Privacy Act 1988

PART IIIC - NOTIFICATION OF ELIGIBLE DATA BREACHES  

Division 3 - Notification of eligible data breaches  

Subdivision C - Commissioner may direct entity to notify eligible data breach  

SECTION 26WR   COMMISSIONER MAY DIRECT ENTITY TO NOTIFY ELIGIBLE DATA BREACH  

26WR(1)    
If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity, the Commissioner may, by written notice given to the entity, direct the entity to:

(a)    prepare a statement that complies with subsection (4); and

(b)    give a copy of the statement to the Commissioner.

26WR(2)    
The direction must also require the entity to:

(a)    if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates - take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or

(b)    if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach - take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or

(c)    if neither paragraph (a) nor (b) applies:


(i) publish a copy of the statement on the entity's website (if any); and

(ii) take reasonable steps to publicise the contents of the statement.

Note: See also subsections 26WF(2) and (5), which deal with remedial action.


26WR(3)    
Before giving a direction to an entity under subsection (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.

26WR(4)    
The statement referred to in paragraph (1)(a) must set out:

(a)    the identity and contact details of the entity; and

(b)    a description of the eligible data breach that the Commissioner has reasonable grounds to believe has happened; and

(c)    the particular kind or kinds of information concerned; and

(d)    recommendations about the steps that individuals should take in response to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.


26WR(5)    
A direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

26WR(6)    
In deciding whether to give a direction to an entity under subsection (1), the Commissioner must have regard to the following:

(a)    any relevant advice given to the Commissioner by:

(i) an enforcement body; or

(ii) the Australian Signals Directorate;

(b)    any relevant submission that was made by the entity:


(i) in response to an invitation under subsection (3); and

(ii) within the period specified in the invitation;

(c)    such other matters (if any) as the Commissioner considers relevant.


26WR(7)    
Paragraph (6)(a) does not limit the advice to which the Commissioner may have regard.

26WR(8)    
If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.

Method of providing a statement to an individual

26WR(9)    
If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

Compliance with direction

26WR(10)    
An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.


 
