Scope
(1) This section applies if:
(a) an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; and
(b) the entity has prepared a statement that:
(i) complies with subsection 26WK(3); and
(ii) relates to the eligible data breach that the entity has reasonable grounds to believe has happened.
Notification
(2) The entity must:
(a) if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
(b) if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach--take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
(c) if neither paragraph (a) nor (b) applies:
(i) publish a copy of the statement on the entity's website (if any); and
(ii) take reasonable steps to publicise the contents of the statement.
Note: See also subsections 26WF(2) and (5), which deal with remedial action.
(3) The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.
Method of providing a statement to an individual
(4) If the entity normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).