Commonwealth Consolidated Acts


PRIVACY ACT 1988 - SECT 94S

Breach of requirement may be treated as an eligible data breach

             (1)  For the purposes of this Act, if:

                     (a)  the data store administrator; or

                     (b)  an officer or employee of the data store administrator; or

                     (c)  a contracted service provider for a government contract with the data store administrator;

breaches a requirement of this Part in relation to COVID app data:

                     (d)  the breach is taken to be an eligible data breach by the data store administrator; and

                     (e)  an individual to whom the data relates is taken to be at risk from the eligible data breach.

             (2)  For the purposes of this Act, if:

                     (a)  a State or Territory health authority; or

                     (b)  person employed by, or in the service of, the State or Territory health authority;

breaches a requirement of this Part in relation to COVID app data:

                     (c)  the breach is taken to be an eligible data breach by the State or Territory health authority; and

                     (d)  an individual to whom the data relates is taken to be at risk from the eligible data breach.

             (3)  Part IIIC applies in relation to such a breach as if:

                     (a)  subsection 26WE(3) and sections 26WF, 26WH and 26WJ did not apply in relation to the breach; and

                     (b)  Subdivision B of Division 3 of that Part:

                              (i)  required the data store administrator, or State or Territory health authority, to notify the Commissioner that there were reasonable grounds to believe that there had been an eligible data breach; and

                             (ii)  only required compliance with sections 26WK and 26WL in relation to the breach if the Commissioner required the administrator or authority so to comply; and

                     (c)  sections 26WN, 26WP, 26WQ, 26WS and 26WT did not apply in relation to the breach.

             (4)  Without limiting the circumstances in which the Commissioner may, under subparagraph (3)(b)(ii), require the administrator or authority so to comply, the Commissioner must so require if:

                     (a)  the Commissioner is satisfied that the breach may be likely to result in serious harm to any of the individuals to whom the information relates; and

                     (b)  subsection (5) does not apply.

             (5)  The Commissioner may decide not to require compliance, or to allow an extended period for compliance, if the Commissioner is satisfied on reasonable grounds that requiring compliance, or requiring compliance within the ordinary period for compliance, would not be reasonable in the circumstances, having regard to the following:

                     (a)  the public interest;

                     (b)  any relevant advice given to the Commissioner by:

                              (i)  an enforcement body; or

                             (ii)  the Australian Signals Directorate;

                     (c)  such other matters (if any) as the Commissioner considers relevant.

             (6)  Paragraph (5)(b) does not limit the advice to which the Commissioner may have regard.


