Notifying the affected individuals

After providing a copy of the statement to the Privacy Commissioner, an entity is also required to notify individuals affected by the eligible data breach by one of the following options:

  • if practicable, by notifying each individual to whom the relevant information relates;
  • if practicable, by notifying each individual who is at risk from the eligible data breach; or
  • if neither of the above apply, by publishing a copy of the statement on the entity's website and taking reasonable steps to publicise the contents of the statement.

An entity can notify individuals by whichever communication method it normally uses with those particular individuals.