Can the Privacy Commissioner fine or prosecute an organisation or individual?

The Privacy Act which took effect in December 2020 gives the Commissioner more powers. The law introduces the criminal offences of misleading an organisation in order to access, use, alter or destroy someone else’s information, or destroying documents containing personal information if a request has been made for it. The penalty is a fine up to $10,000.

You can find out more about our enforcement framework, powers and penalties here.

But generally, the Privacy Commissioner works to settle privacy disputes, often after investigation, and aims to educate people and organisations on how to comply with the Act.

If the dispute can’t be settled, and there’s a serious enough breach of the Act, the Commissioner can refer the case to the Director of Human Rights Proceedings, who will consider whether to take it to the Human Rights Review Tribunal.