Data Breach Incidents:
To the extent the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 applies to Supplier:
a) if Supplier becomes aware of a Data Incident, Supplier will:
(i) notify Client of the Data Incident by telephone and email;
(ii) retain system logs and other information that may be relevant to the Data Incident, or to assessing the cause or impact of the Data Incident;
(iii) provide all information Supplier deems relevant to the Data Incident reasonably requested by Client for the purpose of investigating the Data Incident; and
(iv) immediately take all action reasonably necessary to:
(i) mitigate the impact of the Data Incident (including to restore or recover any lost data); and
(ii) prevent any repeat of the Data Incident in the future.
b) If Supplier suspects that a Data Incident has occurred, it will, within 30 days, prepare an assessment to determine whether there are reasonable grounds to believe that a Data Incident has occurred.
c) Where Client suspects that a Data Incident has occurred, Supplier will, within 30 days of receiving notice from Client of its suspicion, prepare an assessment to determine whether there are reasonable grounds to believe that a Data Incident has occurred. The costs of such assessment must be paid by Client.
d) If Supplier believes a Data Incident has occurred, it will provide notice to the OAIC of such Data Incident and it will be the sole Party to notify the individuals who are likely to be at risk of serious harm arising from the Data Incident.
Data Incident means any actual or Supplier-suspected:
(I) breach of Supplier’s obligations relating to protection of Personal Information under this Agreement;
(II) unauthorised access to, or unauthorised disclosure of, any Personal Information; or
(III) loss of Personal Information, including where Personal Information is damaged or corrupted so that it becomes unusable, where, as determined by Supplier, the access or disclosure is likely to result in serious harm to one or more individuals and Supplier has not been able to prevent the likely risk of serious harm with remedial action.
Last update: 19 November, 2019