Privacy Act 1988

PART IIIC - NOTIFICATION OF ELIGIBLE DATA BREACHES  

Division 2 - Eligible data breach  

SECTION 26WG  

26WG   WHETHER ACCESS OR DISCLOSURE WOULD BE LIKELY, OR WOULD NOT BE LIKELY, TO RESULT IN SERIOUS HARM - RELEVANT MATTERS  

For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:

(a) would be likely; or

(b) would not be likely;

to result in serious harm to any of the individuals to whom the information relates, have regard to the following:

(c) the kind or kinds of information;

(d) the sensitivity of the information;

(e) whether the information is protected by one or more security measures;

(f) if the information is protected by one or more security measures - the likelihood that any of those security measures could be overcome;

(g) the persons, or the kinds of persons, who have obtained, or who could obtain, the information;

(h) if a security technology or methodology:

(i) was used in relation to the information; and

(ii) was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;

the likelihood that the persons, or the kinds of persons, who:

(iii) have obtained, or who could obtain, the information; and

(iv) have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;

have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;

(i) the nature of the harm;

(j) any other relevant matters.

Note:

If the security technology or methodology mentioned in paragraph (h) is encryption, an encryption key is an example of information required to circumvent the security technology or methodology.