Just so I understand, the test is an objective one, but it is subjective with respect to the private sector if they determine or believe they have breached that level. So, am I to understand that if there were this two-step model in place whereby there was mandatory disclosure to the Privacy Commissioner, then it would be up to the commissioner to determine if the breach should in fact be reported to the individuals affected?
On March 10th, 2015. See this statement in context.