Lawyers for litigation

Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224

Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224

PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1) of the Act by breaching an APP – where breaches of privacy constituted “serious contravention” under s 13G of the Act – where breach of privacy of each individual constituted a separate contravention of s 13G of the Act – where an APP entity was aware that there were reasonable grounds to suspect that there may have been an eligible data breach – where an APP entity failed to carry out a reasonable and expeditious assessment to determine whether there were reasonable grounds to believe that there was an eligible data breach in contravention of s 26WH of the Act – where contravention of s 26WH of the Act was serious – where an APP entity was aware that there were reasonable grounds to believe that there had been an eligible data breach – where an APP entity failed to prepare a statement in relation to the eligible data breach and provide it to the Commissioner in contravention of s 26WK of the Act – where contravention of s 26WK of the Act was serious – where a penalty was agreed between the regulator and the contravener –where a contravener admitted contraventions – where contraventions were extensive and significant – where it is not possible to quantify the loss or damage caused by contravening conduct – where contraventions were not deliberate – where a contravener cooperated with the regulator – where a contravener took meaningful steps to develop a satisfactory culture of compliance – where 223,000 contraventions arose from a single course of conduct – where the Court satisfied that agreed penalty falls within permissible range of penalties sufficient for both specific and general deterrence


Recent cases about privacy compliance

  • Medibank Private Limited v McClure [2026] FCAFC 38

    LEGAL PROFESSIONAL PRIVILEGE – third party reports – investigation into cyber-attack – whether primary judge erred as to dominant purpose in finding that reports not subject to legal professional privilege – whether documents were created, commissioned or obtained for the dominant purpose of legal advice – grounds of appeal not sufficiently arguable to warrant grant…

  • Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224

    PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1)…

  • Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224

    PRIVACY ACT – Where an APP entity breached Australian Privacy Principle (APP) 11.1 of the Privacy Act 1988 (Cth) (Act) by failing to take reasonable steps to protect personal information from unauthorised access or disclosure – what constitutes “reasonable steps” – where an APP entity interfered with the privacy of 223,000 individuals under s 13(1)…

Original article available at: https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2025/2025fca1224For more information, see the original judgement.
Send this to a friend