PRIVACY ACT 1988

PART IIIC - NOTIFICATION OF ELIGIBLE DATA BREACHES  

Division 3 - Notification of eligible data breaches  

Subdivision B - General notification obligations  

SECTION 26WQ   EXCEPTION - DECLARATION BY COMMISSIONER  

26WQ(1)  
If the Commissioner:


(a) is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity; or


(b) is informed by an entity that the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity;

the Commissioner may, by written notice given to the entity:


(c) declare that sections 26WK and 26WL do not apply in relation to:


(i) the eligible data breach of the entity; and

(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities - such an eligible data breach of those other entities; or


(d) declare that subsection 26WL(3) has effect in relation to:


(i) the eligible data breach of the entity; and

(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities - such an eligible data breach of those other entities;

as if that subsection required compliance with subsection 26WL(2) before the end of a period specified in the declaration.

26WQ(2)  
The Commissioner ' s power in paragraph (1)(d) may only be used to extend the time for compliance with subsection 26WL(2) to the end of a period that the Commissioner is satisfied is reasonable in the circumstances.

26WQ(3)  
The Commissioner must not make a declaration under subsection (1) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:


(a) the public interest;


(b) any relevant advice given to the Commissioner by:


(i) an enforcement body; or

(ii) the Australian Signals Directorate;


(c) such other matters (if any) as the Commissioner considers relevant.

26WQ(4)  
Paragraph (3)(b) does not limit the advice to which the Commissioner may have regard.

26WQ(5)  
The Commissioner may give a notice of a declaration to an entity under subsection (1):


(a) on the Commissioner ' s own initiative; or


(b) on application made to the Commissioner by the entity. Applications

26WQ(6)  
An application by an entity under paragraph (5)(b) may be expressed to be:


(a) an application for a paragraph (1)(c) declaration; or


(b) an application for a paragraph (1)(d) declaration; or


(c) an application for:


(i) a paragraph (1)(c) declaration; or

(ii) in the event that the Commissioner is not disposed to make such a declaration - a paragraph (1)(d) declaration.

26WQ(7)  
If an entity applies to the Commissioner under paragraph (5)(b):


(a) the Commissioner may refuse the application; and


(b) if the Commissioner does so - the Commissioner must give written notice of the refusal to the entity.

26WQ(8)  
If:


(a) an application for a paragraph (1)(d) declaration nominates a period to be specified in the declaration; and


(b) the Commissioner makes the declaration, but specifies a different period in the declaration;

the Commissioner is taken not to have refused the application.

26WQ(9)  
If an entity applies to the Commissioner under paragraph (5)(b) for a declaration that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL do not apply in relation to:


(a) the eligible data breach; or


(b) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities - such an eligible data breach of those other entities;

until the Commissioner makes a decision in response to the application for the declaration.

26WQ(10)  
An entity is not entitled to make an application under paragraph (5)(b) in relation to an eligible data breach of the entity if:


(a) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities; and


(b) one of those other entities has already made an application under paragraph (5)(b) in relation to the eligible data breach of the other entity. Extension of specified period

26WQ(11)  
If notice of a paragraph (1)(d) declaration has been given to an entity, the Commissioner may, by written notice given to the entity, extend the period specified in the declaration.




This information is provided by CCH Australia Limited Link opens in new window. View the disclaimer and notice of copyright.