
Data Sovereignty: The Dangerous Legal Side of Cloud Computing


Thursday, 30th October 2014 at 10:24 am
Xavier Smerdon, Journalist
Australian Not for Profits need to ensure their cloud service providers are compliant with Australian Privacy Principles (APPs) and local laws or face putting Government funding at risk, writes Gordon Tan from R & G Technologies.


In July 2014, Australia’s Department of Defence terminated the contract of a supplier after it became apparent they were storing client information on overseas servers.

This move signals a strong possibility that any organisation receiving funding from the Government could be at risk of a similar fate.

Over the past three years, we have become accustomed to using cloud computing technologies, applications and tools. But have you ever thought about where all your data is being hosted?

Most US-based cloud providers will be hosting your data overseas. This becomes a problem when you consider that your organisation needs to be compliant with the Australian Privacy Principles (APP).

Changes to the APP in March highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.

APP Chapter 8 reads, “Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.”

To ensure your organisation is not breaching any APPs, you’ll need to take reasonable steps to ensure your overseas cloud service provider does not breach any of the acts or practices. If they do, the Government will hold your organisation accountable – not the provider.

Are you breaching any APPs? Learn how you can ensure your organisation’s compliance.

Where is your data stored?

The first question you need to ask yourself is where your data is stored. You need to do this with every one of the cloud applications and tools that your organisation uses. Popular applications like Office 365 and Google Apps do not actually host your data in Australia. This might be a concern if you don’t take ‘reasonable steps’ to ensure they are not breaching any APPs.

If your provider does have their data centre in Australia, you should be fine. However, you can never be 100 per cent certain. You will want to make sure they are not replicating data overseas.

What are considered ‘reasonable steps?’

Even back in 2010, when the Australian Government first released a draft of the APPs, there was a lot of concern from organisations as to what were considered ‘reasonable steps.’

The public and third sectors wanted better guidelines and clarity around what they needed to be doing to ensure they and their overseas cloud providers were compliant.

Fortunately, the latest update to the APP includes just that. As a requirement to ensure an overseas cloud service provider does not breach any APPs, the Government says you must “enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs.”

Long story short – you need a contractual agreement that includes:

  • The types of information to be disclosed to the overseas recipient
  • An agreement from the overseas recipient that they will comply with the APPs
  • A clear privacy complaint-handling process
  • A data breach response plan that notifies your organisation

The challenge of data sovereignty

Unfortunately, most overseas cloud service providers will not agree to your amended contract. Their lawyers generally will advise against signing it. Your business to them is very small and won’t justify the risk that they will have to take by meeting the strict requirements in accordance with the APPs.

This puts you in a sticky situation – one where you can’t confidently use the provider.

Consequences of a breach

If you do not take ‘reasonable steps’ as described, then the Government will hold your organisation accountable for any breaches made by the overseas cloud service provider. In the Government’s eyes, it’s as if you have committed the breach yourself.

So where does that leave us?

Data governance is still a very grey area. The safest thing to do to ensure that your organisation remains compliant and does not risk losing funding is to use cloud service providers that store their data in Australia.

Connecting Up’s IaaS product is an example of an Australian-based solution that hosts your data on local Australian servers. This ensures the responsibility and accountability is on the provider and you will not have to worry so much about any of these challenges that might put your compliance – and funding – at risk.

Are you compliant with Australian data sovereignty laws?

I challenge you to take it upon yourself to get a better understanding of where your data is currently being stored. Contact your existing cloud providers and find out which ones are compliant and which are not. For those who aren’t compliant, you can either look for local alternatives, which can be more expensive, or request they sign an amended contractual agreement.

Are you and your cloud service providers compliant with APPs and local laws? Find out today by downloading our free data sovereignty checklist.

About the Author

Gordon Tan is the Managing Director of R & G Technologies – an IT support and Cloud consulting firm that specialises in the Not for Profit sector. Tan was listed in the top 250 most influential experts in the Managed IT Services industry by MSP Mentor in 2013 and is also a presenter for Connecting Up in their technology leadership academy program.

 


Xavier Smerdon  |  Journalist |  @XavierSmerdon

Xavier Smerdon is a journalist specialising in the Not for Profit sector. He writes breaking and investigative news articles.
