•       This Part sets up a scheme for notification of eligible data breaches.

•       An eligible data breach happens if:

       (a)     there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and

      (b)     the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

•       An entity must give a notification if:

       (a)     it has reasonable grounds to believe that an eligible data breach has happened; or

      (b)     it is directed to do so by the Commissioner.

•       The Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches.