Directors' Duties


  • Directors of corporations are subject to a series of duties owed to the company, shareholders and others that arise primarily under the Corporations Act 2001 (Cth) as well as at common law and in equity. For directors of publicly-listed corporations, additional duties may arise under continuous disclosure obligations.
  • Other laws and regulations may apply to directors and the exercise of their duties, depending on the subject matter (e.g. notifiable data breaches under the Privacy Act 1988 (Cth)) or the industry of the corporation (e.g. information security obligations of financial institutions under the Banking Act 1959 (Cth)).


Corporations Act 2001 (Cth)

ASX Listing Rules

  • Under ASX Listing Rule 3.1, a listed entity must immediately report to the ASX any market-sensitive information that can have a material consequence on the price or value of the securities of that entity (as soon as it is aware or ought to reasonably have been aware).
  • Section 677 of the Corporations Act 2001 (Cth) requires that the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of them. A listed entity must form a view of whether the direct and indirect effects of a data breach satisfy this test prior to notifying the ASX, considering all surrounding circumstances.
  • Both ASIC and the ASX can institute punitive and enforcement measures when an entity breaches its continuous disclosure obligations. See Memorandum of Understanding between Australian Securities and Investments Commission and ASX Limited ABN 98 008 624 691 (Memorandum of Understanding, 28 October 2011).
  • A court will generally examine the reaction of the market when considering whether an entity breached its continuous disclosure obligations: see Grant-Taylor v Babcock & Brown Limited (In Liquidation) [2015] FCA 149.
  • See ASX Listing Rules - Chapter 3: Continuous Disclosure
  • See ASX Listing Rules - Guidance Note 8: Continuous Disclosure: Listing Rules 3.1-3.1B

Banking Act 1959 (Cth)

  • Under Part IIAA of the Banking Act 1959 (Cth), authorised deposit-taking institutions (ADIs) must nominate one or more 'accountable persons' - either a director or another appropriate senior executive - who are responsible for the conduct of the financial institution's regulatory compliance and for reporting to the Australian Prudential Regulation Authority (APRA).
  • Under APRA Prudential Standard CPS 234: Information Security, the board of directors of an APRA-regulated entity (including all banks and financial institutions, general insurers and private health insurers) is responsible for:
    • ensuring the entity maintains information security (and an information security capability) in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity; and
    • clearly defining the information security-related roles and responsibilities of the board of directors, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.

Privacy Act 1988 (Cth)

  • Under Part IIIC of the Privacy Act 1988 (Cth), organisations with an annual turnover exceeding $3 million (plus private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients) are subject to the notifiable data breach scheme. These organisations must promptly inform individuals whose personal information has been affected in a data breach that is likely to cause serious harm.
  • A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost, and a reasonable person would determine this is likely to cause serious harm (or risk thereof) to affected entities.
  • An affected organisation must undertake a reasonable and speedy assessment and report its results to the Office of the Australian Information Commissioner within 30 days, and distribute these details to the people at risk of serious harm.
  • Part VIB of the Privacy Act 1988 (Cth) contains penalties for non-compliance and gives the Commissioner investigative powers.
