Mandatory Breach Reporting and/or Consumer Notification

As soon as practicable
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Written Program for Protection & Security
  • Third Party: Specific Obligations
  • Third Parties: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- Fines up to $2.1 M

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Third Party Management
  • Third Party Management
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The Australian Capital Territory’s Information Privacy Act 2014 regulates the collection, storage, use, security, and access of personal information for public entities and contracted service providers for public entities.
  • The New South Wales Privacy and Personal Information Act 1998 (PPIP Act), regulates collection and handling of personal information by New South Wales public sector agencies. New South Wales highly encourages all agencies to report all types of data breaches to the NSW Information Privacy Commissioner (IPC) and affected individuals, which may involve personal information other than TFN numbers.
  • The Northern Territory of Australia Information Act, effective 12 April 2017, regulates public sector organisations (PSO) collection and handling of personal information. The Office of the Information Commissioner for the Northern Territory oversees the Information Act.
  • The Queensland Right to Information Act 2009 and the Information Privacy Act 2009 promotes access to government-held information, and to protect people’s personal information held by the public sector. These Acts are facilitated by the Queensland Office of the Information Commissioner (IOC). Queensland encourages public entities to report data breaches to directly to the IOC.
  • In addition to the South Australian Information Privacy Principles Instruction and the Code of Fair Information Practice, South Australia has published a Personal Information Data Breaches guideline for the public sector.  The Privacy Committee of South Australia must be notified.  In some circumstances it may be appropriate to notify State Records, South Australian Government Chief Information Security Officer, the Agency Security Executive, Office for Cyber Security, and others.
  • The Tasmanian Personal Information Protection Act 2004 regulates the collection, use and disclosure of personal information, and applies to Personal Information Custodians.  Instead of establishing a central body, such as Privacy Commissioner, the Tasmanian Ombudsman investigates and makes any recommendation it considers appropriate in relation to the subject matter of a complaint.
  • The Office of Victorian Information Commissioner (OVIC) administers the Privacy and Data Protection Act 2014 (PDP Act) which specifically regulates how government organisations, local councils and government-contracted service providers collect and handle personal information.  Victoria’s OVIC strongly recommends that these entities report data breaches to them.
  • The Western Australia public sector does not currently have a legislative privacy regime. The Office of the Information Commissioner in West Australia oversees their Freedom of Information Act 1992.
Statutes and Laws
  • Australian Privacy Act of 1988, Part IIIC
  • Notifiable Data Breach (NDB) Scheme, Effective February 22, 2018
  • My Health Records Act 2012
BAck to map