Privacy Act prosecutions begin

The first of their kind legal proceedings by the Office of the Australian Information Commissioner (OAIC) flag a new focus on prosecuting organisations for breaches of the Privacy Act 1998 (Cth) (Privacy Act). This underlines the importance of businesses putting in place effective and compliant data protection, recovery and reporting processes.

On 3 November 2023, the OAIC announced that it had commenced proceedings against Australian Clinical Labs Limited (ACL). The proceedings relate to a data breach of ACL’s information technology systems in February 2022 which resulted in the unauthorised access and disclosure of personal information of hundreds of thousands of ACL’s patients including Medicare numbers, sensitive health information, and credit card information.

In particular, the OAIC is alleging that ACL breached its obligations under the Privacy Act by:

• failing to take reasonable steps to protect personal information from unauthorised access or disclosure in breach of the Australian Privacy Principles;
• failing to carry out a reasonable assessment within 30 days of whether the breach amounted to an eligible data breach pursuant to the notifiable data breach requirements under the Privacy Act; and
• failing to notify the OAIC of the breach as soon as practicable after ACL became aware that there were reasonable grounds to believe that there had been an eligible data breach.

The OAIC has alleged that the above failures amounted to a serious interference of the privacy of millions of patients and that that these failures left ACL vulnerable to cyberattack in contravention of section 13G of the Privacy Act.

If the OAIC is successful, the Federal Court may impose a penalty of up to $2,220,000 for each contravention of section 13G. In that respect, we note that had the alleged conduct occurred following December 2022 when amending legislation was passed to significantly increase the maximum penalties under the Privacy Act, then ACL would potentially be facing maximum penalties of up to $50 million for each contravention instead.

We will continue to provide updates on this decision as it progresses through the Federal Court.

This article provides general comments only. It does not purport to be legal advice. Before acting on the basis of any material contained in this article, we recommend that you seek professional advice.

Co-author

Name: Lachlan Chuong

Position: Associate

Practice: Disputes