The new Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on Feb 13, 2017, but will not apply immediately. The government has to nominate a starting date during the next 12 months.
The requirement to notify the Privacy Commissioner and affected persons of cyber breaches only applies to organizations to which the Privacy Act applies. It does not apply to state government agencies, local councils and organizations with an annual turnover of less than $3 million.
Not all cyber breaches are notifiable. It depends on whether the breach is judged likely to result in serious harm to affected individuals.
Sanctions for non-compliance are graded, from an apology and compensation to those affected through to (eventually) financial penalties imposed by the Privacy Commissioner for serious or repeated non-compliance.
Resources
http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r5747_ems_ed12b5bb-d3b3-4a6a-9536-53bb459a00df/upload_pdf/6000003.pdf;fileType=application%2Fpdf
https://www.itnews.com.au/news/what-does-data-breach-notification-mean-for-you-451025
Privacy Amendment (Notifiable Data Breaches) Bill 2016