Scope
(1) This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
(2) The entity must:
(a) both:
(i) prepare a statement that complies with subsection (3); and
(ii) give a copy of the statement to the Commissioner; and
(b) do so as soon as practicable after the entity becomes so aware.
(3) The statement referred to in subparagraph (2)(a)(i) must set out:
(a) the identity and contact details of the entity; and
(b) a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
(c) the particular kind or kinds of information concerned; and
(d) recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
(4) If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.