Can you sue for a privacy or data breach in Australia?

  • 14 February 2023

Australia has recently experienced several serious data breaches, with companies like Optus and Medibank being hacked. As a result, millions of people have had their private information stolen. This is a breach of privacy that can have serious consequences, especially if the stolen data can be used for identity theft or can give people access to your bank details.

Can you sue if your data is hacked?

As a general rule you cannot sue for breach of privacy in Australia. However, there are specific laws in both Victoria and the Commonwealth (Australia) that give you rights if your data has been hacked. 

Do I turn to Victorian or Australian law?

The Australian or Commonwealth laws generally apply to organisations that have a turnover of $3 million or more a year. While there are exceptions to this, the laws do cover companies like Optus and Medibank. 

The Victorian law applies to local councils and Victorian government agencies. 

Making a complaint under Australian law

The Australian laws are overseen by the Office of the Australian Information Commissioner (OAIC). Before you can go to the OAIC, you must first make a complaint to the organisation that you believe has breached your privacy. Your complaint must be made within 12 months of discovering the alleged breach. 

When you make your complaint to the organisation, you must include the following information:

  • Your name;
  • Your address and other contact details, like your phone number or email address;
  • Details of your complaint;
  • Why you believe your rights under the law have been breached; and
  • How you would like the issue resolved.

Once you have made the complaint you have to give the organisation at least 30 days to respond. If they do not respond in 30 days or you are not happy with their response, you can then complain to the OAIC. 

Making a complaint to the OAIC

A complaint to the OAIC must be in writing. It can be made online or by email, mail or fax. Your complaint must include the following information:

  • Your name;
  • Your address and other contact details, like your phone number or email address;
  • Any reference or identifying numbers given to you by the organisation you complained to;
  • The name of the organisation you are complaining about;
  • Details of your complaint;
  • What the organisation did to try and fix the issue;
  • Copies of any documents or correspondence you have with the organisation; and
  • How you would like the issue resolved.

In most situations, the OAIC will contact the organisation and ask for a response. If they do this, the response from the organisation will be provided to you. 

The issue will then go to conciliation. Conciliation is a process where you and the organisation try to find an amicable solution. If no solution can be reached, then the OAIC may investigate the complaint or choose to close it without any resolution. 

What the OAIC can do

If the OAIC investigates the issue they can:

  • Try to resolve the issue. This may include being given access to personal information or having your record corrected;
  • Request an apology from the organisation;
  • Ask the organisation to change their processes;
  • Ask the organisation to train their staff; and
  • Request the organisation to compensate you either financially or by some other means. 

What if I am not happy with the OAIC’s decision?

If you are not happy with the OAIC’s decision, you can ask the Court to review the decision. Generally, you can only do this if you believe the OAIC’s decision was not legally correct; it is not enough for you to think it is not fair. Our lawyers can help you understand whether you may have an argument that the decision was not legally correct.

If you want to apply to the Court for a review of the decision, you must do so within 28 calendar days of the OAIC decision. If the Court agrees to review the decision they may then refer it back to the OAIC to reconsider. The Court will not review your entire complaint and make a final decision on it. 

Making a complaint under Victorian law

If you believe your privacy has been breached by a local council or Government organisation in Victoria, the organisation that oversees these complaints is the Office of the Victorian Information Commissioner (OVIC). The objective of OVIC is to reach a resolution for you, not to punish an organisation.

Making a complaint to OVIC

If you make a complaint to OVIC they will use conciliation to try to resolve the issue. This means they will give both you and the organisation you are complaining about the opportunity to discuss the issue and try to reach an amicable resolution. 

There are many different things you could ask for to resolve the issue including:

  • An apology;
  • Change in the organisation’s processes or policies; or
  • Training for the organisation’s employees.

If the matter cannot be resolved by conciliation then OVIC may refer it to the Victorian Civil and Administrative Tribunal (VCAT).

Making a complaint to VCAT

A complaint must be referred to VCAT within 60 days of receiving a notice from OVIC. 

Under the law, VCAT can award compensation of up to $100,000 for loss or damage that you have suffered as a result of your privacy being interfered with. However, it is worth noting that VCAT has never awarded compensation of this amount before. 

When you go to VCAT it is a bit like going to Court. You will need to have evidence to support the loss or damage you have suffered. 

If your case goes to VCAT there are several things that they may choose to do including:

  • Agree with your claim but not award you any compensation;
  • Agree with your claim and award you compensation;
  • Order the organisation to stop doing the act that gave rise to the issue; or
  • Order the organisation to take actions to redress your loss or damage. This could be making a public apology, for example.

How a lawyer can help you with a privacy or data breach

Cases involving breach of privacy or a data breach are often complicated. As they involve government authorities, there are also strict procedures and timelines that you must adhere to. If you believe you have been impacted by a privacy or data breach, get in touch with us as soon as possible. We will help you understand your options and can help you complete the relevant paperwork and represent you in conciliation hearings or in Court or VCAT.
