Australian Government - Office of the Australian Information Commissioner - Home

Enforceable undertakings

The Australian Information Commissioner (Information Commissioner) can accept an enforceable undertaking from an entity under s 33E of the Privacy Act 1988 (Privacy Act), or a person under s 94 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), where the Information Commissioner considers there is a reasonable basis to suggest that the person or entity has interfered with the privacy of an individual.

The Information Commissioner will generally accept an enforceable undertaking where the respondent has co-operated with a Commissioner-initiated investigation, an enquiry into a data breach incident or a privacy complaint investigation conducted by the Office of the Australian Information Commissioner (OAIC), and the Information Commissioner has formed the view that accepting an enforceable undertaking would provide an appropriate regulatory outcome to the matter.

If the Information Commissioner considers that the agency, private sector organisation or person has breached the enforceable undertaking, the Information Commissioner may apply to enforce the undertaking in court, under s 33F of the Privacy Act or s 95 of the PCEHR Act, respectively.