What are my rights after a data breach in Australia?

Answer

Under Australian law, if a data breach is likely to cause you serious harm, you have the right to be notified promptly. You also have the right to file a formal complaint with the Office of the Australian Information Commissioner (OAIC) if the organization mishandled your personal information.

Office of the Australian Information Commissioner (OAIC)
Last Updated: May 3, 2026


How it works in practice

The Notifiable Data Breaches Scheme

In Australia, your rights following a data breach are primarily protected under the Privacy Act 1988. Specifically, the Notifiable Data Breaches (NDB) scheme legally requires organizations to notify you if your personal information is involved in a data breach that is likely to result in serious harm.

This notification must include recommendations on the steps you should take to protect yourself from potential fraud or identity theft. If an organization fails to notify you, or if you believe they breached your privacy by failing to secure your data, you hold specific legal rights.

Lodging a Formal Complaint

If you are dissatisfied with how a company responded to a breach, you must first complain directly to them in writing. By law, they have 30 days to respond to your privacy concerns.

If the company ignores your complaint or provides an unsatisfactory resolution, you have the right to escalate the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC can investigate the incident, mandate corrective actions, and in specific circumstances, require the organization to pay compensation for financial or emotional harm caused by the data breach.

Important exceptions

Not all data breaches must be reported to affected individuals. Organizations are only legally required to notify you if the data breach is deemed likely to cause "serious harm," such as financial fraud, identity theft, or a physical threat.

Additionally, the Privacy Act 1988 generally only applies to Australian Government agencies and businesses with an annual turnover of more than $3 million. Small businesses, state government agencies, and political parties are frequently exempt from these federal laws, meaning your specific rights may vary depending on the exact entity involved.

What you should do now

  1. Change your passwords and enable multi-factor authentication for the affected accounts immediately.

  2. Contact your bank or financial institution to secure your accounts if financial details were exposed.

  3. Request a free copy of your credit report and monitor it for any unauthorized inquiries or new accounts.

  4. Submit a formal written complaint directly to the organization responsible for the data breach.

  5. Escalate your complaint to the OAIC if the organization does not resolve the issue within 30 days.
