What are the consequences if I breach the Privacy Act?

If you or your agency breach the Privacy Act, this can result in reputational loss, damage to your relationship with staff or clients, or financial consequences. A privacy breach can also cause real emotional, or even physical, harm to the affected individual.

In terms of the legal consequences, if you breach one or more privacy principles (or equivalent rules under a code of practice), then any individual who has been affected can make a complaint to us to investigate. When we investigate a complaint, we will attempt to facilitate resolution. However, if we’re unable to help settle the complaint, the legal test we then consider is whether there has been an ‘interference with privacy’.

If we are satisfied there has been an interference with privacy, and are unable to resolve the matter, we may refer the complaint to the Director of Human Rights Proceedings (the Director) so they can bring the case to the Human Rights Review Tribunal (the Tribunal).

An individual can take a case to the Tribunal themselves, even if we are not satisfied there has been an interference or if we don’t refer the matter to the Director.

The Tribunal can award compensation for harm caused by a privacy breach. Cases at the less serious end of the spectrum will range up to $10,000, moderately serious cases can range from $10,000 to around $50,000, and the most serious cases will range from $50,000 up to $350,000. The most the HRRT has awarded so far for a privacy matter is just over $168,000.

If there has been a privacy breach by your agency, you also need to assess whether it is a notifiable privacy breach that should be reported to us. We have a tool to assist you to do that here. This is a legal requirement and failure to notify our Office is an offence under section 118 of the Privacy Act 2020.

Updated October 2025