Commonwealth Consolidated Acts Commonwealth Consolidated Acts(1) A data scheme entity must notify the Commissioner, in an approved form (if any), within the period applicable under subsection (1A) and in accordance with any requirements prescribed by a data code, if:
(a) the entity reasonably suspects or becomes aware that a data breach of the entity has occurred; and
(b) data involved in the breach is not personal information about one or more individuals.
Note: Breaches involving personal information are dealt with under Part IIIC of the Privacy Act 1988 (see section 37).
Civil penalty: 300 penalty units.
(1A) The period for notifying the Commissioner is:
(a) the period applicable under a data code; or
(b) if there is no period applicable under a data code--as soon as practicable after the end of the financial year in which the breach occurs.
(2) A data code may prescribe different periods for the purposes of paragraph (1A)(a), according to whether the breach is, or is not, a breach that a reasonable person would conclude would be likely to result in serious harm to an entity, a group of entities or a thing to which the data relates.
(3) In determining whether a reasonable person would conclude that the breach would, or would not, be likely to result in serious harm to an entity, a group of entities or a thing to which the data involved in the breach relates, have regard to the following:
(a) the kind or kinds of data;
(b) the sensitivity of the data;
(c) whether the data is protected by one or more security measures and, if so, the nature of those measures;
(d) the persons, or the kinds of persons, who have obtained, or who could obtain, the data;
(e) the nature of the harm;
(f) any other relevant matters.