Commonwealth Consolidated Acts

[Index] [Table] [Search] [Search this Act] [Notes] [Noteup] [Previous] [Next] [Download] [Help]

PRIVACY ACT 1988 - SECT 26WR

Commissioner may direct entity to notify eligible data breach

  (1)   If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity, the Commissioner may, by written notice given to the entity, direct the entity to:

  (a)   prepare a statement that complies with subsection   (4); and

  (b)   give a copy of the statement to the Commissioner.

  (2)   The direction must also require the entity to:

  (a)   if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or

  (b)   if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or

  (c)   if neither paragraph   (a) nor (b) applies:

  (i)   publish a copy of the statement on the entity's website (if any); and

  (ii)   take reasonable steps to publicise the contents of the statement.

Note:   See also subsections   26WF(2) and (5), which deal with remedial action.

  (3)   Before giving a direction to an entity under subsection   (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.

  (4)   The statement referred to in paragraph   (1)(a) must set out:

  (a)   the identity and contact details of the entity; and

  (b)   a description of the eligible data breach that the Commissioner has reasonable grounds to believe has happened; and

  (c)   the particular kind or kinds of information concerned; and

  (d)   recommendations about the steps that individuals should take in response to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

  (5)   A direction under subsection   (1) may also require the statement referred to in paragraph   (1)(a) to set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

  (6)   In deciding whether to give a direction to an entity under subsection   (1), the Commissioner must have regard to the following:

  (a)   any relevant advice given to the Commissioner by:

  (i)   an enforcement body; or

  (ii)   the Australian Signals Directorate;

  (b)   any relevant submission that was made by the entity:

  (i)   in response to an invitation under subsection   (3); and

  (ii)   within the period specified in the invitation;

  (c)   such other matters (if any) as the Commissioner considers relevant.

  (7)   Paragraph   (6)(a) does not limit the advice to which the Commissioner may have regard.

  (8)   If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection   (1) may also require the statement referred to in paragraph   (1)(a) to set out the identity and contact details of those other entities.

Method of providing a statement to an individual

  (9)   If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph   (2)(a) or (b) may use that method. This subsection does not limit paragraph   (2)(a) or (b).

Compliance with direction

  (10)   An entity must comply with a direction under subsection   (1) as soon as practicable after the direction is given.



AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback