QLD | In Force | Act
Information Privacy Act 2009
### sec.47 Meaning of eligible data breach
(1) An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if—

- (a) both of the following apply—
  - (i) the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;
  - (ii) the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or
- (b) the data breach involves the personal information being lost in circumstances where—
  - (i) unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and
  - (ii) if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).

(2) For subsection (1)(a)(ii) and (b)(ii), the matters are—

- (a) the kind of personal information accessed, disclosed or lost; and
- (b) the sensitivity of the personal information; and
- (c) whether the personal information is protected by 1 or more security measures; and
- (d) if the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and
- (e) the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and
- (f) the nature of the harm likely to result from the data breach; and
- (g) any other relevant matter.

s 47 sub 2023 No. 32 s 33