•   This Part sets up a scheme for notification of eligible data breaches.

•   An eligible data breach happens if:

  (a)   there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and

  (b)   the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

•   An entity must give a notification if:

  (a)   it has reasonable grounds to believe that an eligible data breach has happened; or

  (b)   it is directed to do so by the Commissioner.

•   The Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches.