The Australian Information Commissioner (Information Commissioner) can accept an enforceable undertaking from an entity under s 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act), or a person under s 94 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), where the Information Commissioner considers there is a reasonable basis to suggest that the person or entity has interfered with the privacy of an individual.
The Information Commissioner will generally accept an enforceable undertaking where the respondent has cooperated with a Commissioner-initiated investigation, an enquiry into a data breach incident or a privacy complaint investigation conducted by the OAIC, and the Information Commissioner has formed the view that accepting an enforceable undertaking would provide an appropriate regulatory outcome to the matter.
If the Information Commissioner considers that the agency, private sector organisation or person has breached the enforceable undertaking, the Information Commissioner may apply to enforce the undertaking in court, under s 115 of the Regulatory Powers Act or s 95 of the PCEHR Act, respectively.
