Compliance · 5 May 2025 · DEIS Compliance

Received a compliance notice from the Privacy Commissioner? Here is what to do

If the OPC issues a compliance notice, you need to act quickly. Here is a step-by-step guide to responding.


A compliance notice from the Office of the Privacy Commissioner (OPC) is a formal direction requiring you to do something, or stop doing something, in order to comply with the Privacy Act. It is not a request: if you do not comply or successfully challenge it, the OPC can seek enforcement through the Human Rights Review Tribunal.

Step 1: Read the notice carefully

Compliance notices specify:

  • The provision of the Privacy Act you are allegedly breaching
  • The action you must take to remedy the breach
  • The timeframe for compliance (usually 20–40 working days)
  • Your right to challenge the notice in the Human Rights Review Tribunal

Step 2: Gather evidence

This is where your DEIS evidence log becomes critical. Export the entries relevant to the provision named in the notice to demonstrate your compliance history. If the notice concerns a specific individual, data source or time period, filter the export to those entries so the evidence you submit is directly on point.

Step 3: Seek legal advice

Compliance notices can be challenged in the Human Rights Review Tribunal. Get legal advice on whether to comply, challenge, or negotiate.

Step 4: Remediate

If you decide to comply, implement the required changes within the timeframe. Document every step.

Step 5: Respond

Confirm to the OPC that you have complied, with supporting evidence. DEIS evidence exports are designed to meet OPC evidential requirements.

Prevention

The best response to a compliance notice is never receiving one. DEIS captures IPP3A compliance evidence automatically, creating the documentation trail the OPC expects to see.
