When a company in Australia suffers a data breach involving your personal information, you have legal rights. Here is what the law says and how to use it.

The Notifiable Data Breaches (NDB) Scheme

Under the Privacy Act 1988 (Cth), Australian organisations with a turnover above $3 million (and certain smaller organisations) must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm.

This means that if your data is exposed, the company must tell you — not just hope you find out from a news article.

What constitutes “serious harm”?

The OAIC considers serious harm to include financial loss, reputational damage, physical harm, damage to relationships, and psychological harm. Given the scale of recent Australian breaches, a breach exposing your name, address, and government ID numbers would generally meet this threshold.

Your rights under the Australian Privacy Principles (APPs)

The APPs give you the right to:

  • Know what personal information an organisation holds about you
  • Access that information
  • Request correction of inaccurate information
  • Complain if your privacy has been interfered with

How to make a privacy complaint

  1. Complain to the organisation first — By law, you must give the company an opportunity to resolve the complaint internally before approaching the OAIC.
  2. Escalate to the OAIC — If the company fails to respond or resolve within 30 days, you can lodge a complaint at oaic.gov.au. The OAIC can investigate and require remedial action.
  3. Consider legal action — Class actions have been launched following major breaches including Optus and Medibank. Law firms including Maurice Blackburn and Slater and Gordon have run these cases on a no-win-no-fee basis.

What are you entitled to?

Remedies can include an apology, changes to the organisation’s practices, and financial compensation in serious cases. The Medibank class action, for example, is seeking damages for the harm caused by the exposure of sensitive health data.

Check your exposure first

Before pursuing a complaint, it helps to know what has actually been exposed. DataGuard AU’s free breach check gives you a complete picture of your breach history — useful evidence if you do decide to pursue a complaint.
