissioner-initiated investigations

Can you advise when an investigation will be completed?

Some investigations can be finalised quickly, but some take longer because of the type of inquiries and the volume of material that needs to be reviewed. We aim to finalise all investigations as quickly as possible.

Will you publish a report on the investigation?

Where the Commissioner makes a determination, a decision will be published. If the Commissioner takes proceedings for civil penalties, the Commissioner will file a statement of claim.

There’s more information on Commissioner-initiated investigations, including our approach to publication, in our Guide to privacy regulatory action.

FAQs: Penalties

What penalties are available to the OAIC for an interference with privacy?

Section 80W of the Privacy Act 1988 empowers the Commissioner to apply to the Federal Court or Federal Circuit Court for an order that an entity that is alleged to have contravened a civil penalty provision in that Act pay the Commonwealth a penalty.

Under section 13G of the Privacy Act, since 13 December 2022 the maximum penalties for serious or repeated interferences with privacy are:

  • for a body corporate, the greater of either:
    • $50 million; or
    • the value of any benefit the relevant court has determined that the body corporate, or any body corporate related to it, has obtained directly or indirectly that is reasonably attributable to the contravention, multiplied by three; or
    • if the court cannot determine the value of that benefit, 30% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.
  • for a person other than a body corporate, the maximum penalty amount is $2.5 million.

The Federal Court or Federal Circuit Court ultimately determines the penalty awarded, taking into account matters including:

  • the nature and extent of the contravention
  • the nature and extent of any loss or damage suffered because of the contravention
  • the circumstances in which the contravention took place
  • whether the person has previously been found by a court to have engaged in any similar conduct.

There is more information on civil penalties, including provisions in other legislative frameworks, in our Guide to privacy regulatory action.

How to contact us if you have a media enquiry or interview request
Photographs of Angelene Falk, Australian Information Commissioner and Privacy Commissioner