QLD | In Force | Act
Information Privacy Act 2009
### sec.53 Agencies must notify particular individuals
(1) The agency must, as soon as practicable after the belief mentioned in section 50 is formed—

- (a) if it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in subsection (2); or
- (b) if paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or
- (c) if paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.

(2) A notification under subsection (1) must, to the extent it is reasonably practicable, include the following information—

- (a) the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;
- (b) the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;
- (c) the date the data breach occurred;
- (d) a description of the data breach, including the type of eligible data breach under section 47;
- (e) information about how the data breach occurred;
- (f) for a notification under subsection (1)(a) or (b)—
  - (i) a description of the personal information the subject of the data breach; and
  - (ii) the agency’s recommendations about the steps the individual should take in response to the data breach;
- (g) for a notification under subsection (1)(c)—
  - (i) a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and
  - (ii) the agency’s recommendations about the steps individuals should take in response to the data breach;
- (h) if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;
- (i) the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;
- (j) information about how an individual may make a privacy complaint to the agency under section 166A.

(3) The agency must, as soon as practicable after a notice is published under subsection (1)(c), provide the information commissioner with information about how to access the notice.

(4) The information commissioner must, after receiving the information under subsection (3), publish on the commissioner’s website information about how to access the notice for a period of at least 12 months.

s 53 amd 2017 No. 17 s 119
sub 2023 No. 32 s 33