[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
2013-2014
The Parliament of the
Commonwealth of Australia
THE SENATE
Presented and read a first time
Privacy Amendment (Privacy Alerts) Bill
2014
No. , 2014
(Senator Singh)
A Bill for an Act to amend the Privacy Act 1988,
and for related purposes
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
i
Contents
1
Short title ........................................................................................... 1
2
Commencement ................................................................................. 1
3
Schedule(s) ........................................................................................ 2
Schedule 1--Amendments
3
Privacy Act 1988
3
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
1
A Bill for an Act to amend the Privacy Act 1988,
1
and for related purposes
2
The Parliament of Australia enacts:
3
1 Short title
4
This Act may be cited as the Privacy Amendment (Privacy Alerts)
5
Act 2014.
6
2 Commencement
7
(1) Each provision of this Act specified in column 1 of the table
8
commences, or is taken to have commenced, in accordance with
9
column 2 of the table. Any other statement in column 2 has effect
10
according to its terms.
11
12
2
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
Commencement information
Column 1
Column 2
Column 3
Provision(s)
Commencement
Date/Details
1. Sections 1 to 3
and anything in
this Act not
elsewhere covered
by this table
The day this Act receives the Royal Assent.
2. Schedule 1
A single day to be fixed by Proclamation.
However, if the provision(s) do not
commence within the period of 6 months
beginning on the day this Act receives the
Royal Assent, they commence on the day
after the end of that period.
Note:
This table relates only to the provisions of this Act as originally
1
enacted. It will not be amended to deal with any later amendments of
2
this Act.
3
(2) Any information in column 3 of the table is not part of this Act.
4
Information may be inserted in this column, or information in it
5
may be edited, in any published version of this Act.
6
3 Schedule(s)
7
Each Act that is specified in a Schedule to this Act is amended or
8
repealed as set out in the applicable items in the Schedule
9
concerned, and any other item in a Schedule to this Act has effect
10
according to its terms.
11
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
3
Schedule 1
--Amendments
1
2
Privacy Act 1988
3
1 Subsection 6(1)
4
Insert:
5
serious data breach has the meaning given by section 26X, 26Y,
6
26Z or 26ZA.
7
2 Subsection 6(1)
8
Insert:
9
significantly affected, in relation to an individual and in relation to
10
a serious data breach, has the meaning given by section 26X, 26Y,
11
26Z or 26ZA.
12
3 After subsection 13(4)
13
Insert:
14
Data breach notification
15
(4A) If an entity (within the meaning of Part IIIC) contravenes
16
section 26ZB or 26ZC, the contravention is taken to be an act that
17
is an interference with the privacy of an individual.
18
4 After Part IIIB
19
Insert:
20
Part IIIC--Data breach notification
21
Division 1--Serious data breach
22
26X Serious data breach--APP entities
23
Unauthorised access or disclosure of personal information
24
(1) For the purposes of this Act, if:
25
Schedule 1 Amendments
4
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
(a) an APP entity holds personal information relating to one or
1
more individuals; and
2
(b) the APP entity is required under section 15 not to do an act,
3
or engage in a practice, that breaches Australian Privacy
4
Principle 11.1 in relation to the personal information; and
5
(c) there is unauthorised access to, or unauthorised disclosure of,
6
the personal information; and
7
(d) either:
8
(i) the access or disclosure will result in a real risk of
9
serious harm to any of the individuals to whom the
10
personal information relates; or
11
(ii) any of the personal information is of a kind specified in
12
the regulations;
13
then:
14
(e) the access or disclosure is a serious data breach of the APP
15
entity in relation to the personal information; and
16
(f) if subparagraph (d)(i) applies--an individual is significantly
17
affected by the serious data breach if, and only if, the
18
individual is an individual to whom the risk mentioned in that
19
subparagraph relates; and
20
(g) if subparagraph (d)(ii) applies--an individual is significantly
21
affected by the serious data breach if, and only if, the
22
individual is:
23
(i) an individual to whom the personal information relates;
24
and
25
(ii) an individual who, under the regulations, is taken to be
26
significantly affected by the serious data breach.
27
Note 1:
For harm, see section 26ZE.
28
Note 2:
For real risk, see section 26ZF.
29
Loss of personal information
30
(2) For the purposes of this Act, if:
31
(a) an APP entity holds personal information relating to one or
32
more individuals; and
33
(b) the APP entity is required under section 15 not to do an act,
34
or engage in a practice, that breaches Australian Privacy
35
Principle 11.1 in relation to the personal information; and
36
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
5
(c) the personal information is lost in circumstances where
1
unauthorised access to, or unauthorised disclosure of, the
2
personal information may occur; and
3
(d) either:
4
(i) assuming that unauthorised access to, or unauthorised
5
disclosure of, the personal information were to occur,
6
the access or disclosure will result in a real risk of
7
serious harm to any of the individuals to whom the
8
personal information relates; or
9
(ii) any of the personal information is of a kind specified in
10
the regulations;
11
then:
12
(e) the loss is a serious data breach of the APP entity in relation
13
to the personal information; and
14
(f) if subparagraph (d)(i) applies--an individual is significantly
15
affected by the serious data breach if, and only if, the
16
individual is an individual to whom the risk mentioned in that
17
subparagraph relates; and
18
(g) if subparagraph (d)(ii) applies--an individual is significantly
19
affected by the serious data breach if, and only if, the
20
individual is:
21
(i) an individual to whom the personal information relates;
22
and
23
(ii) an individual who, under the regulations, is taken to be
24
significantly affected by the serious data breach.
25
Note 1:
For harm, see section 26ZE.
26
Note 2:
For real risk, see section 26ZF.
27
Overseas recipients
28
(3) If:
29
(a) an APP entity has disclosed personal information about one
30
or more individuals to an overseas recipient; and
31
(b) Australian Privacy Principle 8.1 applied to the disclosure of
32
the personal information; and
33
(c) the overseas recipient holds the personal information;
34
this section has effect as if:
35
(d) the personal information were held by the APP entity; and
36
Schedule 1 Amendments
6
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
(e) the APP entity were required under section 15 not to do an
1
act, or engage in a practice, that breaches Australian Privacy
2
Principle 11.1 in relation to the personal information.
3
26Y Serious data breach--credit reporting bodies
4
Unauthorised access or disclosure of credit reporting information
5
(1) For the purposes of this Act, if:
6
(a) a credit reporting body holds credit reporting information
7
relating to one or more individuals; and
8
(b) the credit reporting body is required to comply with
9
section 20Q in relation to the credit reporting information;
10
and
11
(c) there is unauthorised access to, or unauthorised disclosure of,
12
the credit reporting information; and
13
(d) either:
14
(i) the access or disclosure will result in a real risk of
15
serious harm to any of the individuals to whom the
16
credit reporting information relates; or
17
(ii) any of the credit reporting information is of a kind
18
specified in the regulations;
19
then:
20
(e) the access or disclosure is a serious data breach of the credit
21
reporting body in relation to the credit reporting information;
22
and
23
(f) if subparagraph (d)(i) applies--an individual is significantly
24
affected by the serious data breach if, and only if, the
25
individual is an individual to whom the risk mentioned in that
26
subparagraph relates; and
27
(g) if subparagraph (d)(ii) applies--an individual is significantly
28
affected by the serious data breach if, and only if, the
29
individual is:
30
(i) an individual to whom the credit reporting information
31
relates; and
32
(ii) an individual who, under the regulations, is taken to be
33
significantly affected by the serious data breach.
34
Note 1:
For harm, see section 26ZE.
35
Note 2:
For real risk, see section 26ZF.
36
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
7
Loss of credit reporting information
1
(2) For the purposes of this Act, if:
2
(a) a credit reporting body holds credit reporting information
3
relating to one or more individuals; and
4
(b) the credit reporting body is required to comply with
5
section 20Q in relation to the credit reporting information;
6
and
7
(c) the credit reporting information is lost in circumstances
8
where unauthorised access to, or unauthorised disclosure of,
9
the credit reporting information may occur; and
10
(d) either:
11
(i) assuming that unauthorised access to, or unauthorised
12
disclosure of, the credit reporting information were to
13
occur, the access or disclosure will result in a real risk
14
of serious harm to any of the individuals to whom the
15
credit reporting information relates; or
16
(ii) any of the credit reporting information is of a kind
17
specified in the regulations;
18
then:
19
(e) the loss is a serious data breach of the credit reporting body
20
in relation to the credit reporting information; and
21
(f) if subparagraph (d)(i) applies--an individual is significantly
22
affected by the serious data breach if, and only if, the
23
individual is an individual to whom the risk mentioned in that
24
subparagraph relates; and
25
(g) if subparagraph (d)(ii) applies--an individual is significantly
26
affected by the serious data breach if, and only if, the
27
individual is:
28
(i) an individual to whom the credit reporting information
29
relates; and
30
(ii) an individual who, under the regulations, is taken to be
31
significantly affected by the serious data breach.
32
Note 1:
For harm, see section 26ZE.
33
Note 2:
For real risk, see section 26ZF.
34
Schedule 1 Amendments
8
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
26Z Serious data breach--credit providers
1
Unauthorised access or disclosure of credit eligibility information
2
(1) For the purposes of this Act, if:
3
(a) a credit provider holds credit eligibility information relating
4
to one or more individuals; and
5
(b) the credit provider is required to comply with
6
subsection 21S(1) in relation to the credit eligibility
7
information; and
8
(c) there is unauthorised access to, or unauthorised disclosure of,
9
the credit eligibility information; and
10
(d) either:
11
(i) the access or disclosure will result in a real risk of
12
serious harm to any of the individuals to whom the
13
credit eligibility information relates; or
14
(ii) any of the credit eligibility information is of a kind
15
specified in the regulations;
16
then:
17
(e) the access or disclosure is a serious data breach of the credit
18
provider in relation to the credit eligibility information; and
19
(f) if subparagraph (d)(i) applies--an individual is significantly
20
affected by the serious data breach if, and only if, the
21
individual is an individual to whom the risk mentioned in that
22
subparagraph relates; and
23
(g) if subparagraph (d)(ii) applies--an individual is significantly
24
affected by the serious data breach if, and only if, the
25
individual is:
26
(i) an individual to whom the credit eligibility information
27
relates; and
28
(ii) an individual who, under the regulations, is taken to be
29
significantly affected by the serious data breach.
30
Note 1:
For harm, see section 26ZE.
31
Note 2:
For real risk, see section 26ZF.
32
Loss of credit eligibility information
33
(2) For the purposes of this Act, if:
34
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
9
(a) a credit provider holds credit eligibility information relating
1
to one or more individuals; and
2
(b) the credit provider is required to comply with
3
subsection 21S(1) in relation to the credit eligibility
4
information; and
5
(c) the credit eligibility information is lost in circumstances
6
where unauthorised access to, or unauthorised disclosure of,
7
the credit eligibility information may occur; and
8
(d) either:
9
(i) assuming that unauthorised access to, or unauthorised
10
disclosure of, the credit eligibility information were to
11
occur, the access or disclosure will result in a real risk
12
of serious harm to any of the individuals to whom the
13
credit eligibility information relates; or
14
(ii) any of the credit eligibility information is of a kind
15
specified in the regulations;
16
then:
17
(e) the loss is a serious data breach of the credit provider in
18
relation to the credit eligibility information; and
19
(f) if subparagraph (d)(i) applies--an individual is significantly
20
affected by the serious data breach if, and only if, the
21
individual is an individual to whom the risk mentioned in that
22
subparagraph relates; and
23
(g) if subparagraph (d)(ii) applies--an individual is significantly
24
affected by the serious data breach if, and only if, the
25
individual is:
26
(i) an individual to whom the credit eligibility information
27
relates; and
28
(ii) an individual who, under the regulations, is taken to be
29
significantly affected by the serious data breach.
30
Note 1:
For harm, see section 26ZE.
31
Note 2:
For real risk, see section 26ZF.
32
Bodies or persons with no Australian link
33
(3) If:
34
(a) either:
35
(i) a credit provider has disclosed, under
36
paragraph 21G(3)(b) or (c), credit eligibility information
37
Schedule 1 Amendments
10
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
about one or more individuals to a related body
1
corporate, or person, that does not have an Australian
2
link; or
3
(ii) a credit provider has disclosed, under
4
subsection 21M(1), credit eligibility information about
5
one or more individuals to a body or person that does
6
not have an Australian link; and
7
(b) the related body corporate, body or person holds the credit
8
eligibility information;
9
this section has effect as if:
10
(c) the credit eligibility information were held by the credit
11
provider; and
12
(d) the credit provider were required to comply with
13
subsection 21S(1) in relation to the credit eligibility
14
information.
15
Note:
See section 21NA.
16
26ZA Serious data breach--file number recipients
17
Unauthorised access or disclosure of tax file number information
18
(1) For the purposes of this Act, if:
19
(a) a file number recipient holds tax file number information
20
relating to one or more individuals; and
21
(b) the file number recipient is required under section 18 not to
22
do an act, or engage in a practice, that breaches a section 17
23
rule that relates to the tax file number information; and
24
(c) there is unauthorised access to, or unauthorised disclosure of,
25
the tax file number information; and
26
(d) either:
27
(i) the access or disclosure will result in a real risk of
28
serious harm to any of the individuals to whom the tax
29
file number information relates; or
30
(ii) any of the tax file number information is of a kind
31
specified in the regulations;
32
then:
33
(e) the access or disclosure is a serious data breach of the file
34
number recipient in relation to the tax file number
35
information; and
36
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
11
(f) if subparagraph (d)(i) applies--an individual is significantly
1
affected by the serious data breach if, and only if, the
2
individual is an individual to whom the risk mentioned in that
3
subparagraph relates; and
4
(g) if subparagraph (d)(ii) applies--an individual is significantly
5
affected by the serious data breach if, and only if, the
6
individual is:
7
(i) an individual to whom the tax file number information
8
relates; and
9
(ii) an individual who, under the regulations, is taken to be
10
significantly affected by the serious data breach.
11
Note 1:
For harm, see section 26ZE.
12
Note 2:
For real risk, see section 26ZF.
13
Loss of tax file number information
14
(2) For the purposes of this Act, if:
15
(a) a file number recipient holds tax file number information
16
relating to one or more individuals; and
17
(b) the file number recipient is required under section 18 not to
18
do an act, or engage in a practice, that breaches a section 17
19
rule that relates to the tax file number information; and
20
(c) the tax file number information is lost in circumstances
21
where unauthorised access to, or unauthorised disclosure of,
22
the tax file number information may occur; and
23
(d) either:
24
(i) assuming that unauthorised access to, or unauthorised
25
disclosure of, the tax file number information were to
26
occur, the access or disclosure will result in a real risk
27
of serious harm to any of the individuals to whom the
28
tax file number information relates; or
29
(ii) any of the tax file number information is of a kind
30
specified in the regulations;
31
then:
32
(e) the loss is a serious data breach of the file number recipient
33
in relation to the tax file number information; and
34
(f) if subparagraph (d)(i) applies--an individual is significantly
35
affected by the serious data breach if, and only if, the
36
Schedule 1 Amendments
12
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
individual is an individual to whom the risk mentioned in that
1
subparagraph relates; and
2
(g) if subparagraph (d)(ii) applies--an individual is significantly
3
affected by the serious data breach if, and only if, the
4
individual is:
5
(i) an individual to whom the tax file number information
6
relates; and
7
(ii) an individual who, under the regulations, is taken to be
8
significantly affected by the serious data breach.
9
Note 1:
For harm, see section 26ZE.
10
Note 2:
For real risk, see section 26ZF.
11
Division 2--Notifying serious data breaches
12
26ZB Entity must notify serious data breach
13
(1) If an entity believes on reasonable grounds that there has been a
14
serious data breach of the entity in relation to:
15
(a) personal information; or
16
(b) credit reporting information; or
17
(c) credit eligibility information; or
18
(d) tax file number information;
19
the entity must, as soon as practicable after forming that belief:
20
(e) prepare a statement that complies with subsection (2); and
21
(f) give a copy of the statement to the Commissioner; and
22
(g) if the general publication conditions are not satisfied--take
23
such steps as are reasonable in the circumstances to notify the
24
contents of the statement to each of the individuals
25
significantly affected by the serious data breach that the
26
entity believes has happened; and
27
(h) if the general publication conditions are satisfied:
28
(i) publish a copy of the statement on the entity's website
29
(if any); and
30
(ii) cause a copy of the statement to be published in each
31
State by being published in at least one newspaper
32
circulating generally in that State.
33
Note:
For general publication conditions, see subsection (12).
34
(2) The statement referred to in paragraph (1)(e) must set out:
35
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
13
(a) the identity and contact details of the entity; and
1
(b) a description of the serious data breach that the entity
2
believes has happened; and
3
(c) the kinds of information concerned; and
4
(d) recommendations about the steps that individuals should take
5
in response to the serious data breach that the entity believes
6
has happened; and
7
(e) such other information (if any) as specified in the regulations.
8
Method of providing the statement to an individual
9
(3) If the entity normally communicates with an individual using a
10
particular method, the notification to the individual under
11
paragraph (1)(g) may use that method. This subsection does not
12
limit paragraph (1)(g).
13
Exception--enforcement related activities
14
(4) Paragraphs (1)(g) and (h) do not apply if:
15
(a) the entity is an enforcement body; and
16
(b) the enforcement body believes on reasonable grounds that
17
compliance with those paragraphs would be likely to
18
prejudice one or more enforcement related activities
19
conducted by, or on behalf of, the enforcement body.
20
Exception--Commissioner's notice
21
(5) The Commissioner may, by written notice given to an entity,
22
exempt the entity from subsection (1) in such circumstances as are
23
specified in the notice.
24
(6) The Commissioner must not give a notice under subsection (5)
25
unless the Commissioner is satisfied that it is in the public interest
26
to do so.
27
(7) The Commissioner may give a notice under subsection (5) to an
28
entity:
29
(a) on the Commissioner's own initiative; or
30
(b) on application made to the Commissioner by the entity.
31
(8) If:
32
Schedule 1 Amendments
14
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
(a) an entity applies to the Commissioner under
1
paragraph (7)(b); and
2
(b) the Commissioner decides to refuse the application;
3
the Commissioner must give written notice of the refusal to the
4
entity.
5
(9) If:
6
(a) an entity forms a belief about a serious data breach as
7
mentioned in subsection (1); and
8
(b) as soon as practicable after forming that belief, the entity
9
applies to the Commissioner for a notice under subsection (5)
10
in relation to the serious data breach;
11
then:
12
(c) subsection (1) does not apply to the entity in relation to the
13
serious data breach during the period:
14
(i) beginning when the entity formed the belief; and
15
(ii) ending when the Commissioner makes a decision in
16
relation to the application for the notice; and
17
(d) if the Commissioner makes a decision to refuse to give the
18
notice--subsection (1) has effect as if the entity had formed
19
the belief when the Commissioner made the decision.
20
Exception--inconsistency with secrecy provisions
21
(10) If compliance by an entity with paragraph (1)(f), (g) or (h) would,
22
to any extent, be inconsistent with a provision of a law of the
23
Commonwealth (other than a provision of this Act) that prohibits
24
or regulates the use or disclosure of information, subsection (1)
25
does not apply to the entity to the extent of the inconsistency.
26
Exception--data breach notified under the Personally Controlled
27
Electronic Health Records Act 2012
28
(11) Subsection (1) does not apply to a serious data breach if the breach
29
has been notified under section 75 of the Personally Controlled
30
Electronic Health Records Act 2012.
31
General publication conditions
32
(12) The regulations may declare that one or more specified conditions
33
are general publication conditions for the purposes of this section.
34
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
15
26ZC Commissioner may direct entity to notify serious data breach
1
(1) If the Commissioner believes on reasonable grounds that there has
2
been a serious data breach of an entity in relation to:
3
(a) personal information; or
4
(b) credit reporting information; or
5
(c) credit eligibility information; or
6
(d) tax file number information;
7
the Commissioner may, by written notice given to the entity, direct
8
the entity to:
9
(e) prepare a statement that complies with subsection (2); and
10
(f) give a copy of the statement to the Commissioner; and
11
(g) if the general publication conditions are not satisfied--take
12
such steps as are reasonable in the circumstances to notify the
13
contents of the statement to each of the individuals
14
significantly affected by the serious data breach that the
15
Commissioner believes has happened; and
16
(h) if the general publication conditions are satisfied:
17
(i) publish a copy of the statement on the entity's website
18
(if any); and
19
(ii) cause a copy of the statement to be published in each
20
State by being published in at least one newspaper
21
circulating generally in that State.
22
Note:
For general publication conditions, see subsection (8).
23
(2) The statement referred to in paragraph (1)(e) must set out:
24
(a) the identity and contact details of the entity; and
25
(b) a description of the serious data breach that the
26
Commissioner believes has happened; and
27
(c) the kinds of information concerned; and
28
(d) recommendations about the steps that individuals should take
29
in response to the serious data breach that the Commissioner
30
believes has happened; and
31
(e) such other information (if any) as specified in the regulations.
32
Method of providing the statement to an individual
33
(3) If the entity normally communicates with an individual using a
34
particular method, the notification to the individual mentioned in
35
Schedule 1 Amendments
16
Privacy Amendment (Privacy Alerts) Bill 2014
No. , 2014
paragraph (1)(g) may use that method. This subsection does not
1
limit paragraph (1)(g).
2
Compliance with direction
3
(4) An entity must comply with a direction under subsection (1) as
4
soon as practicable after the direction is given.
5
Exception--enforcement related activities
6
(5) The Commissioner must not give a direction under subsection (1)
7
to an entity if:
8
(a) the entity is an enforcement body; and
9
(b) the chief executive officer of the enforcement body has given
10
the Commissioner a certificate stating that the enforcement
11
body believes on reasonable grounds that compliance with
12
the direction would be likely to prejudice one or more
13
enforcement related activities conducted by, or on behalf of,
14
the enforcement body.
15
Exception--inconsistency with secrecy provisions
16
(6) If compliance by an entity with so much of a direction under
17
subsection (1) as is covered by paragraph (1)(f), (g) or (h) would,
18
to any extent, be inconsistent with a provision of a law of the
19
Commonwealth (other than a provision of this Act) that prohibits
20
or regulates the use or disclosure of information, paragraph (1)(f),
21
(g) or (h), as the case may be, does not apply to the entity to the
22
extent of the inconsistency.
23
Exception--data breach notified under the Personally Controlled
24
Electronic Health Records Act 2012
25
(7) The Commissioner must not give a direction under subsection (1)
26
in relation to a serious data breach if the breach has been notified
27
under section 75 of the Personally Controlled Electronic Health
28
Records Act 2012.
29
General publication conditions
30
(8) The regulations may declare that one or more specified conditions
31
are general publication conditions for the purposes of this section.
32
Amendments Schedule 1
No. , 2014
Privacy Amendment (Privacy Alerts) Bill 2014
17
Division 3--General
1
26ZD Entity
2
For the purposes of this Part, entity includes a person who is a file
3
number recipient.
4
26ZE Harm
5
For the purposes of this Part, harm includes:
6
(a) harm to reputation; and
7
(b) economic harm; and
8
(c) financial harm.
9
26ZF Real risk
10
For the purposes of this Part, real risk means a risk that is not a
11
remote risk.
12
5 After paragraph 96(1)(b)
13
Insert:
14
(ba) a decision under section 26ZB to refuse to give a notice
15
under subsection 26ZB(5);
16
(bb) a decision under subsection 26ZC(1) to give a direction;
17
6 Application of amendments
--serious data breaches
18
(1)
Paragraphs 26X(1)(c), 26Y(1)(c), 26Z(1)(c) and 26ZA(1)(c) of the
19
Privacy Act 1988 (as amended by this Schedule) apply to an access or
20
disclosure that happens after the commencement of this item.
21
(2)
Paragraphs 26X(2)(c), 26Y(2)(c), 26Z(2)(c) and 26ZA(2)(c) of the
22
Privacy Act 1988 (as amended by this Schedule) apply to a loss that
23
happens after the commencement of this item.
24