Part IIIC of the Privacy Act 1988 (Cth) established the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018. Under the NDB scheme, all entities covered by the Privacy Act must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs — specifically, one that is likely to result in serious harm to any individual whose information was involved. The scheme has fundamentally changed the accountability landscape: before February 2018, Australian businesses could quietly manage a data breach internally. Today, the 30-day notification clock creates both a compliance obligation and a public accountability mechanism.
What Is an "Eligible Data Breach"?
An eligible data breach under the NDB scheme requires three elements to be present simultaneously: (1) there has been unauthorised access to, or unauthorised disclosure of, personal information — or personal information has been lost in circumstances where unauthorised access or disclosure is likely; (2) the personal information involved is of a specific kind covered by the scheme (almost all personal information qualifies); and (3) the breach is likely to result in serious harm to one or more individuals whose information was involved. The serious harm test is assessed objectively — not whether harm has actually occurred, but whether a reasonable person in the entity's position would conclude that the breach is likely to result in serious harm.
The "likely to result in serious harm" threshold is lower than it sounds. The OAIC has indicated that health information, financial account credentials, and personal contact details combined with financial information virtually always satisfy this threshold. If in doubt, notify.
The 30-Day Clock: When Does It Start?
The 30-day clock starts from the day an entity "becomes aware" that there are reasonable grounds to suspect that an eligible data breach may have occurred. This is the moment a staff member reports a suspicious login, IT detects an anomaly, or a phishing victim reports clicking a link — not the moment forensic analysis confirms it. Entities have 30 days from that awareness to complete their assessment and notify if required. If after 30 days the entity cannot determine whether an eligible breach has occurred, it must notify anyway on the basis that a breach is likely. Many organisations discover this rule too late: the 30-day clock is not a confirmation period; it is a maximum assessment period.
Email: The Primary NDB Trigger
Email is, by a significant margin, the most common cause of NDB notifications. The OAIC's quarterly NDB statistics consistently show that malicious or criminal attacks (primarily phishing leading to business email compromise) and human error (primarily misdirected emails) together account for approximately 65–70% of all notifications. Healthcare remains the highest-reporting sector — the OAIC received 104 health sector notifications in the six months to June 2025 alone — followed by finance at 63 and legal, accounting, and real estate at approximately 30 each.
- Business email compromise (BEC): An attacker gains access to an email account — typically via phishing — and either exfiltrates information, intercepts payment requests, or uses the account to send further phishing to the victim's contacts. Almost always an eligible data breach.
- Misdirected email: Sending an email containing personal information (even just a name and email address alongside sensitive context) to the wrong recipient. One of the most common human error triggers, particularly in healthcare and legal.
- Ransomware affecting email systems: If ransomware encrypts email archives and there is a risk the attacker exfiltrated data before encrypting, this is typically an eligible breach. The exfiltration risk alone satisfies the "likely unauthorised access" element.
- Email provider breach: If your email hosting provider is breached and customer personal information is exposed, your business remains the accountable APP entity. Their breach = your NDB obligation.
- Misconfigured email server or shared inbox: Accidental public exposure of an email archive or shared inbox containing personal information is an eligible breach even without a malicious actor.
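Two of the BEC indicators above (a new inbox rule forwarding mail outside the organisation, and bulk mailbox access) can be picked out of mailbox audit logs, which is the kind of detection that starts the awareness clock early. The following is an added example, not code from the original page or any product; it assumes a constructed pipe-delimited audit format, the organisation's mail domain example.com.au, and the threshold and window values shown as constants.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com.au"  # assumption: the organisation's own mail domain
BULK_THRESHOLD = 100                # assumption: items read within BULK_WINDOW that count as bulk
BULK_WINDOW = timedelta(minutes=10)
# Constructed sample audit events (not real logs): "timestamp|account|action|key=value".
SAMPLE_LOG = """\
2025-06-03T09:14:02|alice@example.com.au|MailItemsAccessed|count=40
2025-06-03T09:15:10|alice@example.com.au|New-InboxRule|forward_to=archive@example.com.au
2025-06-03T09:16:30|alice@example.com.au|MailItemsAccessed|count=35
2025-06-03T09:20:45|alice@example.com.au|MailItemsAccessed|count=50
2025-06-03T11:02:11|bob@example.com.au|New-InboxRule|forward_to=payments@external.example
2025-06-03T13:30:00|carol@example.com.au|MailItemsAccessed|count=60
2025-06-03T15:30:00|carol@example.com.au|MailItemsAccessed|count=60
"""

def parse_log(text):
    """One dict per line; the trailing key=value pair becomes a field of its own."""
    events = []
    for line in text.splitlines():
        ts, account, action, detail = line.split("|")
        key, value = detail.split("=", 1)
        events.append({"time": datetime.fromisoformat(ts), "account": account, "action": action, key: value})
    return events

def external_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """(account, destination) for each new inbox rule forwarding outside the organisation."""
    return [(e["account"], e["forward_to"]) for e in events if e["action"] == "New-InboxRule"
            and e["forward_to"].rsplit("@", 1)[-1].lower() != internal_domain]

def bulk_access(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Accounts whose MailItemsAccessed counts reach threshold inside any sliding window."""
    per_account = defaultdict(list)
    for e in events:
        if e["action"] == "MailItemsAccessed":
            per_account[e["account"]].append((e["time"], int(e["count"])))
    flagged = []
    for account, reads in sorted(per_account.items()):
        reads.sort()
        start = total = 0
        for t, n in reads:
            total += n
            while t - reads[start][0] > window:  # expire reads older than the window
                total -= reads[start][1]
                start += 1
            if total >= threshold:
                flagged.append(account)
                break
    return flagged
```

In the sample, alice's three reads inside ten minutes trip the bulk threshold while carol's two reads two hours apart do not, and only bob's rule forwards to an external domain; a hit on either check is the "reasonable grounds to suspect" moment that should be entered in the breach register.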
What the OAIC Notification Must Include
When notifying the OAIC, your notification must describe: (a) the nature of the breach — what happened and when; (b) the kinds of information involved; (c) the number of individuals affected or estimated to be affected; (d) what steps your entity has taken in response; and (e) what steps your entity recommends affected individuals take to protect themselves. The OAIC has a standard NDB notification form available on its website. Affected individuals must receive equivalent information, delivered as directly as practicable (usually by email or post — ironic given email was likely the breach vector).
Failure to Notify: What Happens
Failure to notify the OAIC or affected individuals when required is an "interference with the privacy of an individual" under the Privacy Act, and carries civil penalties of up to $50,340,000 for organisations. The OAIC has the power to investigate suspected failures to notify and has actively exercised this power following high-profile breaches. The OAIC's enforcement posture has hardened significantly since 2022: it has initiated investigations into the timeliness of notifications, the adequacy of affected-individual communications, and whether entities had reasonable systems in place to detect breaches.
Quick mitigation: Migrating your email to ShieldBox includes NDB-ready breach detection — automated alerts for compromised accounts, unusual bulk access, and suspicious forwarding — plus a built-in 30-day assessment workflow. See /compliance for the full technical documentation.
Building Your Data Breach Response Plan
- Define your breach response team: security lead, privacy officer or legal counsel, communications lead, and executive sponsor.
- Create a breach register and populate it immediately when a potential breach is identified — this establishes the 30-day clock date.
- Draft OAIC notification and affected-individual communication templates in advance — you will not have time to write them from scratch under pressure.
- Define your "serious harm" assessment criteria with legal advice specific to the kinds of information your business handles.
- Test your plan annually with a tabletop exercise simulating a phishing-based email account compromise.
- Ensure your plan is available offline — if your systems are compromised, a plan stored only in email or cloud docs may be inaccessible.