Compiled and provided by LawPlayer · Singapore statutory provision · curated by LawPlayer

§ 26D — Duty to notify occurrence of notifiable data breach

26D.—(1) Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.[40/2020]

(2) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances.[40/2020]

(3) The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose.[40/2020]

(4) The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission.[40/2020]

(5) Subsection (2) does not apply to an organisation in relation to an affected individual if the organisation —

(a) on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or

(b) had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.[40/2020]

(6) An organisation must not notify any affected individual in accordance with subsection (2) if —

(a) a prescribed law enforcement agency so instructs; or

(b) the Commission so directs.[40/2020]

(7) The Commission may, on the written application of an organisation, waive the requirement to notify an affected individual under subsection (2) subject to any conditions that the Commission thinks fit.[40/2020]

(8) An organisation is not, by reason only of notifying the Commission under subsection (1) or an affected individual under subsection (2), to be regarded as being in breach of —

(a) any duty or obligation under any written law or rule of law, or any contract, as to secrecy or other restriction on the disclosure of information; or

(b) any rule of professional conduct applicable to the organisation.[40/2020]

(9) Subsections (1) and (2) apply concurrently with any obligation of the organisation under any other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach.[40/2020]

Source of this page: Singapore Statutes Online (AGC) · Compiled and provided by LawPlayer · lawplayer.com