NSWIn ForceAct
Privacy and Personal Information Protection Act 1998
59HAssessment of data breach—factors for consideration
Start here
Get a plain-English read of 59H
Turn the raw legal text into a practical explanation grounded in Privacy and Personal Information Protection Act 1998.
#### 59H Assessment of data breach—factors for consideration
59H Assessment of data breach—factors for consideration
> Without limiting the factors that may be considered by the assessor carrying out the assessment, the assessor may consider the following—
>
> > (a) the types of personal information involved in the breach,
>
> > (b) the sensitivity of the personal information involved in the breach,
>
> > (c) whether the personal information is or was protected by security measures,
>
> > (d) the persons to whom the unauthorised access to, or unauthorised disclosure of, the personal information involved in the breach was, or could be, made or given,
>
> > (e) the likelihood the persons specified in paragraph (d)—
> >
> > > (i) have or had the intention of causing harm, or
> >
> > > (ii) could or did circumvent security measures protecting the information,
>
> > (f) the nature of the harm that has occurred or may occur,
>
> > (g) other matters specified in guidelines issued by the Privacy Commissioner about whether the disclosure is likely to result in serious harm to an individual to whom the personal information relates.
>
> **s 59H:** Ins 2009 No 54, Sch 1 \[1\] (transferred from the Freedom of Information Act 1989 No 5). Renumbered and am 2009 No 54, Sch 1 \[1\]–\[11\]). Rep 2010 No 71, Sch 1 \[10\]. Ins 2022 No 74, Sch 1\[11\].