NSWIn ForceAct
Privacy and Personal Information Protection Act 1998
59XExemption for compromised cyber security
Start here
Get a plain-English read of 59X
Turn the raw legal text into a practical explanation grounded in Privacy and Personal Information Protection Act 1998.
#### 59X Exemption for compromised cyber security
59X Exemption for compromised cyber security
> > (1) The head of a public sector agency may decide to exempt the agency from Division 3, Subdivision 3 for an eligible data breach if the head of the agency reasonably believes notification would—
> >
> > > (a) worsen the agency’s cyber security, or
> >
> > > (b) lead to further data breaches.
>
> > (2) The head of the agency must have regard to the guidelines, prepared by the Privacy Commissioner, in making a decision to exempt the agency under this section.
>
> > (3) The head of the agency must, by written notice given to the Privacy Commissioner, notify the Privacy Commissioner—
> >
> > > (a) that the exemption under this section is relied on, and
> >
> > > (b) when the exemption is expected to end, and
> >
> > > (c) of the way in which the agency will review the exemption.
>
> > (4) The head of the agency must—
> >
> > > (a) review the use of the exemption each month, and
> >
> > > (b) provide an update to the Privacy Commissioner on the review of the exemption.
>
> > (5) The exemption applies only for the period of time the head of the agency reasonably believes the notification would—
> >
> > > (a) worsen the agency’s cyber security, or
> >
> > > (b) lead to further data breaches.
>
> **s 59X:** Ins 2022 No 74, Sch 1\[11\].