New South Wales Consolidated Acts

PRIVACY AND PERSONAL INFORMATION PROTECTION ACT 1998 - SECT 59M

59M Public sector agencies must immediately notify eligible data breach

(1) The head of a public sector agency must, in the approved form, immediately notify the Privacy Commissioner of the eligible data breach.

(2) The approved form must request the following information be provided in relation to the eligible data breach--

(a) the information specified in section 59O, other than the information specified in section 59O(e),

(b) a description of the personal information that was the subject of the breach,

(c) whether the head of the agency is reporting on behalf of other agencies involved in the same breach,

(d) if the head of the agency is reporting on behalf of other agencies involved in the same breach--the details of the other agencies,

(e) whether the breach is a cyber incident,

(f) if the breach is a cyber incident--details of the cyber incident,

(g) the estimated cost of the breach to the agency,

(h) the total number, or estimated total number, of individuals--

(i) affected or likely to be affected by the breach, and

(ii) notified of the breach,

(i) whether the individuals notified under section 59N(1) have been advised of the complaints and internal review procedures under the Act.

(3) The information requested by the approved form must be completed unless it is not reasonably practicable for the information to be provided.