Document Chunk

(3) An entity or class of entities specified for the purposes of paragraph (2)(c): (a) may include a State or Territory authority; and (b) must not be or include a media organisation, the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation. Specified permitted purposes (4) A permitted purpose specified for the purposes of paragraph (2)(d) in relation to an eligible data breach must be a purpose that is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b) to one or more individuals at risk from the eligible data breach. (5) Without limiting subsection (4), any of the following things may be specified as a permitted purpose in relation to an eligible data breach, to the extent that it is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b): (a) preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018 ), fraud, scam activity or identity theft; (b) responding to a cyber security incident, fraud, scam activity or identity theft; (c) responding to the consequences of a cyber security incident, fraud, scam activity, identity crime and