Court ruling sends a clear warning to all businesses
The first civil penalty handed down under Australia’s amended Privacy Act has confirmed that the era of regulatory leniency is over.
Following a landmark Federal Court decision against Australian Clinical Labs, BDO Forensic Services Partner Conor McGarrity says the message to business is clear: it’s time to act.
“This case is a real warning shot,” Conor said.
“It shows that the regulator is no longer satisfied with promises of improvement or reactive measures. The expectation now is proactive compliance, with data privacy embedded across every part of the organisation.”
The ruling ordered Australian Clinical Labs to pay a $5.8 million penalty after a cyber incident that exposed the personal data of more than 223,000 individuals.
It is the first civil penalty imposed under the Privacy Act and gives an early indication of how the courts will interpret the obligations introduced by the recent reforms.
The judgment made clear that organisations must take “reasonable steps” to secure personal information, assess and notify breaches promptly, and maintain strong authentication and forensic logging.
Each affected individual can also be treated as a separate contravention, multiplying potential penalties.
Conor said the reforms fundamentally change the risk landscape for all organisations handling personal information.
“The regulator is now scrutinising whether data is still necessary to retain and whether adequate safeguards are in place,” he said.
“Businesses can no longer justify keeping data ‘just in case’. They must be able to prove why they hold it and how it’s protected.”
He added that the implications extend far beyond any one sector.
“Retail, finance, health, technology, professional services—it’s universal. Boards and executives must understand that privacy obligations now sit alongside financial and operational risk. Those who don’t move quickly risk severe reputational and financial damage.”
Conor said that with maximum penalties reaching $50 million or more under the ‘greater-of’ framework, organisations must shift from awareness to action.
The judgment also gives some guidance on what the Office of the Australian Information Commissioner (OAIC) and the court will regard as ‘reasonable steps’ to protect personal information.
The factors considered in determining what is reasonable include:
- the volume and sensitivity of the relevant personal information
- the potential harm to individuals if the information was accessed or disclosed
- the size and sophistication of the business
- the cyber security environment in which the business operates
- any previous threats or cyberattacks made against the business.
For media enquiries:
Tate Papworth
Manager, Media
E: Tate.Papworth@bdo.com.au
Ph: 0433411189