- The Act provides for the circumstances and manner in which notification must be made to the Regulator, time periods applicable and consequences of non-compliant processing.
- The failure to notify of processing that is subject to prior authorisation is an offence.
- Where there are security compromises or breaches, the responsible party needs to notify:
  - the Regulator; and
  - the data subject, unless the identity of such data subject cannot be established.
- The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
The notification to a data subject where there are security compromises must be in writing and communicated to the data subject in at least one of the following ways:
- mailed to the data subject’s last known physical or postal address;
- sent by e-mail to the data subject’s last known e-mail address;
- placed in a prominent position on the website of the responsible party;
- published in the news media; or
- as may be directed by the Regulator.
The responsible party must also provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise.