Commonwealth Consolidated Acts Commonwealth Consolidated ActsScope
(1) This section applies if:
(a) a data custodian of public sector data that is personal information about one or more individuals has shared the personal information with or through an accredited entity under section 13; and
(b) the accredited entity holds the personal information.
Deemed holding of personal information by data custodian
(2) Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) has effect as if:
(a) the personal information were held by the data custodian; and
(b) the data custodian were required under section 15 of that Act not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.
Note: This has the effect that the data custodian has responsibilities under Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) in relation to the personal information held by the accredited entity.
(3) If the accredited entity reasonably suspects or becomes aware that a data breach of the entity has occurred (within the meaning of section 35), the accredited entity must give the data custodian written notice of the suspected or actual data breach:
(a) in sufficient time; and
(b) containing sufficient detail;
to enable the data custodian to comply with its obligations under Part IIIC of the Privacy Act 1988 as that Part applies because of subsection (2) of this section.
(4) Subsections (2) and (3) do not apply if:
(a) the accredited entity is an APP entity that is required under section 15 of the Privacy Act 1988 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and
(b) the data sharing agreement under which the personal information was shared with the entity provides that subsections (2) and (3) are not to apply in relation to the personal information.
Note: This has the effect that only the entity with which the personal information was shared, and not the data custodian, has responsibilities under Part IIIC of the Privacy Act 1988 (notification of eligible data breaches) in relation to the personal information held by the entity.
Copy of eligible data breach statements given to Information Commissioner
(5) A data scheme entity must, as soon as practicable, give the National Data Commissioner a copy of any statement the entity is required to give the Information Commissioner under section 26WK of the Privacy Act 1988 (statement about eligible data breach), if the eligible data breach to which the statement relates involves scheme data.
(5A) The Information Commissioner may give the National Data Commissioner a copy of any statement given to the Commissioner under section 26WK of the Privacy Act 1988 , if the Information Commissioner is satisfied that the matters dealt with in the statement are relevant to the National Data Commissioner's functions.
Meaning of hold
(6) A reference in this section to an entity holding personal information is a reference to the entity holding the information within the meaning of the Privacy Act 1988 .