
Press Release: Avtel Data Destruction responds to Commonwealth Bank data loss


Press Release 04/05/2018:

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry

The recent revelation at the Royal Commission that the Commonwealth Bank of Australia could not confirm whether two magnetic tapes containing account information for almost 20 million CBA customers had been destroyed in 2016 is symptomatic of the flaws in e-waste disposal.

Avtel’s Simon Zola, an expert in e-waste security, says:

What I've discovered in the industry is that up until now, it's been the service provider's responsibility to remove the drives from the location, take them to another location, either wipe them and repurpose them or destroy them, and I don't think CBA had a clear vision of what was taking place with those drives. 

What's been happening to Australian businesses' data has been woeful in a lot of cases. In many instances, Australian businesses are not fully aware of how their e-waste is disposed of, but they need to clearly understand the chain of custody for their drives and content.

CBA's response this week has been very professional and transparent, which highlights the importance of the recent legislation changes requiring those affected by a data breach to be notified.

Myles Hick, Director and Co-Founder of Avtel, explains:

This news comes a few months after the new Notifiable Data Breaches Act came into play in Australia. This new data legislation will result in businesses being liable to fines and possible criminal charges if they do not report data breaches. I believe that it would be fair to say that the Australian public and business sector are woefully ill-informed about these new laws, so they need to begin educating themselves about what their obligations are. The takeaway from all of this is that Australian businesses need to start taking their e-waste security as seriously as they take the security of their online systems.

For further information or other media enquiries please contact:
Simon Zola  simon.zola@avtel.asia  +61 406 404 794

 

GDPR: The lay of the land

This year sees major changes for data protection and privacy laws the world over. Arguably the most significant and comprehensive data protection legislation in history, the General Data Protection Regulation (GDPR) will replace existing EU privacy laws and change the face of privacy protection. The new law has far-reaching global implications, applying not only to businesses operating in the EU, but also to any business worldwide that collects personal information from EU data subjects.

This is a massive change when it comes to privacy protection legislation, and is provoking a flurry of activity worldwide in 2018 from businesses affected by the change, as well as those offering legal and practical services. There is a strong feeling among privacy experts, however, that not enough has been done by organisations preparing for the GDPR; it is not too late, but all businesses need to make sure they prepare now to reach full compliance before the change on 25th May 2018.


What changes are required under the GDPR?

Essentially, the GDPR requires a comprehensive reimagining of privacy standards, and includes many new regulations that are proving a headache for the underprepared. The regulation introduces the right to be forgotten, mandatory consent for collection of data, mandatory data breach notification, a call for specificity and relevance in data collected, the exemption from profiling by algorithms, and the mandatory destruction of data once it is no longer relevant.

In addition, it offers regulatory power to data protection authorities like the European Data Protection Board super-watchdog, and requires the appointment of data protection officers in companies that handle large amounts of personal data. Most of these changes require a total policy and practice overhaul, including changes to collection, handling, storage, and disposal of data.

The GDPR should not be taken lightly, with non-compliance attracting fines of up to €20 million, or 4% of annual worldwide turnover (whichever is greater). Advice and information about the change is becoming more accessible to businesses this year as the change date draws closer. It is clear from the current mood in the press that, until recently, many companies have failed to recognise the significance of the changes and the vast quantity of practical and software changes needed to bring businesses up to the high standard the GDPR requires.

How are organisations preparing for the GDPR?

Now, with less than 100 days to go before the GDPR cracks down in May, businesses are becoming more aware of the implications, as the reality and complexity of the new laws hits home and they begin preparing for the GDPR. However, some reports suggest that by the time the GDPR comes into play, more than half of the affected companies will still not be fully compliant, while around half will still be struggling to achieve full compliance even by the end of this year. This is not ideal for non-compliant organisations, as it soon leaves them open to huge penalties in the case of a data breach. In essence, the time to start preparing your business – if you haven’t started already – is now.

Data breaches are becoming more common and more severe every year — large companies like Yahoo, Uber, Equifax, and many more still face ongoing publicity and repercussions from recent breaches. Cases like these have brought data protection into the limelight. In addition to the 2018 legislative changes including the GDPR, the Notifiable Data Breaches (NDB) Act in Australia, and the proposed Breach of Security Safeguard Regulations in Canada this year, widespread publicity has brought data protection to the forefront of awareness for both consumers and organisations. But businesses are still proving largely underprepared for the change.

Though the law is now imminent, there is a tangible level of uncertainty surrounding the GDPR and how it will affect organisations. Lawyers and data protection experts are working hard to prepare companies for the overhaul, with training programs, software expertise, and legal guidance available in most countries, both within the EU and further afield.

It’s important for every organisation worldwide that handles EU data subjects — even just a single EU customer — to understand what changes will be required to get current privacy practices up to speed and avoid the heavy penalties of the GDPR.

Over the coming weeks leading up to the change, we’ll underline key aspects of the GDPR and keep you up-to-date with relevant information that will help your business in preparing for the GDPR.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 

Privacy Amendment (Notifiable Data Breaches) Act 2017: How data destruction helps with compliance

This is Part 5 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read the rest of the series.

So far in this series we’ve covered the most essential components of the Notifiable Data Breaches amendment to the Privacy Act, including who is affected, the implications, and what constitutes an eligible breach. This week, we discuss the changes we face under the NDB Act and how to prepare for the new law.

Digital security practices and the NDB Act

Digital security practice in Australia is likely to undergo significant change with the introduction of the NDB Act this year. The legislation will introduce a whole new way of thinking about data protection for Australian businesses.

Each year, cyber crimes are estimated to cost Australians $2 billion. Data breaches supply identity criminals with personal information — PayPal accounts, credit card details, bank log-in credentials, names, addresses, passports, and driver’s licences — that are in turn used in fraudulent acts.

When notification of an individual is voluntary it can be many months, or even years, before affected individuals are made aware of a breach. This leaves individuals completely in the dark when potentially malicious parties hold their information and renders them unable to take action to safeguard themselves. Right now, it takes companies an average of one year to process a notification, if they do so at all. Compare that to the average time it takes for cyber criminals to use information fraudulently — just 3 days — and it’s clear that most Australians will benefit from the mandatory notification scheme.

For businesses, there’s a strong incentive under the NDB Act to avoid data breaches; regardless of if they report the breach, the consequences can be severe. A Ponemon Institute report last year found that data breaches can incur an average of $2.51 million in costs and losses for a single business, through disruption and profit loss resulting from a decline in customer trust.

Mandatory notification will inevitably bring about a shift in public awareness of digital security issues — Australians are likely to hear about more data breaches in the coming years and become more aware of how companies handle their data. Companies will be legally obliged to respond sooner, resulting in individuals being made aware of breaches sooner, allowing them to better protect themselves. The NDB Act will eventually mean tighter digital security Australia wide.


Data destruction and the NDB Act

As part of their strategy to comply with the new law, companies need to ensure data destruction is a part of their protection protocol. Businesses subject to the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs) are obliged to put in place reasonable security safeguards to protect the information they hold from misuse, loss, unauthorised access, disclosure, or interference. They’re also required to destroy or de-identify personal information once it is no longer needed. Companies are legally obliged to employ appropriate data security for live data, and to destroy all end-of-life data.

This means that correct data destruction is not only an easy way to help avoid unnecessary data breaches, but also constitutes a legal obligation. Even when drives are held in secure storage, or no longer function normally, the data they contain can usually be retrieved. Properly destroying hard drives and other data storage devices is the only way to ensure data is completely eradicated, which will consequently help safeguard your company from data breaches and comply with the law.

The employment of secure data destruction methods is one of many changes that will need to happen within all Australian companies as the commencement of the NDB Act draws nearer.

Preparation for the NDB Act

A recent report found under half of the companies surveyed think they can respond well to a data breach involving business confidential information and intellectual property. That number indicates the confidence of individuals within the company and reflects the lack of faith Australians have in data-holding organisations. Studies indicate that in some sectors (especially telecommunications, government, and banking) close to half of Australians expect an imminent data breach.

In some ways, the legislation is going to further this mistrust in the short term by publicising more breaches. Therefore, it’s essential that businesses start preparing immediately for the change. As a business owner you must become confident in your business’s ability to handle data securely and enact a breach response plan, along with reporting the breach if one does occur. As an employee, know your responsibilities and the potential risks involved.

The Privacy Act and the APPs inform privacy protection in Australia. Being familiar with these documents and following the 10 steps recommended by AVTEL Data Destruction experts in this blog post is a good place to start for good digital security.

Next week: In our final blog post in this series, we discuss best practice for security and compliance with the NDB Act.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 


 

Data Protection Day: A timely reminder that data protection laws are changing


Data Protection Day falls on January 28th, acting as an annual international reminder of the importance of digital security. Since 2006, Data Protection Day (or Data Privacy Day) has reminded organisations to start each year with strong digital defences. The coming year will see significant changes to data protection legislation worldwide; new data protection laws are being introduced that will change the way organisations and individuals view and manage privacy protection.

The incidence of cyber crimes and identity theft has increased rapidly in recent years, inciting these large-scale legislative changes and making the message of Data Protection Day more potent in 2018 than ever before.

The changes will raise global awareness of data security in 2018. Changes to European Union law will govern any organisation worldwide that handles EU data subjects, demanding the attention of every international business. This year will see companies worldwide inspecting their data privacy policies, prevention practices, and breach response procedures in order to prepare for the changes.

What will change in 2018?

The two jurisdictions undergoing the most change this year are likely to be Australia and the EU, introducing the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) and the General Data Protection Regulation (GDPR), respectively. Canada is also working towards enacting data breach notification regulations this year, the Breach of Security Safeguard Regulations, similar to the NDB act in Australia.

The NDB act and the GDPR share a common goal: to increase privacy protection, to minimise the frequency of data breaches, and to create transparency in data handling and processing procedures. While the objectives of the two laws are similar, they are designed to achieve success in different ways.

The new Australian privacy law takes a principles-based approach, encouraging organisations to increase data protection in order to avoid an eligible data breach, and therefore to avoid fines and negative publicity. The new EU privacy law takes a practice-based approach, making increased data protection a legal obligation, rather than a suggested precaution against a data breach and its consequences. The GDPR also offers far greater financial penalties for non-compliance.

As well as clearly outlined steps to be taken by data processors, the GDPR involves several regulations not included in Australian law, including:

  • the mandatory appointment of protection officers where data is processed regularly;
  • a minimum standard of information technology systems and privacy protection programming;
  • the right to data portability (the right of a data subject to request access to, and share, their data); and
  • the right to erasure (the mandatory destruction of data once it is no longer relevant, or upon request).

Because of the comprehensive nature of the GDPR, it is set to become the gold standard of privacy protection legislation, and will have a pervasive impact on privacy protection worldwide.

A summary of the GDPR and the NDB Privacy Amendment


How can your business prepare for the changes?

Staying informed about which legislative changes might affect your business is the first step to success as these new laws come into play. Access our best-practice guide to securing your business against cyber threats, for further steps you can take in-house. Contact Avtel Data Destruction for information on our unique and secure data destruction method that complies with new legislation.

 


 

Time to put the focus on digital security

Another blunder by a large-scale organisation is providing a loud reminder that digital security is not taken seriously enough in Australia.

With the upcoming legislation amendments, Australian businesses and the public need to be well informed about data security, and work towards two important changes: a refresh of security systems, and a shift in the mindset surrounding digital security.


The Department of Health blunder

The Department of Health is facing ongoing investigations by the OAIC after unintentionally exposing the health records of 1 in 10 Australians. The sensitive information included that of prominent Australians such as MPs and sportspeople. The information was made anonymous through de-identification and released to the public, as is common practice. Unfortunately for that 10% of the Australian population, a study conducted by the University of Melbourne’s School of Computing and Information found individuals were able to be re-identified.

The University of Melbourne study found these unique patient records are able to be matched to publicly available records, like past medical procedures and year of birth, allowing identities to be known with some confidence. This potentially exposes socially sensitive records like prescribed medications, termination of pregnancies, and information on personal mental health.
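The linkage the study describes can be checked for before a dataset is released. The following is an added example, not code from Avtel or from the University of Melbourne study: it measures k-anonymity over a constructed, de-identified MBS/PBS-style extract (the rows, field names and procedure codes are invented), reports which rows are unique on attributes that also appear in public records, and shows that coarsening the birth year alone is not enough while dropping the procedure history brings every row into a group of at least two.

```python
"""Added example (not from the post or the study): k-anonymity check on a
constructed, de-identified MBS/PBS-style extract. Quasi-identifiers such as
birth year, sex and procedure history also appear in public records, so a row
unique on them can be linked to a person. Check before release; generalise."""
from collections import Counter

# Constructed sample rows; "token" stands in for the removed patient id.
SAMPLE_ROWS = [
    {"token": "a1", "birth_year": 1961, "sex": "F", "procedures": ("knee-repl", "cataract")},
    {"token": "b2", "birth_year": 1961, "sex": "F", "procedures": ("knee-repl", "cataract")},
    {"token": "c3", "birth_year": 1974, "sex": "M", "procedures": ("appendectomy",)},
    {"token": "d4", "birth_year": 1974, "sex": "M", "procedures": ("appendectomy",)},
    {"token": "e5", "birth_year": 1982, "sex": "F", "procedures": ("tonsillectomy", "mri-knee")},
    {"token": "f6", "birth_year": 1985, "sex": "F", "procedures": ("tonsillectomy",)},
    {"token": "g7", "birth_year": 1963, "sex": "F", "procedures": ("cataract",)},
]
QUASI_IDENTIFIERS = ("birth_year", "sex", "procedures")

def _key(row, quasi_identifiers):
    return tuple(row[q] for q in quasi_identifiers)

def equivalence_classes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_identifiers) for r in rows)

def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest class; k == 1 means at least one row is unique."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(classes.values()) if classes else 0

def unique_tokens(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Tokens of rows singled out by their quasi-identifiers alone."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return sorted(r["token"] for r in rows if classes[_key(r, quasi_identifiers)] == 1)

def consistent_with(rows, birth_year=None, sex=None, procedures=()):
    """Rows consistent with facts knowable from a public record (a news story
    giving a person's birth year and one operation). A single hit is a link."""
    hits = []
    for r in rows:
        if birth_year is not None and r["birth_year"] != birth_year:
            continue
        if sex is not None and r["sex"] != sex:
            continue
        if not set(procedures) <= set(r["procedures"]):
            continue
        hits.append(r["token"])
    return hits

def generalise(rows, year_bucket=10, drop=("procedures",)):
    """Mitigation: coarsen birth year to a bucket and drop high-risk fields."""
    out = []
    for r in rows:
        g = {k: v for k, v in r.items() if k not in drop}
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out

if __name__ == "__main__":
    print("k on raw extract:", k_anonymity(SAMPLE_ROWS))
    print("rows unique on quasi-identifiers:", unique_tokens(SAMPLE_ROWS))
    print("born 1982, had knee MRI:", consistent_with(SAMPLE_ROWS, 1982, procedures=("mri-knee",)))
    coarse = generalise(SAMPLE_ROWS)
    print("k after generalisation:", k_anonymity(coarse, ("birth_year", "sex")))
```

A release check would refuse to publish while `k_anonymity` returns 1 for the chosen quasi-identifiers, and the generalisation step would be tuned until it does not.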

The information, released in 2016, includes data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS). A department spokesperson informed the media that the project has been halted and the dataset removed, and offered assurance that measures are being taken to protect and manage data.

The problem (now more than ever)

This is a perfect demonstration that Australian organisations both within and outside the government remain unprepared for the changes to the Privacy Act 1988 becoming effective in February next year. The Privacy Amendment (Notifiable Data Breaches) Act 2017 is bound to catch many businesses off guard.

Sloppy security measures constitute a huge breach of trust for the Australian public. When we work with organisations that collect sensitive personal data, we trust in the confidentiality offered by the organisation. When we work with an organisation that releases datasets publicly, we do so with faith in anonymity. Australians trust in the strength of the protections in place. Incidents like this recent security lapse prove to us that our trust is often misplaced. We’re led to question the strength of organisations’ security measures and, perhaps more importantly, to question whether they take our personal security seriously.

The core problem is not that the records can potentially be re-identified. The problem is that sufficient attention was not paid to security risks before the dataset release. It’s an issue of carelessness. Security was not given priority, and as such was compromised.

The lesson

Personal security is rarely as straightforward as ‘to share or not to share’. For the purposes of research and transparency, it is essential that some de-identified datasets are released, especially when it comes to government entities. What needs to be considered is the nature of the release — how and to whom information is accessible, whether it is secured with technology that keeps pace with technological advances, how effective the de-identification procedures are, and whether or not data are eventually removed or destroyed.

Introducing additional legislation against the re-identification of data may patch some parts of the issue, but it is a temporary and ultimately ineffective fix. It will do little in the light of the Privacy Amendment next year. The new amendment will see organisations penalised heavily for allowing data breaches to occur. In that way, it’s a step in the right direction when it comes to ensuring we all take digital security more seriously.

The lesson to be learnt here is not one unique to the digital age. Security always needs to keep pace with threats. When the enemy makes stronger battering rams, we must see that and build a stronger door. If the enemy can sneak up through the sewers, we must know that and guard the manholes. Businesses must know intimately the nature and severity of shifting digital security threats, and never let down their guard.

Here’s the crux: digital security must be given more weight. Simply by tightening security measures and keeping digital security at the very forefront of company consciousness, organisations will avoid the embarrassment, reputation damage, and financial burden of a security breach, ensuring the continued trust of all Australians.

With the new legislation fast approaching and public awareness rising, it’s time for companies to address digital security with the gravity it deserves.