The OAIC generally will not comment publicly about the content of data breach notifications.

Where a particular incident is of community concern and has already been reported in the media, we may confirm publicly that we have received a notification or are investigating or making inquiries into the matter. We will generally not comment further until the investigation or our inquiries are complete.

We may also comment publicly on a matter where there is public interest in us doing so, for example, to enable members of the public to respond to a data breach.

There is no specific provision that provides for the OAIC to make available a list of names of organisations that notify data breaches. The NDB scheme does have specific provisions regarding how organisations must notify individuals at likely risk of serious harm from a data breach and the OAIC. Accordingly, the OAIC will not generally disclose a list of names of organisations that notify data breaches.

Some investigations can be finalised quickly, but some take longer because of the type of inquiries and the volume of material that needs to be reviewed. We aim to finalise all investigations as quickly as possible.

Where the Commissioner makes a determination, a decision will be published. If the Commissioner takes proceedings for civil penalties, the Commissioner will file a statement of claim.

There’s more information on Commissioner-initiated investigations, including our approach to publication, in our Guide to Privacy Regulatory Action.

Section 80W of the Privacy Act 1988 empowers the Commissioner to apply to the FederalCourt or Federal Circuit Court for an order that an entity that is alleged to have contravened a civil penalty
provision in that Act pay the Commonwealth a penalty.

Under section 13G of the Privacy Act, since 13 December 2022 the maximum penalty for serious or repeated interferences with privacy are:

• for a body corporate, the greater of either:
  • $50million; or
  • the value of any benefit the relevant court has determined that the body corporate, or any body corporate related to it, has obtained directly or indirectly that is reasonably attributable to the contravention, multiplied by three;
  • or if the court cannot determine the value of that benefit, 30% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.
• for a person other than a body corporate, the maximum penalty amount is $2.5million.

The Federal Court or Federal Circuit Court ultimately determines the penalty awarded, taking into account matters including:

• the nature and extent of the contravention
• the nature and extent of any loss or damage suffered because of the contravention
• the circumstances in which the contravention took place
• whether the person has previously been found by a court to have engaged in any similar conduct.

There is more information on civil penalties, including provisions in other legislative frameworks, in our Guide to Privacy Regulatory Action.