Receiving a direction to notify from the Privacy Commissioner

If the Privacy Commissioner is aware that there are reasonable grounds to believe an entity has experienced an eligible data breach, the Privacy Commissioner may direct the entity to prepare a notification statement. An entity must comply with this direction as soon as practicable.

However, the Privacy Commissioner must first invite the entity to make a submission in relation to the direction. The Privacy Commissioner will consider the contents of this submission, along with other relevant advice given by third parties and any other such relevant matters, before deciding whether to give a direction to notify.

The notification statement required to be produced under the direction will need to be provided to the Privacy Commissioner and affected individuals.

The Privacy Commissioner’s decision to give a direction may be reviewed by application to the Administrative Appeals Tribunal.