How good is your data security? Soon, everyone will know

The new law will require any suspected data breach to be investigated to determine whether such a breach has occurred.
by Patrick Fair

A sea change in data security in Australia is on its way, as Federal Parliament prepares to pass a new legal obligation to notify a data breach to the Privacy Commissioner, anyone adversely impacted and inevitably, the public.

Mandatory data breach notification 3.0 (MDBN) has every prospect of passing both houses and becoming law a year from proclamation some time in 2017.

Good data security builds trust. However, many organisations see data security as a cost to be minimised. If an Australian business or Commonwealth agency suffers a hack, makes an unauthorised disclosure and/or loses information, it is not required to inform the data subjects or Privacy Commissioner. Guidelines issued by the Privacy Commissioner encourage notification as a matter of transparency but notification is not required by law.

The new law will require that any suspected data breach be investigated to determine whether a data breach has in fact occurred and, if a reasonable person would consider that the security of personal information has been compromised, will oblige the body that held the information to notify the Privacy Commissioner and all relevant data subjects or, if possible, only those likely to suffer serious harm, as soon as practicable.

MDBN links the real quality of data security with the customer's assessment of the brand potentially impacting perceptions of reliability and trustworthiness. In this way MDBN significantly increases the importance of data security. Not surprisingly, the industry association for security professionals, AISA, has supported introduction of the new law.

MDBN will be part of the Privacy Act and therefore relates only to information about identified or identifiable individuals, credit reference information and tax file numbers. The Privacy Act applies only to Commonwealth agencies and to businesses with an annual turnover greater than $3 million and which provide a health service, trade in personal information or contract with the Commonwealth; but MDBN will apply to small businesses holding regulated information from one of these entities.

MDBN 3.0 is more user friendly than earlier drafts. There is no automatic obligation to notify if credit reference information is lost. Notice is required only where the compromised information is "likely" to cause serious harm. Where possible, notice is required to be given only to data subjects that are likely to suffer serious harm (and the Privacy Commissioner). An expansive definition of "harm" that included emotional and psychological harm has been removed, and there is a mechanism that removes the need for multiple breach notices where a number of entities are involved in a breach.

On the other hand, the bill is an escape mechanism for government agencies. Generally, agencies are exempt where the notice would be "inconsistent" with any Commonwealth rule that "prohibits or regulates" the disclosure of information. Enforcement agencies are exempt from notifying if the agency believes the notification would be likely to prejudice any "enforcement-related activities", even when the notification has been directed by the Privacy Commissioner.

Mandatory notification of serious data breaches was almost legislated in 2013. A new draft bill was published for comment in December 2015. Now substantially rewritten, mandatory data retention is reborn as the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which is before Federal Parliament.

MDBN is an important change to the legal landscape that will have far-reaching consequences for every organisation that holds data in Australia. It's time to pull out the ASIC security health check, call up the security incident reports from the CIO, consider the adequacy of internal policies and employee training, and make sure that your organisation is doing all it can to deliver effective data security.

Patrick Fair is a partner at law firm Baker & McKenzie

AFR Contributor