Data Sovereignty: The Dangerous Legal Side of Cloud Computing
30 October 2014 at 10:24 am
Australian Not for Profits need to ensure their cloud service providers are compliant with Australian Privacy Principles (APPs) and local laws or face putting Government funding at risk, writes Gordon Tan from R & G Technologies.
In July 2014, Australia’s Department of Defence terminated the contract of a supplier after it became apparent they were storing client information on overseas servers.
This move signals a strong possibility that any organisation receiving funding from the Government could be at risk of a similar fate.
Over the past three years, we have become accustomed to using cloud computing technologies, applications and tools. But have you ever thought about where all your data is being hosted?
Most US-based cloud providers will be hosting your data overseas. This becomes a problem when you consider that your organisation needs to be compliant with the Australian Privacy Principles (APP).
Changes to the APP in March highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.
APP Chapter 8 reads, “Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.”
To ensure your organisation is not breaching any APPs, you’ll need to take reasonable steps to ensure your overseas cloud service provider does not breach any of the acts or practices. If they do, the Government will hold your organisation accountable – not the provider.
Are you breaching any APPs? Learn how you can ensure your organisation’s compliance.
Where is your data stored?
The first question you need to ask yourself is where your data is stored. You need to do this with every one of the cloud applications and tools that your organisation uses. Popular applications like Office 365 and Google Apps do not actually host your data in Australia. This might be a concern if you don’t take ‘reasonable steps’ to ensure they are not breaching any APPs.
If your provider does have their data centre in Australia, you should be fine. However, you can never be 100 per cent certain. You will want to make sure they are not replicating data overseas.
What are considered ‘reasonable steps?’
Even back in 2010, when the Australian Government first released a draft of the APPs, there was a lot of concern from organisations as to what were considered ‘reasonable steps.’
The public and third sectors wanted better guidelines and clarity around what they needed to be doing to ensure they and their overseas cloud providers were compliant.
Fortunately, the latest update to the APP includes just that. As a requirement to ensure an overseas cloud service provider does not breach any APPs, the Government says you must “enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs.”
Long story short – you need a contractual agreement that includes:
- The types of information to be disclosed to the overseas recipient
- An agreement from the overseas recipient that they will comply with the APPs
- A clear privacy complaint-handling process
- A data breach response plan that notifies your organisation
The challenge of data sovereignty
Unfortunately, most overseas cloud service providers will not agree to your amended contract. Their lawyers will generally advise against signing it: your business is very small to them, and it won’t justify the risk they would take on by committing to the strict requirements of the APPs.
This puts you in a sticky situation: one where you can’t confidently use the provider.
Consequences of a breach
If you do not take ‘reasonable steps’ as described, then the Government will hold your organisation accountable for any breaches made by the overseas cloud service provider. In the Government’s eyes, it’s as if you have committed the breach yourself.
So where does that leave us?
Data governance is still a very grey area. The safest thing to do to ensure that your organisation remains compliant and does not risk losing funding is to use cloud service providers that store their data in Australia.
Connecting Up’s IaaS product is an example of an Australian-based solution that hosts your data on local Australian servers. This places the responsibility and accountability on the provider, so you will not have to worry so much about the challenges that might put your compliance – and funding – at risk.
Are you compliant with Australian data sovereignty laws?
I challenge you to take it upon yourself to get a better understanding of where your data is currently being stored. Contact your existing cloud providers and find out which ones are compliant and which are not. For those who aren’t compliant, you can either look for local alternatives, which can be more expensive, or request that they sign an amended contractual agreement.
Are you and your cloud service providers compliant with APPs and local laws? Find out today by downloading our free data sovereignty checklist.
About the Author
Gordon Tan is the Managing Director of R & G Technologies – an IT support and Cloud consulting firm that specialises in the Not for Profit sector. Tan was listed in the top 250 most influential experts in the Managed IT Services industry by MSP Mentor in 2013 and is also a presenter for Connecting Up in their technology leadership academy program.