37. (1) For the purpose of section 43 of the Act, a data breach is taken to result in real risk of harm to a data subject if that data breach relates to —
(a) the data subject’s full name or identification number and any of the personal data or classes of personal data relating to the data subject set out in the Second Schedule; or
(b) the following personal data relating to a data subject’s account with a data controller or data processor —
(i) the data subject’s account identifier, such as an account name or number; and
(ii) any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.
(2) A breach of any personal data envisaged under sub-regulation (1) amounts to a notifiable data breach under section 43 of the Act.
(3) The personal data or classes of personal data set out in the Second Schedule excludes —
(a) any personal data that is publicly available; or
(b) any personal data that is disclosed to the extent that is required or permitted under any written law.
(4) The personal data referred to in sub-paragraph (3)(a) shall not be publicly available solely because of any data breach.