Privacy Act 1988

PART IIIC - NOTIFICATION OF ELIGIBLE DATA BREACHES  

Division 2 - Eligible data breach  

SECTION 26WG  

26WG   WHETHER ACCESS OR DISCLOSURE WOULD BE LIKELY, OR WOULD NOT BE LIKELY, TO RESULT IN SERIOUS HARM - RELEVANT MATTERS  


For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:


(a) would be likely; or


(b) would not be likely;

to result in serious harm to any of the individuals to whom the information relates, have regard to the following:


(c) the kind or kinds of information;


(d) the sensitivity of the information;


(e) whether the information is protected by one or more security measures;


(f) if the information is protected by one or more security measures - the likelihood that any of those security measures could be overcome;


(g) the persons, or the kinds of persons, who have obtained, or who could obtain, the information;


(h) if a security technology or methodology:


(i) was used in relation to the information; and

(ii) was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
the likelihood that the persons, or the kinds of persons, who:

(iii) have obtained, or who could obtain, the information; and

(iv) have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;


(i) the nature of the harm;


(j) any other relevant matters.

Note:

If the security technology or methodology mentioned in paragraph (h) is encryption, an encryption key is an example of information required to circumvent the security technology or methodology.