When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:
(a)
any action taken by the agency to reduce the risk of harm following the breach:
(b)
whether the personal information is sensitive in nature:
(c)
the nature of the harm that may be caused to affected individuals:
(d)
the person or body that has obtained or may obtain personal information as a result of the breach (if known):
(e)
whether the personal information is protected by a security measure:
(f)
any other relevant matters.