Case Study: A Thursday Morning Nobody Planned For
Picture this: it is Thursday morning. The compliance manager at a mid-size Australian organisation arrives at the office, coffee in hand, ready for an ordinary day.
By 10 am, three employees were sitting in front of them, visibly upset.
What they described was a serious employee privacy breach: staff names and personal details had been shared with a third party, with no warning, no consent, and no legitimate reason anyone could identify.
The employees had found out by accident. Now they wanted to know why it had happened, and what the organisation was going to do about it.
The answer was costly. The organisation was ordered to pay $60,000 in damages, issue a written apology to every affected employee, undertake an independent review of its privacy policies, and repeat that review six months later to demonstrate genuine improvement.
It was not a rogue actor or a sophisticated cyberattack that caused this.
It was a process failure: a decision to share employee details without checking whether doing so was legal, appropriate, or necessary.
The law was very clear about where the responsibility sat.
Why This Matters More Than Ever in 2025 and 2026
The case above is not ancient history. The risk of an employee privacy breach has grown, not shrunk.
Australian workplaces are generating and handling more employee personal information than ever: through digital employee onboarding systems, cloud-based HR platforms, remote access tools, and third-party service providers.
Every one of those touch points is a potential exposure.
Outcomes like the one in the case study represent something more than legal exposure.
They represent employees whose trust was broken, organisations whose reputations took years to rebuild, and leadership teams that had to explain publicly what went wrong and why it was allowed to happen.
The Legal Landscape: What Australian Law Actually Requires
To understand what the employer in the case study should have done, it helps to understand what the law demands.
Australian workplace privacy sits across several legislative frameworks that work together.
Privacy Act 1988 (Cth)
The Privacy Act is the centrepiece of Australia’s privacy framework.
It governs how organisations with an annual turnover of more than AUD $3 million collect, store, use, and disclose personal information, including that of their employees and job applicants. Some smaller organisations are covered regardless of turnover, including private health service providers, businesses that trade in personal information, and contracted service providers for Commonwealth contracts.
Important: The small business exemption (for organisations with turnover of $3 million or less) is under active review and proposed for removal in upcoming reforms. Organisations that currently rely on it should plan for compliance now rather than waiting for the change to pass.
The 13 Australian Privacy Principles (APPs)
The APPs sit within the Privacy Act and impose specific obligations.
Three are especially relevant to the case study and to most workplace privacy situations:
- APP 3 (Collection of personal information): Employers must only collect personal information that is reasonably necessary for one or more of their functions or activities, and must collect it by lawful and fair means. APP 5 separately requires them to notify individuals, at or before collection, of what is being collected and why.
- APP 6 (Use or disclosure of personal information): Personal information may only be used or disclosed for the primary purpose for which it was collected, unless the individual consents or an APP 6 exception applies (for example, the secondary purpose is related to the primary purpose and the individual would reasonably expect it, or the disclosure is required or authorised by law). Sharing an employee’s name and details with a third party with no consent and no identifiable exception is a direct breach of this principle.
- APP 11 (Security of personal information): Employers must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and must destroy or de-identify information they no longer need, subject to any legal retention requirement. Reasonable steps are context-dependent, but they include training, policies, and access controls; the 2024 amendments confirm that they cover technical as well as organisational measures.
The Employee Records Exemption – and Its Limits
Many employers assume a broad exemption covers all handling of employee information.
The exemption in Section 7B (3) of the Privacy Act does exist, but it is narrower than most people realise.
It only applies when the handling of an employee record is directly related to the current or former employment relationship.
In the case study, sharing employee names with a third party had no clear connection to managing those employment relationships.
That is exactly why the exemption did not apply – and why the employer was found liable.
The Notifiable Data Breaches (NDB) Scheme
Under the Notifiable Data Breaches scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, organisations covered by the Privacy Act must notify both the OAIC and affected individuals of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any affected individual, where remedial action has not prevented that harm.
This obligation is mandatory. An organisation that suspects an eligible breach must assess it within 30 days, and must notify as soon as practicable once it has reasonable grounds to believe one has occurred. Failing to assess or notify within those timeframes is itself an interference with privacy under the Act.
The Privacy and Other Legislation Amendment Act 2024
Passed in late 2024, this legislation significantly strengthens the enforcement framework.
Key changes include:
- A tiered civil penalty regime. The maximum penalty for a serious interference with privacy (the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover) was introduced by the 2022 enforcement amendments; the 2024 Act adds a mid-tier penalty for interferences that do not meet the serious threshold, and infringement notices for specified administrative contraventions
- Stronger OAIC enforcement tools, including infringement notices for specified contraventions and enhanced monitoring and investigation powers, so that regulatory action does not depend on an individual first lodging a complaint
- A new statutory tort for serious invasions of privacy, in force from 10 June 2025, enabling individuals to sue employers directly in court where the invasion was intentional or reckless, the person had a reasonable expectation of privacy, and the public interest in privacy outweighs any countervailing public interest
- Not yet legislated: removal of the small business exemption and reform of the employee records exemption remain proposals flagged for a later tranche of reform, not changes made by the 2024 Act
State and Territory Laws
Federal law is not the complete picture. State and territory legislation adds obligations in certain jurisdictions:
- Privacy and Personal Information Protection Act 1998 (NSW): applies to NSW public sector agencies
- Health Records Act 2001 (VIC): governs health information held by Victorian organisations
- Information Privacy Act 2009 (QLD): covers Queensland public sector entities
- Workplace Surveillance Act 2005 (NSW) and Workplace Privacy Act 2011 (ACT): impose notice requirements before employers monitor staff computer use, email, cameras or location
Three Warning Signs Your Organisation Is Already at Risk
In the case study, the breach was the visible outcome.
But the root causes were present long before any information was shared.
These warning signs tend to appear in organisations that have not yet built a mature privacy practice.
Warning Sign 1: Staff Handle Employee Data Without Knowing What the Rules Are
If your team does not know what counts as personal information, when sharing it is permitted, or what to do when a privacy concern arises, you are operating on assumptions.
That is exactly where most employee privacy breaches begin. A manager who forwards a list of employee names without thinking is not acting maliciously.
They simply do not know the rules. Ignorance is not a defence, but it is entirely preventable.
Warning Sign 2: You Have a Privacy Policy, But It Sits in a Folder Nobody Opens
Policies that have not been communicated, read, and acknowledged by staff provide limited legal protection.
Courts and regulators look at whether the policy was embedded in everyday practice – not merely whether it existed in a document library.
If you cannot demonstrate that employees were trained on the policy and that they understood it, the policy is not doing its job.
Warning Sign 3: There Is No Formal Process for Reviewing or Reporting Privacy Issues
In the case study, the employer was required to conduct a formal review and then repeat it six months later.
This is a remedial requirement – imposed because no robust review process existed beforehand.
Organisations without structured incident reporting and periodic risk review processes tend to discover gaps only after a breach has already occurred.
What the Employer Should Have Done Differently
Every root cause in this case is preventable. Here is what a privacy-mature organisation looks like in practice.
Step 1: Educate Staff Through Structured Privacy Training
Awareness is the foundation of every effective privacy programme.
Every employee who handles personal information – and in most organisations, that is the vast majority of the workforce – needs to understand what that means and what their obligations are under Australian law.
Effective privacy training covers: what personal information is, what the APPs require in practice, when information can and cannot be shared, and what to do when something goes wrong.
Completion should be documented and auditable.
It is not a tick-box exercise. It is the primary line of defence against human error, which accounts for 37% of Australian data breaches.
Step 2: Build a Privacy Policy That Employees Actually Receive, Read, and Acknowledge
Creating a privacy policy is the starting point – not the finish line.
What gives a policy force is whether employees received it, read it, and confirmed their understanding.
An acknowledged policy creates a documented record that staff were informed, which matters significantly if a breach occurs and the organisation needs to demonstrate it took reasonable steps.
Policies also need to be living documents. As the organisation changes – new HR systems, new third-party providers, new team structures – the policy needs to keep pace.
A review cycle with staff notification of changes is part of reasonable practice, not an optional extra.
Step 3: Manage Employee Records Systematically and Review Processes Regularly
Knowing what employee data you hold, where it sits, who can access it, and how long you retain it is fundamental.
The Fair Work Act 2009 and Fair Work Regulations 2009 prescribe a minimum seven-year retention period for most employee records, while the Privacy Act requires that personal information is accurate, up to date and complete (APP 10) and protected from unauthorised access (APP 11). Retention and security pull in different directions, so retention schedules need to be explicit: keep what the law requires, for as long as it requires, and destroy or de-identify the rest.
Regular internal reviews – and a clear process for reporting and responding to privacy incidents – ensure that gaps are identified before regulators or affected employees find them first.
How Sentrient Supports Employee Privacy Compliance
Sentrient’s platform brings together the tools Australian organisations need to build and demonstrate a strong employee privacy practice: training, policy management, records, incident reporting, and risk review – in a single connected system.
Used together, these modules give organisations the structure to move from reactive to proactive: building a compliance culture rather than managing crises.
The Bottom Line
The $60,000 in damages was not the worst outcome of the employee privacy breach in the case study.
The worst outcome was what it represented: employees whose trust was broken, an organisation that had to learn its legal obligations under public scrutiny, and a leadership team that had to confront retrospectively that this was entirely preventable.
Australian privacy law is clear about what employers owe their people.
The Australian Privacy Principles, the Notifiable Data Breaches scheme, and the 2024 legislative reforms have collectively raised both the standard of care expected and the consequences of falling short.
Privacy compliance is not a legal formality. It is part of how a responsible employer operates – one that earns the trust of its team and handles the personal information people share as part of their working lives with genuine care.
The organisations that handle this well are not necessarily the ones with the most complex legal teams.
They are the ones who have built privacy understanding into everyday practice: through structured training, clear and current policies, proper record management, and the systems that support it all.
See How Sentrient Can Help Your Organisation – Schedule a free consultation
From privacy training to policy management, records, and incident response, Sentrient brings your compliance tools together in one place.
Frequently Asked Questions
1. We are a small business. Does the Privacy Act apply to us?
Currently, organisations with an annual turnover of $3 million or less may qualify for the small business exemption, but it does not apply to private health service providers, businesses that trade in personal information, or contracted service providers for Commonwealth contracts, among other exceptions. The exemption is proposed for removal. State-based laws may also apply. Plan for compliance now rather than waiting for reform to pass.
2. We already have a privacy policy. Is that enough?
No. A policy only protects you if employees receive it, read it, and acknowledge it. Regulators look at whether it was followed in practice, not just documented. It also needs to be kept up to date as your systems and providers change.
3. What exactly counts as an employee record under Australian law?
It includes health information, contact details, tax and super records, leave, salary, performance notes, and union membership. Information unrelated to the employment relationship, such as personal messages on a work device, is generally excluded. When in doubt, document your reasoning.
4. We use cloud-based HR software and a third-party payroll provider. Are we still responsible for that data?
Yes. Responsibility stays with you even when a third party processes the data. APP 11 requires reasonable steps to secure the information, which in practice means contractual obligations on the provider and periodic checks that it meets them; APP 8 adds further obligations where the provider stores or processes the data overseas, because you remain accountable for an overseas recipient’s handling unless an exception applies. The employee records exemption covers your own acts that are directly related to the employment relationship; it does not extend to a third-party processor’s handling of the data.
5. If we discover a breach, how quickly do we need to report it to the OAIC?
Two clocks apply. If you suspect an eligible data breach, you must complete an assessment within 30 days of forming that suspicion. Once you have reasonable grounds to believe the breach is likely to result in serious harm, you must notify the OAIC and affected individuals as soon as practicable; the 30-day window is for the assessment, not a grace period for notification. If the assessment confirms the breach earlier, notify then rather than waiting out the 30 days.
Last Updated: May, 2026
