QLD | In Force | Act
Information Privacy Act 2009
### sec.57 Exemption—agency has taken remedial action
(1) This section applies in relation to an eligible data breach of an agency if—
- (a) for a data breach involving unauthorised access to, or disclosure of, personal information—
  - (i) the agency takes action to mitigate the harm caused by the data breach; and
  - (ii) the action is taken before the access or disclosure results in serious harm to any individual; and
  - (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or
- (b) for a data breach involving the loss of personal information—
  - (i) the agency takes action to mitigate the loss; and
  - (ii) the action is taken before there is unauthorised access to, or disclosure of, the personal information; and
  - (iii) as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or
- (c) for a data breach involving the loss of personal information—
  - (i) the agency takes action to mitigate the loss; and
  - (ii) the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and
  - (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.

(2) The agency need not comply with section 53 in relation to the eligible data breach.
s 57 sub 2023 No. 32 s 33