Perth Breach Notification Timelines - City Law Guide

Technology and Data · Western Australia · 4 Minutes Read · published February 11, 2026

Perth, Western Australia businesses must act promptly when personal information is compromised. This guide explains notification timelines, which agencies enforce reporting, and practical steps for compliance under City of Perth handling and the national Notifiable Data Breaches scheme. It summarises where to report breaches affecting council-held records and how federal obligations under the Privacy Act interact with local reporting. Use the contact and form links to notify the City and the national regulator as relevant and follow the staged actions below to limit harm and meet legal duties.[1]

Notify affected individuals promptly and document every action.

When to notify

Under the national Notifiable Data Breaches (NDB) framework, businesses covered by the Privacy Act must assess suspected eligible data breaches and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where an eligible breach is likely to result in serious harm. Local council-held records follow the City of Perth privacy procedures for reporting breaches of City systems. For national obligations see the OAIC guidance and the Privacy Act references below.[2][3]

Penalties & Enforcement

Enforcement can be taken by the national regulator for Privacy Act breaches and by the City of Perth for breaches of council-held records or local procedures. Exact monetary penalties for failing to comply with the NDB notification process are not specified on the OAIC guidance page; consult the Privacy Act text for statutory penalty provisions and the City of Perth pages for council-specific sanctions where applicable.[2][3]

  • Fine amounts: not specified on the cited page; see the Privacy Act and OAIC links for statutory penalty provisions.[2][3]
  • Escalation (first, repeat or continuing offences): not specified on the cited page; enforcement depends on regulator assessment and may lead to court action.[2]
  • Non-monetary sanctions: orders to comply, remediation directions, enforceable undertakings, or court remedies are available under the Privacy Act and council powers.
  • Enforcer and complaint pathway: OAIC handles federal Privacy Act matters and City of Perth handles council records; use the official contact pages listed in Resources.
  • Appeal/review routes: judicial review or statutory appeals may apply; time limits are governed by the relevant legislation and tribunal/court rules and are not specified on the cited guidance pages.
  • Defences/discretion: regulators consider reasonable excuse, prompt remediation and cooperation; specific defences depend on case facts and are not exhaustively listed on the cited pages.

Council-held record breaches should be reported to the City using its published privacy process.

Applications & Forms

For the OAIC notification there is an online form and template guidance for the NDB statement; the OAIC site provides the form and submission instructions. For council-held breaches the City of Perth publishes its own reporting procedure and contact points; if a specific council form is required it is shown on the City page.[1][2]

Practical steps after a suspected breach

  • Assess the incident and document what occurred, when, and what data was affected.
  • Contain the breach: isolate systems, revoke access and secure backups.
  • Decide if the breach is an eligible NDB incident and prepare a notification statement if required.
  • Notify affected individuals and the OAIC where required, and notify the City of Perth for council records.
  • Record remedial actions and consider offering credit monitoring or support where appropriate.

Common violations

  • Unsecured databases or cloud storage exposures leading to mass data access.
  • Misconfigured access controls or broken authentication.
  • Loss or theft of devices containing personal information.
  • Delayed or no notification following discovery of an eligible breach.

FAQ

Who must notify when a breach occurs?
Entities covered by the Privacy Act must assess and notify under the NDB scheme; the City of Perth must be notified for breaches of council-held records.[1][2]
How quickly must notifications be made?
Notifications should be made as soon as practicable after determining an eligible breach; exact statutory time limits are not specified on the OAIC guidance page.[2]
Where do I report a breach affecting City systems?
Report council-record breaches via the City of Perth privacy/reporting contacts listed on the City website.[1]

How-To

  1. Confirm and document the incident, including scope and data types affected.
  2. Contain the breach and mitigate immediate risks, such as revoking credentials.
  3. Use the OAIC NDB guidance and template to assess whether the breach is eligible for notification and prepare the statement.
  4. Notify affected individuals and submit the notification to the OAIC; notify the City of Perth if council records are affected.
  5. Review systems, adopt remedial controls, and keep records of actions taken.

Key Takeaways

  • Act promptly: the NDB scheme requires timely assessment and notification.
  • Contact both the OAIC and City of Perth when council-held data is involved.
  • Document all steps and remediation for enforcement and review.

Help and Support / Resources


  [1] City of Perth privacy policy and reporting
  [2] OAIC Notifiable Data Breaches guidance
  [3] Privacy Act 1988 (consolidated)