Technology and Telecommunications

Australia's first civil penalty decision under the Privacy Act: Key lessons and call to action for Australian organisations

October 22, 2025

The result in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (Decision) is the first civil penalty decision issued under Australia's Privacy Act.

For Australian businesses and government organisations regulated by the Australian Privacy Principles (APPs) and the Privacy Act, the Decision delivers new and clear guidance on what the Court considers to be the "reasonable steps" an organisation must take to protect personal information under APP 11, and to assess and respond to a data breach under the Notifiable Data Breaches Scheme.

The Decision also provides a cautionary tale for the buyer of a target business holding significant amounts of personal information.

In this article, we unpack the key learnings from the Decision. These shed clear light on the steps Australian organisations should take to responsibly protect personal information, uplift their incident response preparation, and reduce the risk of facing regulatory action and civil penalties.

Looking ahead, business leaders should acknowledge that the Decision is not the end. It examined Australian Clinical Labs' (ACL) particular conduct, at a particular point in time and in particular circumstances.

Rather, "reasonable steps" must and will be adapted to a range of factors, such as: the sensitivity of the data or personal information; the potential harms to individuals from unauthorised access, loss or disclosure of that personal information; the organisation's size, sophistication and resources; and the evolving cyber risk landscape. Good cyber-risk preparation and response is not "set-and-forget".

We will see further regulatory action against organisations that fail to take reasonable steps to protect personal information.

What do Australian businesses and cyber insurers need to know?

Key points

Background

  • In December 2021, ACL acquired Medlab Pathology for $70 million.
  • Only a few months later, in February 2022, the 'Quantum Group' ransomware group attacked Medlab's IT systems. The group downloaded 86GB of sensitive health or financial information of over 223,000 individuals from ACL's systems, and later published the data on the dark web.
  • After a regulatory investigation, the Australian Information Commissioner (Commissioner) applied in late 2023 to the Federal Court seeking a declaration that ACL breached the Privacy Act and civil penalty orders.
  • On 8 October 2025, the Court accepted a settlement agreed between the Commissioner and ACL.
  • The Court's Decision declared that ACL's conduct contravened three provisions of the Privacy Act, and ordered ACL to pay civil penalties totalling $5.8 million plus a further $400,000 towards the Commissioner's legal costs.

Privacy breaches

The Court accepted a settlement proposal from the Commissioner and ACL, including an agreed statement of facts.

ACL contravened Australia's Privacy Act in three key ways:

  1. ACL failed to take reasonable steps to protect personal information from unauthorised access or disclosure (Breach of APP 11.1(b))
    • After it acquired Medlab, ACL failed to address known cybersecurity vulnerabilities in Medlab's IT systems.
    • Medlab's systems lacked basic protections such as up-to-date antivirus software, encryption, and multifactor authentication.
    • ACL over-relied on its third-party cybersecurity provider, StickmanCyber, which conducted an inadequate investigation.
  2. ACL failed to carry out a reasonable and expeditious assessment of whether the cyberattack was an "eligible data breach" (Contravention of s 26WH(2))
    • ACL had reasonable grounds to suspect a data breach by 2 March 2022 yet failed to complete a proper assessment within 30 days as to whether the breach was an eligible data breach.
    • StickmanCyber's assessment of the data breach was insufficient, and ACL's reliance on it was unreasonable.
  3. ACL failed to notify the Australian Information Commissioner of the eligible data breach as soon as practicable (Contravention of s 26WK(2))
    • By 16 June 2022 ACL had reasonable grounds to believe an eligible data breach had occurred, yet it only notified the Commissioner on 10 July 2022.

Penalty

The Court ordered ACL to pay civil penalties of $5.8 million, broken down as:

  • $4.2 million for the APP 11.1(b) contraventions which affected 223,000 individuals.
  • $800,000 for the s 26WH(2) contravention.
  • $800,000 for the s 26WK(2) contravention.

The Court also ordered ACL to pay $400,000 towards the Commissioner's costs in the proceedings.

Lessons learned (the hard way)

What "reasonable steps" should ACL have taken to comply with APP 11?

The Court detailed what "reasonable steps" to comply with APP 11.1(b) would have looked like in ACL's circumstances. These included:

  • Pre-acquisition due diligence to identify and mitigate vulnerabilities in Medlab's IT systems.
  • Timely integration or decommissioning of legacy systems.
  • Implementation of basic cybersecurity controls, such as:
    • Effective antivirus and anti-malware tools.
    • Strong authentication mechanisms (e.g., multifactor authentication).
    • Adequate firewall logging and monitoring.
    • File encryption.
    • Application whitelisting.
    • Data loss prevention tools.
  • Clear incident response plans, including:
    • Defined roles and responsibilities for internal and external participants.
    • Use of third-party experts who are capable of delivering a robust assessment of a suspected data incident.
    • Regular testing of incident response procedures.
    • Training for staff, especially those in key IT and incident response roles.
  • An independent and thorough assessment of cyber incidents, not solely relying on third-party advice.
  • Timely assessment of whether a suspected data breach is an eligible data breach that requires reporting.
  • Timely notification of an eligible data breach to the OAIC and affected individuals.
  • Cybersecurity due diligence in M&A transactions, and prompt action to mitigate or resolve adverse findings.

By when should ACL have completed its data breach assessment and notice?

  • Data breach assessment (s 26WH(2)): Within 30 days of becoming aware of reasonable grounds to suspect a breach.
  • Notification to Commissioner (s 26WK(2)): As soon as practicable after forming reasonable grounds to believe an eligible data breach occurred. In ACL's case, the Decision found that 2 3 days would have been practicable.

Why is the outcome in ACL notable or surprising?

The Decision assessed ACL's (insufficient) actions, and in particular the question of what are "reasonable steps" under APP 11.1(b), by applying principles from earlier regulatory enforcement cases, specifically in corporate law and financial licensing.

So while the Decision did not directly compare ACL's conduct to that of other APP entities, it followed analogous reasoning from those other regulatory contexts when assessing ACL's failures in this data privacy context.

ACL is the new objective standard for "reasonable steps" under the Privacy Act

The Court emphasised that APP 11.1(b) imposes an objective standard, and that the scope of "reasonable steps" must be informed by the relevant circumstances, including:

  1. the sensitivity of the data or personal information.
  2. the potential harm from unauthorised access, loss or disclosure.
  3. the size and sophistication of the business.
  4. the (changing) cybersecurity environment.

The reasonableness (or otherwise) of the steps taken by your business will be assessed in context; no two cases will be assessed against precisely the same metrics. But this reasonableness assessment will first be made through the lens of a disinterested, dispassionate and independent privacy regulator, and that regulator, whilst acting reasonably, may apply a significantly different or higher standard than the one adopted (or funded) by your organisation's decision-makers or board.

Organisations that wish to avoid regulatory scrutiny ought to have regard to the factors assessed in this Decision, and in other regulatory actions, when testing the reasonableness of their own actions under Australia's privacy, corporations, or financial licensing laws.

First civil penalty issued under the Privacy Act

This is the first civil penalty proceeding under the Privacy Act. Accordingly, it has set precedent and provides guidance for other APP entities about the reasonableness of their privacy planning and management, and data incident response approach and timing.

Single course of conduct v multiple contraventions

The Court accepted that, while ACL's conduct resulted in 223,000 contraventions of the Privacy Act, these contraventions arose from a single course of conduct. This factor significantly influenced the amount of the civil penalties applied here.

Conclusion

While the Court did not directly contrast ACL's conduct with that of other APP entities, it characterised ACL's failures by applying established legal principles from other regulatory and corporate law cases. This approach allowed the Court to contextualise the seriousness of ACL's Privacy Act contraventions and to set a benchmark for future privacy enforcement actions.

For assistance on data privacy issues, please contact our Privacy team.

This article was prepared by partner Steven Hunwicks, a specialist data privacy, cybersecurity and technology lawyer at Thomson Geer.
