NSW | In Force | Act
Privacy and Personal Information Protection Act 1998
#### 59Y Privacy Commissioner may make directions and recommendations
> > (1) This section applies if there are reasonable grounds for the Privacy Commissioner to believe there has been an eligible data breach of a public sector agency (a suspected breach).
>
> > (2) The Privacy Commissioner may, by written notice given to the head of the public sector agency, direct the head of the agency to—
> >
> > > (a) prepare a statement that includes the following—
> > >
> > > > (i) the name and contact details of the agency,
> > >
> > > > (ii) a description of the suspected breach,
> > >
> > > > (iii) the kind of information involved in the suspected breach,
> > >
> > > > (iv) recommendations about the steps a notifiable individual should take in response to the breach,
> > >
> > > > (v) information, specified by the Privacy Commissioner, that relates to the suspected breach, and
> >
> > > (b) give a copy of the statement to the Privacy Commissioner.
>
> > (3) The Privacy Commissioner may recommend the head of the public sector agency notify notifiable individuals under section 59N(1), or publish a notification under section 59N(2), as if the suspected breach were an eligible data breach.
> >
> > Note—
> >
> > See section 59R in relation to the collection, use and disclosure of information by public sector agencies for the purpose of confirming particular details of a notifiable individual.
>
> > (4) Before making a direction or recommendation, the Privacy Commissioner must invite the head of the agency to make a submission to the Privacy Commissioner within a specified period.
>
> > (5) In deciding whether to make a direction or recommendation, the Privacy Commissioner must have regard to the following—
> >
> > > (a) advice, if any, given to the Privacy Commissioner by a law enforcement agency,
> >
> > > (b) a submission, if any, made by the head of the agency within the period specified by the Privacy Commissioner in response to the invitation under subsection (4),
> >
> > > (c) other matters the Privacy Commissioner considers relevant.
>
> > (6) Subsection (5)(a) does not limit the advice to which the Privacy Commissioner may have regard.
>
> > (7) If the Privacy Commissioner is aware there are reasonable grounds to believe the access, disclosure or loss that constituted the suspected breach involved 1 or more other public sector agencies, a direction may also require the statement specified in subsection (2)(a) to include the name and contact details of the other agencies.
>
> > (8) In this section—
> >
> > notifiable individual means a person who, if the suspected breach were an eligible data breach—
> >
> > > (a) would be notified under section 59N(1), or
> >
> > > (b) may be notified by operation of section 59N(2).
>
> **s 59Y:** Ins 2022 No 74, Sch 1\[11\].