sec.61Information commissioner may direct agency to give statement and make recommendations

### sec.61 Information commissioner may direct agency to give statement and make recommendations This section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency. The information commissioner may, after complying with subsections (5) and (6) , direct the agency by written notice to prepare and give to the commissioner a statement providing the following information— the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency; a description of the data breach, including the kind of personal information involved in the data breach; recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach; any other information related to the data breach requested by the commissioner. The agency must comply with the direction. If a direction is given under subsection (2) , the information commissioner may also, after complying with subsections (5) and (6) , recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach. Before giving a direction under subsection (2) or making a recommendation under subsection (4) , the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach. Without limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4) , the information commissioner must have regard to the following— any advice given to the information commissioner by a law enforcement agency; any submission made by the agency under subsection (5) . s 61 sub 2023 No. 32 s 33 (sec.61-ssec.1) This section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency. (sec.61-ssec.2) The information commissioner may, after complying with subsections (5) and (6) , direct the agency by written notice to prepare and give to the commissioner a statement providing the following information— the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency; a description of the data breach, including the kind of personal information involved in the data breach; recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach; any other information related to the data breach requested by the commissioner. (sec.61-ssec.3) The agency must comply with the direction. (sec.61-ssec.4) If a direction is given under subsection (2) , the information commissioner may also, after complying with subsections (5) and (6) , recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach. (sec.61-ssec.5) Before giving a direction under subsection (2) or making a recommendation under subsection (4) , the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach. (sec.61-ssec.6) Without limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4) , the information commissioner must have regard to the following— any advice given to the information commissioner by a law enforcement agency; any submission made by the agency under subsection (5) . - (a) the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency; - (b) a description of the data breach, including the kind of personal information involved in the data breach; - (c) recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach; - (d) any other information related to the data breach requested by the commissioner. - (a) any advice given to the information commissioner by a law enforcement agency; - (b) any submission made by the agency under subsection (5) .