Privacy Act 1988
PART IIIC
-
NOTIFICATION OF ELIGIBLE DATA BREACHES
Division 2
-
Eligible data breach
SECTION 26WE
ELIGIBLE DATA BREACH
Scope
26WE(1)
This section applies if:
(a) both:
(b) both:
(c) both:
(d) both:
Eligible data breach
26WE(2)
For the purposes of this Act, if:
(a) both of the following conditions are satisfied:
(b) the information is lost in circumstances where:
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.
26WE(3)
Subsection (2) has effect subject to section 26WF .
View history note
Hide history noteScope
26WE(1)
This section applies if:
(a) both:
(i) an APP entity holds personal information relating to one or more individuals; and
(ii) the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; or
(b) both:
(i) a credit reporting body holds credit reporting information relating to one or more individuals; and
(ii) the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; or
(c) both:
(i) a credit provider holds credit eligibility information relating to one or more individuals; and
(ii) the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; or
(d) both:
(i) a file number recipient holds tax file number information relating to one or more individuals; and
(ii) the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information.
Eligible data breach
26WE(2)
For the purposes of this Act, if:
(a) both of the following conditions are satisfied:
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
[ CCH Note: No 12 of 2017, s 3 and Sch 1 item 6(1) provides that para (a) is applicable to an access or disclosure that happens after the commencement of this item.]
(b) the information is lost in circumstances where:
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
[ CCH Note: No 12 of 2017, s 3 and Sch 1 item 6(2) provides that para (b) is applicable to a loss that happens after the commencement of this item.]
then:
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.
26WE(3)
Subsection (2) has effect subject to section 26WF .
This information is provided by CCH Australia Limited Link opens in new window. View the disclaimer and notice of copyright.