What are the consequences if I breach the Privacy Act?

There can be a number of consequences if you or your agency breach the Privacy Act, from reputational damage to damage to your relationship with staff or clients.

However, in terms of the legal consequences, if you breach one or more privacy principles (or equivalent rules under a code of practice), then any individual who has been affected can make a complaint to us to investigate. When we investigate a complaint, we will attempt to facilitate resolution. However, if we’re unable to help settle the complaint, the legal test we then consider is whether there has been an ‘interference with privacy’.

If we are satisfied there has been an interference with privacy, and are unable to resolve the matter, we may refer the complaint to the Director of Human Rights Proceedings (the Director) so they can bring the case to the Human Rights Review Tribunal (the Tribunal).

Even if we are not satisfied there has been an interference, or we don’t refer the matter to the Director, the individual can take a case to the Tribunal themselves once we have investigated the complaint, if it hasn’t been resolved.

The Tribunal has considered the appropriate range of compensation for breaches of the Privacy Act at length. It is entirely up to the Tribunal whether it awards compensation. Sometimes it does not award damages at all, or only awards a nominal figure. The behaviour of both the plaintiff and the agency can be relevant, as well as the actual harm the plaintiff has suffered.

The Tribunal has said that cases at the less serious end of the spectrum will range up to $10,000, more serious cases can range from $10,000 to around $50,000, and the most serious cases will range from $50,000 upwards. The most the HRRT has awarded so far for a privacy matter is just over $168,000.

If there has been a privacy breach by your agency, you also need to assess whether it is a notifiable privacy breach that should be reported to us. We have a tool to assist you to do that here. Reporting a notifiable privacy breach is a legal requirement, and failure to notify our Office is an offence under section 118 of the Privacy Act 2020.