Where the breach, tampering, or loss of personal information occurs or may occur, a personal information handler shall immediately take remedial measures and notify the departments with personal information protection duties and the relevant individuals. The notice shall include the following items:
- the categories of personal information that has been or may be breached, tampered with or lost, and the reasons and possible harm of the breach, tampering and loss;
- the remedial measures adopted by the personal information handler and the measures the individuals may take to mitigate the harm; and
- the contact information of the personal information handler.
Where the measures taken by the personal information handler can effectively avoid the harm caused by breach, tampering, or loss of personal information, the personal information handler is not required to notify individuals; where the departments with personal information protection duties consider that harm may be caused, they have the authority to request the personal information handler to notify individuals.
Related provisions: