Publication date: 9 August 2021

Under the Privacy Act 1988, the Commissioner may on their own initiative decide to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP1 (s 40(2)).

The OAIC considers a range of factors in prioritising matters for privacy regulatory action and selecting the most appropriate power in the circumstances. The primary objective when undertaking a Commissioner-initiated investigation (CII) is to improve the privacy practices of investigated entities and the regulated community generally.

When deciding whether to commence a CII, the OAIC will consider the factors identified in our Privacy Regulatory Action Policy, CDR Regulatory Action Policy and strategic regulatory priorities. The Commissioner will also consider the specific and general educational, deterrent or precedential value of commencing a CII, and whether it presents an opportunity to provide guidance to industry, government or the public on better privacy practice and acceptable privacy standards.

The Commissioner may also consider whether the entity has complied with Notifiable Data Breaches (NDB) scheme requirements and taken appropriate steps to respond to a data breach and prevent its recurrence. Compliance under the NDB scheme does not prevent the OAIC taking further regulatory action where the breach arises from non-compliance with other requirements under the Privacy Act.

In conducting a CII we seek to work with the parties concerned. In many cases, the Commissioner may use the formal powers conferred by the Privacy Act to require an individual or entity to provide information and documents.

Following a CII, the Commissioner may decide to take enforcement action against an entity, such as:

  • accepting an enforceable undertaking
  • bringing proceedings to enforce an enforceable undertaking
  • making a determination
  • bringing proceedings to enforce a determination
  • reporting to the Minister
  • applying to the court for a civil penalty order for a breach of a civil penalty provision.

In line with our Privacy Regulatory Action Policy, we generally will not comment publicly about an ongoing CII until the investigation is complete, unless there is a public interest in doing so.

CIIs opened since July 2021

Investigation focus    Date opened         Status
Medlab                 5 December 2022     Ongoing
Medibank               1 December 2022     Ongoing
Optus                  11 October 2022     Ongoing
Bunnings and Kmart     12 July 2022        Ongoing
Optus                  2 August 2021       Ongoing