Notify the OAIC and affected individuals of eligible data breaches
Eligible data breaches must be notified to the OAIC and to affected individuals 'as soon as practicable'.
Who must comply
All APP entities (Australian Government agencies and organisations with annual turnover >$3M, plus carved-in entities). Small business exemption is set to be removed by 10 December 2026.
What triggers it
An eligible data breach — unauthorised access/disclosure of personal information likely to cause serious harm.
When due
Notification 'as soon as practicable' after the entity becomes aware that an eligible data breach has occurred. The assessment of a suspected breach must be completed within 30 days.
Evidence required
Breach assessment record, OAIC notification, individual notification, remediation steps log.
Max penalty
Up to $50M, or 3× the benefit obtained, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences.
Summary
Under Part IIIC of the Privacy Act, APP entities must notify the OAIC and affected individuals if there has been an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm. The assessment must be completed within 30 days of the entity becoming aware of the suspected breach. Following the 2024 amendments, a statutory tort for serious invasions of privacy is now actionable.
Enforced by
Office of the Australian Information Commissioner (OAIC).
Source legislation
Privacy Act, Part IIIC (Notifiable Data Breaches scheme).
Source: https://oaic.gov.au/privacy/notifiable-data-breaches. Rules Mate is not a law firm. Always verify against the live regulator source before acting.