Data Storage and Backup for Small Businesses


In today's digital age, secure data storage and regular backups are essential for protecting your business from cyber threats and unexpected disruptions. This fact sheet provides practical advice on how small businesses can implement robust storage and backup strategies, ensuring critical information remains safe, accessible, and recoverable in the event of data loss or a cyber incident. By following these simple, cost-effective measures, you can build a strong foundation for long-term resilience and continuity.

Why should you store data securely and keep a backup?

Accidental Data Loss: Human error, system failures, or natural disasters (especially true for Australia) can lead to data loss. Regular backups prevent permanent loss and allow for smooth recovery.

Protection Against Cyber Threats: Ransomware can lock or destroy your data. Having backups ensures you can recover quickly without feeling pressured to pay a ransom or suffering major losses.

Business Continuity: In the event of data corruption or theft, having safely stored backups enables your business to continue operating with minimal downtime, protecting revenue and reputation.

Regulatory Compliance: Depending on your industry, you may be legally required to securely store and back up data to protect customer information and meet privacy laws.

Customer Trust: Safeguarding sensitive data like customer records ensures you maintain trust and avoid costly breaches that can damage your reputation.

Getting Started

Identify the type of data your business collects

This can include personal information (like customer, supplier or staff names and contact details), financial records, identity information (images of driver licences of your staff for example), sensitive contract information or other types of data that you collect when delivering your services.

Understand your legal obligations

All Australian businesses must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs). The Act and the APPs require that data be stored securely and not kept for longer than is necessary for business or legal purposes. Additionally, if you operate in a specialised industry (such as the health, accounting or financial services industry), you may have other obligations under the Privacy Act to follow. Visit the Office of the Australian Information Commissioner (OAIC) website to determine what obligations you have for the data you store.

Identify where your data is stored and who can access this information

You may collect documents, like customer invoices, in your email inbox or store them in your Google Drive. You may also collect form submissions via your website or social media page. It is important to understand where this information is stored, in the event that you require access to it. Similarly, if employees do not need access to certain documents or files, it is best practice to restrict access to this information, to reduce the likelihood of accidental disclosure or exposure of sensitive information.

Identify the data that needs to be backed up and how

Your business should ensure that data is backed up in more than one place. While Google Drive is an example of a storage solution on its own, what would happen if this account was compromised? To complete this step, it is useful to create a ‘register’ of the types of files and information your business collects on a daily basis – including the storage location of this information. Additionally, you must consider how you can restore your data from the backup in the event of a natural disaster or other unforeseen event. Practise this and keep a detailed guideline on hand so staff know how to resume normal operations in an emergency. Ensure passwords are kept secure; see IDCARE’s Password Manager Fact Sheet.

Considerations when backing up your data

Ensure Your Storage Solution Is Secure

If you store staff documents in a filing cabinet, make sure it is locked. If you are storing data on a hard drive or USB, ensure it is kept within a locked safe, and where possible, encrypt the drive to prevent any unauthorised access should the drive go missing. If you are using a cloud storage solution (such as Google Drive, OneDrive etc.), make sure the account that is used to access it has multifactor authentication enabled and has a password that is not used in ANY other account. Many small businesses make the mistake of setting up business accounts in their personal email account, which they have had for years and may already be compromised.

Regular Data Backups and Diversification

Where you can, set up automated backups of your critical business data (platforms such as Google Drive and OneDrive offer options for configuring this). Backup copies should be stored in a separate location (preferably offsite or in the cloud) to protect against hardware failures, cyber-attacks, or natural disasters. For example, if you store data in SharePoint, the backup location should not also be in SharePoint.
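The restore test that the Getting Started section asks you to practise, and the check that a backup copy actually matches the data it is meant to protect, can be partly automated. The following Python script is an added example and is not part of the IDCARE fact sheet: it walks a source folder, hashes every file with SHA-256 and confirms an identical copy exists under the backup location (a mounted backup drive or a synced folder from a different provider), reporting anything missing or changed. The folder names, the sample files built inside demo() and the function names verify_backup and backup_is_restorable are constructed for illustration only.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under `source` with its counterpart under `backup`.

    Returns a report with three sorted lists of relative paths:
      ok         - present in the backup with identical content
      missing    - absent from the backup entirely
      mismatched - present but with different content (stale or corrupted copy)
    """
    report = {"ok": [], "missing": [], "mismatched": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        bak_file = backup / rel
        if not bak_file.is_file():
            report["missing"].append(rel)
        elif sha256_of(bak_file) != sha256_of(src_file):
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def backup_is_restorable(report: dict) -> bool:
    """A backup only counts as usable when nothing is missing or mismatched."""
    return not report["missing"] and not report["mismatched"]


def demo() -> dict:
    """Run the check on a constructed sample (hypothetical files, not real data).

    Simulates two common failures: one file was never copied to the backup,
    and one backup copy is stale because it was taken before the file changed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        sample_files = {  # constructed contents for the illustration
            "invoices/2024-01.pdf": b"invoice january",
            "invoices/2024-02.pdf": b"invoice february",
            "staff/contacts.csv": b"name,phone\nAlice,0400000000\n",
        }
        for rel, data in sample_files.items():
            for root in (source, backup):
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        (backup / "invoices/2024-02.pdf").unlink()          # never backed up
        (backup / "staff/contacts.csv").write_bytes(b"name,phone\n")  # stale copy
        return verify_backup(source, backup)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = verify_backup(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = demo()  # no folders given: run the constructed sample
    for kind in ("missing", "mismatched"):
        for rel in result[kind]:
            print(f"{kind.upper():10} {rel}")
    print(f"{len(result['ok'])} verified, {len(result['missing'])} missing, "
          f"{len(result['mismatched'])} mismatched")
    sys.exit(0 if backup_is_restorable(result) else 1)
```

Run it as `python verify_backup.py SOURCE_FOLDER BACKUP_FOLDER` after a backup completes, or on a schedule alongside the automated backup. A non-zero exit, or anything listed as missing or mismatched, means the backup would not bring the business back to its current state and the restore guideline should not rely on it until the gap is fixed.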

Access Controls

Consider who in your business needs access to certain information. Implement strict access controls so only authorised personnel can view or modify the data. Restricting access to only those who require it will help mitigate information exposure risks, whether accidental or deliberate.

Consider a Hybrid Approach

Use a mix of cloud and on-premises storage to ensure data redundancy. Cloud storage offers scalability and offsite protection, while local storage allows for quick access when needed.

Regular Reviews of Data

Implement processes to regularly review what data is stored and delete or archive information no longer needed. Your policy should ensure compliance with the "data minimisation" principle, where only the necessary data is kept for the required period. If you need to dispose of paper-based files, consider engaging the services of a data destruction company for secure file shredding. Sensitive business information should never be thrown in the bin, as it is an insecure environment and may be accessed and targeted by criminals.

Third-Party Data Handling

If third-party vendors or services are used to store or manage data (e.g., cloud providers), ensure that they comply with Australian privacy regulations and your internal policies. Your policy should address how third-party relationships are managed and what contractual safeguards are in place.

OAIC Guidance and Resources

The OAIC provides guidance on how businesses should manage personal information, including recommendations for data retention. They emphasise that data retention policies should:

  • Align with the Australian Privacy Principles (APPs), especially APP 11 (security of personal information) and APP 12 (access to personal information).
  • Consider the Notifiable Data Breaches scheme, which outlines the actions to take if a breach impacts data security.

For additional support or information, contact IDCARE by submitting a or call 1800 595 170

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.

Online form: Submit a web request

Call our Australian National Case Management Centre
1800 595 160
Mon - Fri: 8am - 5pm AEST
QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA: 08 7078 7741

Call our New Zealand National Case Management Centre
0800 121 068
Mon - Fri: 10am - 7pm NZST
AKL: 09 884 4440