37—Categories of notifiable data breach

37. (1) For the purpose of section 43 of the Act, a data breach is taken to result in real risk of harm to a data subject if that data breach relates to —

(a)  the data subject’s full name or identification number and any of the personal data or classes of personal data relating to the data subject set out in the Second Schedule; or

(b)  the following personal data relating to a data subject’s account with a data controller or data processor —

(i)  the data subject’s account identifier, such as an account name or number; and

(ii)  any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.

(2) A breach of any personal data envisaged under sub-regulation (1) amounts to a notifiable data breach under section 43 of the Act.

(3) The personal data or classes of personal data set out in the Second Schedule exclude —

(a)  any personal data that is publicly available; or

(b)  any personal data that is disclosed to the extent that is required or permitted under any written law.

(4) The personal data referred to in sub-paragraph (3)(a) shall not be publicly available solely because of any data breach.

197  PART VI—NOTIFICATION OF PERSONAL DATA BREACHES