OAIC
Office of the Australian Information Commissioner
Privacy and freedom of information regulator. Administers the Privacy Act 1988, the Notifiable Data Breaches scheme, and the Australian Privacy Principles.
20
Obligations enforced
16
Enforcement actions tracked
7
Scope topics
Obligations enforced by OAIC (20)
- criticalCWLTHNotifiable Data Breach (NDB) scheme
Under the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- criticalCWLTHAutomated Decision-Making transparency under Privacy Act (phased)
From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- criticalCWLTHMajor banks must provide CDR Banking + Action Initiation (2026)
CDR Action Initiation lets accredited recipients initiate payments + actions on consumer behalf.
- criticalCWLTHAPP 3 collection of sensitive information
APP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- highCWLTHAPP 8 cross-border disclosure
Before disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
- highCWLTHAPP 12 & APP 13 access and correction requests
Individuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
- highCWLTHComply with credit reporting obligations (Part IIIA Privacy Act)
Credit providers and CRBs must adhere to the CR Code on collection, use, disclosure, hardship and dispute resolution.
- highCWLTHConsumer Data Right (CDR) participant accreditation + compliance
Banking, energy and (soon) non-bank lending data sharing — accredited participants must comply with privacy safeguards.
- highCWLTHRespond to FOI requests within 30 days (Cwlth agencies + ministers)
FOI Act 1982 — Commonwealth agencies + ministers must respond to access requests within 30 days.
- highCWLTHComply with CDR Banking (Open Banking) — major + non-major ADIs
Banking data holders must share consumer data with accredited recipients on consumer consent.
- highCWLTHAPP 7 direct marketing
APP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
- highCWLTHChildren's Online Privacy Code 2026
OAIC developing mandatory children's online privacy code (in force December 2026).
- highCWLTHPrivacy Act Reform — information controllers regime (proposed Tranche 2)
Tranche 2 reforms in scoping — information controllers + processors regime.
- highCWLTHPublish a Privacy Policy compliant with APP 1
Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- highCWLTHProvide an APP 5 collection notice at or before collection
APP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- highCWLTHPrepare for the proposed removal of the small business exemption
Removing the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
- highCWLTHCDR Energy sector — phased
Energy retailers + distributors must share data via CDR.
- highCWLTHAutomated Decision-Making transparency (Privacy Act 2024 reforms)
APP entities making decisions about individuals using ADM must disclose this in privacy policy from December 2026.
- highCWLTHPrivacy statutory tort (serious invasions of privacy)
From June 2025 — serious invasion of privacy actionable in tort.
- mediumCWLTHAPP 2 — anonymity + pseudonymity for individuals
Where reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
Recent OAIC enforcement
- civil penalty2025OAIC investigation — Optus 2022 data breach
September 2022 Optus breach exposed ~10M customer records. OAIC alleges APP 11 failures + delayed notification.
- investigation2024OAIC enforcement — multiple SMB breach investigations 2024
OAIC investigated multiple SMB-scale breaches in 2024 — including in legal, retail, healthcare. Most resolved without penalty but documented APP 11 reasonable-steps + NDB notification expectations.
- determination2024OAIC + AFP Medibank determination 2024-2025
Class action + OAIC determination on Medibank Oct 2022 data breach affecting ~9.7M customers + their families.
- class action2024Optus class action — 2022 data breach
Class action by ~9.8M Optus customers affected by September 2022 data breach.
- determination2024OAIC determinations on Bunnings and Kmart facial recognition
Both retailers operated in-store facial recognition systems for loss-prevention. OAIC found inadequate notification and unjustified breach of APP 3.3 (sensitive information).
- determination2024OAIC determination — Bunnings facial recognition + biometric
Bunnings operated facial recognition in stores for loss prevention without proper notice + consent for sensitive (biometric) information.
- determination2024OAIC determination — Kmart facial recognition
Kmart operated facial recognition for loss prevention; same proceedings as Bunnings determination 2024.
- civil penalty2024OAIC investigation into Australian Clinical Labs (Medlab)
Following the February 2022 Medlab Pathology breach, OAIC alleges ACL failed to take reasonable steps to protect personal information and failed to properly notify the breach.
- investigation2024OAIC investigation — Latitude Financial 2023 breach
March 2023 Latitude breach exposed personal info of ~14M customers including 7.9M driver licences.
- follow up2024OAIC follow-up enforcement — Clearview AI compliance
Follow-up compliance from 2021 determination + ongoing biometric processing detected.
- civil penalty2024OAIC v Medibank Private Limited
The October 2022 Medibank breach exposed personal information of approximately 9.7 million current and former customers. OAIC alleges Medibank failed to take reasonable steps to protect personal information.
- determination2023OAIC determination — Health Engine
Health Engine forwarded patient data to insurance brokers without proper consent.
- determination2021Commissioner-initiated investigation into Clearview AI Inc
Clearview AI scraped publicly available images from the web and used them to build a facial-recognition tool that was offered to Australian police agencies.
- determination2021Commissioner-initiated investigation into 7-Eleven Stores Pty Ltd
7-Eleven collected facial images and faceprints from customers via in-store tablets as part of a customer feedback program. Consent processes were inadequate.
- determination2021Commissioner v Uber Technologies (cross-border breach)
Uber failed to protect personal information of 1.2M Australian customers/drivers in the 2016 breach, and concealed the breach for over a year by paying the attacker as a 'bug bounty'.
- ndb notification2018PageUp NDB incident (illustrative)
PageUp HR software experienced a security incident potentially exposing recruitment data of major Australian employers (CBA, Telstra, Coles, NAB). Quick public notification.
Scope topics
Parent legislation
Source: regulator's own website. Rules Mate links and summarises — we don't republish full statutory text.