Identifying when notification is required

Notification to both the Privacy Commissioner and affected individuals will be required when an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.

However, notification is not required, or only required in a limited manner, even if an entity has experienced an eligible data breach where:

  • the eligible data breach is an eligible data breach of another entity who has already fulfilled notification obligations under this regime;
  • notification would be inconsistent with a secrecy provision;
  • the Privacy Commissioner has given a declaration that no notification is required in regard to the eligible data breach; or
  • notification would be likely to prejudice enforcement-related activities.