Data Storage Policy

for Tecnologia LLC

NET Defender Data Storage Policy

Document Information

  • Policy Owner: Shahrouz Nasrollahi, CEO & Data Protection Officer
  • Effective Date: 14/11/25
  • Last Reviewed: 11/12/25
  • Version: 1.1

1. Purpose and Scope

1.1 Purpose

This Data Storage Policy establishes NET Defender’s standards for secure storage, retention, and disposal of all data collected in providing IT services to Australian healthcare practices.

1.2 Objectives

  • Store data securely with appropriate technical and organisational controls
  • Comply with Privacy Act 1988, Australian Privacy Principles, and healthcare regulations
  • Protect confidentiality, integrity, and availability of client and patient information
  • Define retention periods and secure disposal procedures
  • Enable efficient data retrieval and business continuity

1.3 Scope

This policy applies to all data collected, processed, or stored by NET Defender, including:

  • Client business information and health information (accessed during service delivery)
  • All staff, contractors, and third parties with system access
  • All storage locations (cloud, servers, workstations, mobile devices, physical records)

2. Governance and Responsibility

Policy Owner: Shahrouz Nasrollahi, CEO & Data Protection Officer

  • Overall accountability for policy compliance
  • Authority to approve exceptions and amendments
  • Annual policy review and updates

All Staff Must:

  • Comply with data storage requirements
  • Report security incidents immediately
  • Complete required training
  • Protect authentication credentials

Third-Party Providers:

  • Contractually bound to equivalent standards
  • Subject to due diligence and monitoring
  • Limited to necessary access only

3. Data Classification

Level | Examples | Storage Requirements
Critical | Patient medical records, health information | Maximum security, Australian-only storage, encryption mandatory, strict access controls, comprehensive logging
Confidential | Client business data, practice configurations, financial records | Strong security, encryption required, access controls, Australian storage preferred
Internal | Technical documentation, support tickets (non-health) | Standard security, access controls, routine backup
Public | Website content, marketing materials | Basic security, public access permitted

Default Classification: Confidential unless specified
Health Information: Automatically classified as Critical


4. Data Storage Infrastructure

4.1 Primary Cloud Storage

Amazon Web Services (AWS) – Sydney Region (ap-southeast-2) Only

Services:

  • EC2 (compute), S3 (object storage), RDS (databases), EBS (block storage)
  • Multi-availability zone redundancy within Australia
  • ISO 27001, SOC 2, IRAP certified

Security Controls:

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.3
  • 24/7 monitoring and intrusion detection
  • Network segmentation and firewalls
  • Automated backup and disaster recovery

4.2 Client Premises Storage

When managing on-premises infrastructure:

  • Full disk encryption mandatory on all devices
  • Multi-factor authentication required
  • Regular security updates and patches
  • Physical security (locked server rooms)
  • Automated encrypted offsite backups

4.3 Backup Infrastructure

Primary Backup: AWS S3 (Sydney) with versioning

Frequency:

  • Critical data: Continuous/hourly
  • Confidential data: Daily
  • Internal data: Weekly

Features:

  • AES-256 encryption
  • Multi-availability zone storage
  • Monthly restoration testing
  • Geographic redundancy within Australia

Recovery Objectives:

  • Recovery Time (RTO): 4 hours for critical systems
  • Recovery Point (RPO): 1 hour maximum data loss for critical systems

4.4 Mobile and Portable Devices

  • Full disk encryption mandatory (BitLocker, FileVault)
  • Mobile Device Management (MDM) enforced
  • Remote wipe capability
  • No local storage of Critical data (cloud access only)
  • 5-minute screen lock timeout

4.5 Physical Records

  • Locked filing cabinets in restricted areas
  • Sign-in/sign-out procedures
  • Annual inventory and audit
  • Secure shredding for disposal

5. Security Controls

5.1 Encryption Standards

Data at Rest:

  • Critical/Confidential: AES-256 mandatory
  • Internal: AES-128 minimum
  • Key management: AWS KMS with automated rotation

Data in Transit:

  • TLS 1.3 for all communications (TLS 1.2 minimum)
  • VPN (IPsec/OpenVPN) for remote access
  • SFTP/SCP for file transfers (FTP prohibited)
  • HTTPS only (HTTP disabled)

5.2 Access Controls

Authentication:

  • Multi-factor authentication (MFA) required for Critical/Confidential data
  • Strong passwords: 12+ characters, complexity rules, 90-day expiry
  • No shared accounts
  • Service account credentials regularly rotated

Authorisation:

  • Role-based access control (RBAC)
  • Least privilege principle
  • Quarterly access reviews
  • Immediate revocation upon termination (within 1 hour)

Logging:

  • Comprehensive audit logs for all data access
  • Logs include: user, timestamp, action, data accessed
  • Retention: 7 years (Critical), 3 years (other)
  • Regular review for suspicious activity

5.3 Network Security

  • Enterprise-grade firewalls
  • Network segmentation by data classification
  • Intrusion detection/prevention (IDS/IPS)
  • DDoS protection (AWS Shield, Cloudflare)
  • Weekly vulnerability scans, monthly penetration testing
  • Critical patches within 48 hours, other patches within 30 days

5.4 Monitoring

24/7 Automated Alerts For:

  • Unusual data access patterns
  • Failed login attempts (5+)
  • Privilege escalation attempts
  • Large data downloads/exports
  • Access from unusual locations
  • Malware/ransomware detection

Response Times:

  • Critical alerts: 5 minutes
  • High-priority alerts: 15 minutes
  • CEO escalation for potential breaches

6. Data Retention Schedules

6.1 Client and Business Data

Data Type | Retention | Justification
Client contracts/agreements | Relationship + 7 years | Legal, taxation
Technical support tickets | 7 years | Warranty, liability
System configurations | System life + 3 years | Technical reference
Financial records | 7 years | ATO requirements
Email correspondence | 7 years | Business records
Access logs | 7 years | Security audit

6.2 Health Information

Data Type | Retention | Justification
Health info in support tickets | 7 years | Medical record alignment
Call recordings (NET Reception) | 7 years | Medical record requirements
Health information access logs | 7 years | Audit trail
Backups containing health info | 7 years | Disaster recovery

Note: We do not independently retain health information. Health records remain under healthcare practice control. We apply equivalent retention to incidental copies accessed during support.

6.3 Employee Data

Data Type | Retention | Justification
Job applications (unsuccessful) | 12 months | Equal opportunity
Personnel files | Termination + 7 years | Fair Work requirements
Payroll records | Termination + 7 years | Taxation

6.4 Website and Marketing

Data Type | Retention | Justification
Website analytics | 26 months | Marketing analysis
Marketing contacts | Until opt-out + 30 days | Compliance
Contact form submissions | 3 years | Lead management

6.5 Retention Management

  • Quarterly review of deletion-eligible data
  • Automated deletion where feasible
  • Manual review before deleting Critical/Confidential data
  • Client notification 30 days before deleting client-owned data
  • Deletion documentation maintained

7. Secure Data Disposal

7.1 Digital Disposal Methods

Overwriting (Confidential/Internal):

  • Minimum 3-pass overwrite (DBAN, Eraser)
  • Suitable for hard drives being repurposed

Cryptographic Erasure (Critical – including health info):

  • Delete the encryption keys, rendering the data irrecoverable
  • Used for cloud storage, encrypted backups, SSDs
  • Fastest method for large encrypted volumes

Physical Destruction (Critical hardware end-of-life):

  • Hard drive shredding or degaussing
  • SSD physical shredding (degaussing ineffective)
  • Certified destruction with Certificate of Destruction

7.2 Physical Document Disposal

  • Cross-cut shredding (minimum DIN P-4)
  • On-site shredding for Critical documents
  • Certified service for bulk disposal
  • Certificate of Destruction retained 3 years

7.3 Disposal Procedures

  1. Verify retention period expired or legal deletion required
  2. Obtain data owner approval
  3. Identify all data locations (production, backup, archives, logs)
  4. Apply appropriate disposal method
  5. Verify successful disposal
  6. Document completion (date, method, person responsible)
  7. Retain disposal records 7 years

7.4 Client Data Upon Service Termination

30-Day Transition:

  • Written notice before deletion
  • Data available for client retrieval (standard formats)
  • Technical migration assistance provided

Secure Deletion:

  • All client data deleted within 5 business days after transition
  • Certificate of Data Destruction provided
  • Includes production, backups, archives, logs

Exception: Data under legal hold retained until hold lifted


8. Compliance and Monitoring

8.1 Regulatory Compliance

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Notifiable Data Breaches (NDB) Scheme
  • Taxation Administration Act 1953 (7-year retention)
  • Fair Work Act 2009 (employee records)
  • Health Records Legislation (state-specific alignment)

8.2 Healthcare-Specific

Medical Record Retention:

  • 7 years minimum (aligned with most states)
  • Queensland: Adults 7 years, paediatric until 25 years
  • Victoria/NSW: 7 years minimum
  • Practices remain responsible; NET Defender supports compliance

Practice Management Systems:

  • Best Practice, Medical Director, Genie compliance configurations
  • Automated backup supporting obligations
  • Audit logging for patient information access

8.3 Compliance Monitoring

Internal:

  • Annual comprehensive audit
  • Quarterly access control spot checks
  • Monthly backup restoration testing
  • Weekly vulnerability scanning

External:

  • Annual penetration testing (third-party)
  • AWS compliance certification review
  • Client-requested audits accommodated

9. Data Access and Portability

9.1 Client Rights

Clients may:

  • Access their data anytime during service relationship
  • Request data exports (standard formats)
  • Receive backup copies
  • Review access logs

Export Process:

  1. Written request submitted
  2. Identity verification
  3. Data prepared in requested format
  4. Secure delivery via encrypted transfer
  5. Completion within 5 business days

9.2 Standard Export Formats

  • Practice management: Native formats (Best Practice .bps, Medical Director)
  • Databases: SQL dumps, CSV
  • Documents: PDF, Office formats
  • Email: PST, MBOX
  • Logs: CSV, JSON

10. Third-Party Storage Providers

10.1 Current Providers

Vendor | Service | Data | Location | Certifications
AWS | Cloud infrastructure | All digital data | Sydney, Australia | ISO 27001, SOC 2, IRAP
Microsoft 365 | Email, collaboration | Business email/docs | Australia | ISO 27001, SOC 2, IRAP

10.2 Vendor Requirements

Before Engagement:

  • Privacy/security policy review
  • Australian data location verification
  • Compliance certification review
  • Data breach history check
  • Financial stability assessment

Contractual:

  • Written data protection obligations
  • Australian Privacy Principles compliance
  • Data location restrictions
  • Right to audit
  • Breach notification (immediate to NET Defender)
  • Data ownership and return provisions

10.3 Vendor Monitoring

  • Annual contract/compliance review
  • Quarterly security bulletin review
  • Immediate assessment of vendor breaches
  • Vendor must notify NET Defender within 12 hours of breaches

11. Business Continuity

11.1 Recovery Objectives

RTO (Recovery Time Objective):

  • Critical: 4 hours maximum
  • Confidential: 24 hours maximum
  • Internal: 72 hours maximum

RPO (Recovery Point Objective):

  • Critical: 1 hour maximum data loss
  • Confidential: 24 hours maximum
  • Internal: 7 days maximum

11.2 Disaster Recovery

Scenarios Covered:

  • Data centre failure/natural disaster
  • Ransomware/cyber attack
  • Hardware failure
  • Data corruption/accidental deletion
  • Regional network outage

Recovery Process:

  1. Disaster declared by CEO
  2. Impact assessed
  3. Clients notified
  4. Data restored from clean backup
  5. Integrity validated
  6. Operations resumed
  7. Post-incident review

Infrastructure:

  • Cloud-based failover (AWS)
  • Alternative region restoration capability if needed
  • Offline documentation (physical copies)
  • Emergency contact lists

12. Special Handling

12.1 Health Information

Additional Controls:

  • Access strictly need-to-know only
  • Enhanced audit logging
  • Mandatory additional staff training
  • Immediate deletion when no longer required
  • Client notification when accessed
  • AES-256 encryption (no exceptions)

12.2 Sensitive Attributes

Extra care for information revealing:

  • Racial/ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation/gender identity
  • Criminal records
  • Biometric/genetic information

Handling:

  • Access restricted to absolute necessity
  • Enhanced logging and review
  • Strict consent requirements
  • Enhanced disposal procedures

13. Training and Compliance

13.1 Mandatory Training

All Staff:

  • Policy training during onboarding (before system access)
  • Annual refresher training
  • Quarterly security awareness updates
  • Immediate training upon policy updates

Technical Staff:

  • Advanced security training
  • Incident response procedures
  • Backup/recovery procedures

13.2 Acknowledgments

Upon Hiring:

  • Signed policy acknowledgment
  • Confidentiality agreement
  • Acceptable use policy

Annually:

  • Re-acknowledgment of updated policies
  • Compliance confirmation

13.3 Non-Compliance Consequences

Staff:

  • Minor: Remedial training, written warning
  • Moderate: Disciplinary action, access suspension
  • Serious: Termination, legal action

Vendors:

  • Contract breach notification
  • Service suspension pending remediation
  • Termination for serious violations

14. Policy Review

14.1 Review Schedule

  • Annual comprehensive review
  • Quarterly technical controls review
  • Ad-hoc upon: security incidents, legislation changes, new technology, client feedback

14.2 Change Communication

Material Changes:

  • Direct email to clients
  • Mandatory staff training
  • Website posting
  • 30-day notice before enforcement

Minor Changes:

  • Website posting
  • Quarterly newsletter
  • Staff notification

15. Exceptions

15.1 Exception Process

Exceptions require:

  1. Written request with justification
  2. Risk assessment
  3. Compensating controls
  4. Time limitation
  5. CEO approval

Documentation:

  • All exceptions logged
  • Quarterly review
  • Automatic expiry unless renewed

15.2 Emergency Exceptions

  • CEO authorisation within 24 hours
  • Documented justification
  • Return to compliance ASAP
  • Post-incident review

16. Definitions

Critical Data: Health information requiring maximum security
Cryptographic Erasure: Deletion of encryption keys, rendering the encrypted data irrecoverable
Data Custodian: Healthcare practice controlling patient information
Health Information: Individual health, medical history, treatment data
Personal Information: Information about identified or identifiable individuals
RPO: Maximum acceptable data loss (time-based)
RTO: Maximum acceptable system downtime


17. Contact Information

Policy Owner & Data Protection Officer:

Shahrouz Nasrollahi
CEO & Data Protection Officer
NET Defender Pty Ltd

Address: 27 Kittani Crescent, Ashmore, Gold Coast, QLD 4214, Australia
Phone: 0450 088 667 / 0467 770 020
Email: shahrouz@netdefender.com.au
Website: www.netdefender.com.au

For: