Clause 80

Subject to subsections (3), (4) and (5), a relevant person must, on or after notifying the Minister under section 79(1), notify each affected individual affected by a notifiable data breach mentioned in section 77(1)(a) in any manner that is reasonable in the circumstances.

The notification under subsection (1) must contain, to the best of the knowledge and belief of the relevant person at the time the relevant person notifies the affected individual, all the information that is prescribed for this purpose.

Subsection (1) does not apply to a System Operator in respect of a notifiable data breach mentioned in section 77(1)(a) that has occurred in relation to health information processed by or in the national electronic records system.

Subsection (1) does not apply if the relevant person —

A relevant person must not notify any affected individual in accordance with subsection (1) if —

The Minister may, on the written application of a relevant person, waive the requirement to notify an affected individual under subsection (1) subject to any conditions that the Minister thinks fit.

A relevant person is not, by reason only of notifying an affected individual under subsection (1), to be regarded as being in breach of —