Your task is to assume the hypothetical positions of Cyber Risk Officers with Latitude. Your group is responsible for assisting Latitude's Board of Directors to respond to this incident in accordance with the requirements of Australian law.

Note that, according to the information presented on Latitude's website, the data of customers, past customers, and applicants across both Australia and New Zealand hasbeen exposed.

This assessment requires you to addressAustralian law only, and in particular,only the Commonwealth laws that we have covered in our lectures and in our course materials. You are not required to address the specific provisions of the Privacy Act 1988 (Cth) that deal with financial institutions, as these are not part of our syllabus. You are also not to address New Zealand law, or Australian State or Territory law, as these are also not within the scope of our Data Protection and Privacy syllabus.

As part of your group's role, the Latitude Board of Directors have asked you to memorandum that will assist it in seeking further detailed advice from its external lawyers in managing the consequences of this data breach.

Your memorandum needs toidentify, with reference to relevant sources of law,relevant legal issues arising, and their implications for Latitude's data protection and privacy obligations both now, and into the future. Without necessarily limiting the scope of what your group's memorandum covers, please ensure that it at least addresses:

1. Whether Latitude is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles;

2. Whether the types of data stolen from Latitude (as described in the linked documents above) were personal information and/or sensitive information;

3. Whether Latitude may have engaged in an interference with privacy, as defined in the Privacy Act 1988 (Cth);

4. Whether there are any relevant exceptions to the application of the Australian Privacy Principles that would apply in this case; and

5. Assuming that an interference with privacy did occur, what the rights are of individuals affected by the breach, what the obligations of Latitude are following the breach, and what the role of the Australian Information Commissioner is with respect to the breach.