Under the Privacy Act 1988, the Commissioner may on their own initiative decide to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP1 (s 40(2)).
The OAIC considers a range of factors in prioritising matters for privacy regulatory action and selecting the most appropriate power in the circumstances. The primary objective when undertaking a Commissioner-initiated investigation (CII) is to improve the privacy practices of investigated entities and the regulated community generally.
When deciding whether to commence a CII, the OAIC will consider the factors identified in our Privacy Regulatory Action Policy, CDR Regulatory Action Policy and strategic regulatory priorities. The Commissioner will also consider the specific and general educational, deterrent or precedential value of commencing a CII, and whether it presents an opportunity to provide guidance to industry, government or the public on better privacy practice and acceptable privacy standards.
The Commissioner may also consider whether the entity has complied with Notifiable Data Breaches (NDB) scheme requirements and taken appropriate steps to respond to a data breach and prevent its recurrence. Compliance under the NDB scheme does not prevent the OAIC taking further regulatory action where the breach arises from non-compliance with other requirements under the Privacy Act.
In conducting a CII we seek to work cooperatively with the parties concerned. In many cases, however, the Commissioner may also use the formal powers conferred by the Privacy Act to require an individual or entity to provide information and documents.
Following a CII, the Commissioner may decide to take enforcement action against an entity, such as:
- accepting an enforceable undertaking
- bringing proceedings to enforce an enforceable undertaking
- making a determination
- bringing proceedings to enforce a determination
- reporting to the Minister
- applying to the court for a civil penalty order for a breach of a civil penalty provision.
In line with our Privacy Regulatory Action Policy, we generally will not comment publicly about an ongoing CII until the investigation is complete, unless there is a public interest in doing so.
CIIs opened since July 2021
| Investigation focus | Date opened | Status |
| --- | --- | --- |
| Medlab | 5 December 2022 | Ongoing |
| Medibank | 1 December 2022 | Ongoing |
| Optus | 11 October 2022 | Ongoing |
| Bunnings and Kmart | 12 July 2022 | Ongoing |
| Optus | 2 August 2021 | Ongoing |