Privacy Act 1988

PART IIIC - NOTIFICATION OF ELIGIBLE DATA BREACHES  

Division 5 - Dealing with personal information involved in eligible data breaches  

Subdivision A - Eligible data breach declaration  

SECTION 26X   ELIGIBLE DATA BREACH DECLARATION  

Minister may make eligible data breach declaration

26X(1)    
The Minister may, by writing, make a declaration under this subsection if:

(a)    there is an eligible data breach of an entity; and

(b)    the Minister is satisfied that making the declaration is:

(i) necessary or appropriate to prevent; or

(ii) necessary or appropriate to reduce;

a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.

Note:

A declaration under this subsection is relevant for the operation of section 26XB (authorisation of collection, use and disclosure of personal information) and related provisions.

Matters covered by declaration

26X(2)    
Without limiting subsection (1) , the declaration must specify the following matters:

(a)    the kind or kinds of personal information to which the declaration applies;

(b)    the entity or class of entities that may collect, use or disclose the personal information;

(c)    the entity or class of entities that the personal information may be disclosed to;

(d)    one or more permitted purposes of the collection, use or disclosure.

Specified entities

26X(3)    
An entity or class of entities specified for the purposes of paragraph (2)(c) :

(a)    may include a State or Territory authority; and

(b)    must not be or include a media organisation, the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation.

Specified permitted purposes

26X(4)    
A permitted purpose specified for the purposes of paragraph (2)(d) in relation to an eligible data breach must be a purpose that is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b) to one or more individuals at risk from the eligible data breach.

26X(5)    
Without limiting subsection (4) , any of the following things may be specified as a permitted purpose in relation to an eligible data breach, to the extent that it is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b) :

(a)    preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018 ), fraud, scam activity or identity theft;

(b)    responding to a cyber security incident, fraud, scam activity or identity theft;

(c)    responding to the consequences of a cyber security incident, fraud, scam activity, identity crime and misuse, financial loss, emotional and psychological harm, family violence and physical harm or intimidation;

(d)    addressing malicious cyber activity.

26X(6)    
Without limiting subsection 33(3A) of the Acts Interpretation Act 1901 , or any other provision of this Act, an eligible data breach declaration may provide differently for:

(a)    different kinds of personal information; and

(b)    different entities or classes of entities; and

(c)    different permitted purposes.

Conditions

26X(7)    
The declaration may specify a matter mentioned in subsection (2) subject to conditions.

Consultation

26X(8)    
Before the Minister makes a declaration under subsection (1) , the Minister may consult with any person or body, including the Commissioner and the Director-General of the Australian Signals Directorate.

26X(9)    
Despite subsection 29(1) of the Australian Information Commissioner Act 2010 and any provision of this Act, the Commissioner may disclose information to the Minister for the purposes of consultation under subsection (8) .

Declaration is a legislative instrument

26X(10)    
A declaration under subsection (1) is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the declaration.