In brief

The Federal Court has ordered Australian Clinical Labs Limited (ACL) to pay a AUD 5.8 million civil penalty in connection with a data breach involving Medlab Pathology Pty Ltd ("Medlab"), which was acquired by ACL in December 2021. This is the first civil penalty proceeding brought by the Australian Information Commissioner ("Commissioner") in the history of the Privacy Act 1988 (Cth) ("Act").

The Court assessed the test for “reasonable steps” by organisations to protect personal information, and the delay by ACL in undertaking an eligible data breach assessment and issuing a notification to the Commissioner.

This case marks a shift towards stricter regulatory enforcement and highlights the need for organisations to be diligent in preventing and responding to eligible data breaches.
