For IT managers, DPOs, CISOs, and CIOs in the Australian public service, data protection is paramount. You must implement safeguards to properly dispose of data and data-bearing assets when they are no longer required. Holding onto data unnecessarily or adhering to practices that result in data breaches can result in major fines.

With the recent amendments to the Privacy Act 1988 (Privacy Act) and the ongoing guidance from the Australian Government Information Security Manual (ISM), understanding and implementing robust data destruction practices is more critical than ever.

Data privacy regulations are responding to a changing world

While the Privacy Act and the ISM provide a framework for data handling throughout its lifecycle, including disposal, they continue to be updated in line with new threats and technologies.

The recent Privacy and Other Legislation Amendment Act 2024 represents the most substantial reform to Australia’s privacy regime since the Privacy Act’s inception. It introduces new compliance obligations, strengthens regulatory enforcement powers, and imposes stricter penalties for noncompliance. These amendments underscore the growing importance of proactive data protection strategies and align Australia with global privacy standards, like the EU’s GDPR.

This year’s changes were big. They created a tort for serious invasion of privacy, a Children’s Online Privacy Code, requirements for automated decision-making to be clear, more power for the Office of the Australian Information Commissioner (OAIC), new rules for sending data overseas, made doxxing illegal, strengthened security requirements under the Privacy Act, and better ways to handle data breaches.

The idea that data is too vital to handle carelessly unites all these developments.

When that time comes, all organisations must set up procedures to ensure the permanent, complete destruction of unnecessary data.

 Data sanitisation: your route to compliance

The Privacy Act’s 13 Australian Privacy Principles (APPs) include guidance on how personal information should be processed, protected, and corrected, with APP 11 (Security of Personal Information) dealing most directly with data destruction.

APP 11 states that entities, with a few exceptions, must take reasonable steps to:

• Protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure.
• Once the APP entity no longer requires personal information, please proceed to destroy it or ensure its deidentification.

Likewise, the ISM emphasises the need for the secure management of ICT equipment. This includes the need for onsite data sanitisation if equipment is sent for maintenance or disposal.

The ISM defines media sanitisation as the process of erasing or overwriting information so that it cannot be retrieved or reconstructed, a definition echoed by the OAIC’s “Guide to Securing Personal Information.”

What does the OAIC say?

OAIC’s “Guide to Securing Personal Information,” while not legally binding, complements the 13 APP Guidelines and emphasises the importance of destroying or de-identifying personal information as a key risk mitigation strategy.

It clarifies that the obligation to destroy or de-identify data applies even when the entity does not physically possess the information but has the right or power to deal with it. This means organisations are responsible for data destruction regardless of whether it resides on their networks, backups, or third-party vendor systems, including cloud providers. The guide also stresses the importance of verifying that data destruction has been carried out effectively.

All three resources—the Privacy Act, the ISM, and the OAIC Guide—advocate for destroying data at various stages of the asset and data lifecycles to ensure irretrievability.

Your partner in data sanitisation

Effective data sanitisation requires more than just formatting or deleting files. These methods are often insufficient and leave data recoverable.

Blancco’s software-based data erasure solutions provide a comprehensive approach to data destruction, targeting specific files or folders, sanitising entire devices, and removing data from LUNs and virtual machine environments. Blancco’s solutions—including Blancco Drive Eraser, which holds two Common Criteria certifications—erase data to more than 25 recognised standards and provide tamper-proof erasure certificates that simplify compliance auditing.

• Blancco File Eraser: Targets and erases specific files on computers and servers.
• Blancco Drive Eraser: Securely erases all data on laptops, desktops, servers, and other data-bearing assets.
• Blancco Mobile Diagnostics & Erasure: Erases data on iOS and Android mobile devices.
• Blancco LUN Eraser and Blancco Virtual Machine Eraser: Target data on virtual volumes and machines.

Meet compliance requirements with Blancco

Blancco’s solutions map directly to the data destruction requirements outlined in the Privacy Act and the ISM.

They enable organisations to automate data erasure according to retention policies; securely sanitise data before equipment disposal or maintenance; and provide comprehensive reporting for audit purposes.

Tested, approved, and certified by 13+ international security and regulatory bodies, Blancco’s data erasure solutions help you achieve data protection compliance across your entire organisation.

Visit Blancco.com to learn more.

George Janssen

Website |  + postsBio

George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. George has significant legal experience in international organisations focused on technology and software. He specialises in data privacy, data governance, data classification, intellectual property management, and technology partnerships.