In a landmark ruling, the Federal Court has imposed $5.8 million in civil penalties on Australian Clinical Labs (ACL) for breaching the Privacy Act. This is the first court-ordered penalty of its kind under the Act, signalling a significant move toward stricter privacy enforcement and underscoring the serious repercussions organisations face when they fail to safeguard personal information.
The Federal Court has made orders imposing the following penalties:
  • A penalty of $4.2 million for ACL’s failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, which amounted to more than 223,000 contraventions of s 13G(a) of the Privacy Act;
  • A penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of s 26WH(2) of the Privacy Act; and
  • A penalty of $800,000 for ACL’s failure to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act.

If you’re unsure whether your organisation is meeting its obligations under the Privacy Act, contact us to discuss how we can help you strengthen your privacy governance and data handling procedures.