Queensland legislation (in force)
Information Privacy Act 2009
sec.48 Obligations of agencies in relation to data breaches
### sec.48 Obligations of agencies in relation to data breaches

(1) This section applies in relation to a data breach of an agency if the agency knows, or reasonably suspects, that the data breach is an eligible data breach of the agency.

(2) The agency must—
- (a) immediately, and continue to, take all reasonable steps to—
  - (i) contain the data breach; and
  - (ii) mitigate the harm caused by the data breach; and
- (b) if the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.

(3) An assessment under subsection (2)(b) must be completed within—
- (a) 30 days after the suspicion mentioned in subsection (1) was formed; or
- (b) if the period mentioned in paragraph (a) is extended under section 49—the extended period.

(4) If, at any time, the agency becomes aware the data breach may affect another agency, the agency must give a written notice to the other agency of the data breach that includes—
- (a) a description of the data breach; and
- (b) a description of the kind of personal information the subject of the data breach, without including any personal information in the description.

(5) The agency need not comply with subsections (2)(b) and (3) in relation to the data breach if—
- (a) all of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and
- (b) at least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.
Amendment history: s 48 sub 2023 No. 32 s 33