
Data Sovereignty: The Dangerous Legal Side of Cloud Computing


Thursday, 30th October 2014 at 10:24 am
Xavier Smerdon, Journalist
Australian Not for Profits need to ensure their cloud service providers are compliant with Australian Privacy Principles (APPs) and local laws or face putting Government funding at risk, writes Gordon Tan from R & G Technologies.


In July 2014, Australia’s Department of Defence terminated the contract of a supplier after it became apparent they were storing client information on overseas servers.

This move signals a strong possibility that any organisation receiving funding from the Government could be at risk of a similar fate.

Over the past three years, we have become accustomed to using cloud computing technologies, applications and tools. But have you ever thought about where all your data is being hosted?

Most US-based cloud providers will be hosting your data overseas. This becomes a problem when you consider that your organisation needs to be compliant with the Australian Privacy Principles (APPs).

Changes to the APPs in March highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.

APP Chapter 8 reads, “Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.”

To ensure your organisation is not breaching any APPs, you’ll need to take reasonable steps to ensure your overseas cloud service provider does not breach any of the acts or practices. If they do, the Government will hold your organisation accountable – not the provider.

Are you breaching any APPs? Learn how you can ensure your organisation’s compliance.

Where is your data stored?

The first question you need to ask yourself is where your data is stored. You need to do this with every one of the cloud applications and tools that your organisation uses. Popular applications like Office 365 and Google Apps do not actually host your data in Australia. This might be a concern if you don’t take ‘reasonable steps’ to ensure they are not breaching any APPs.

If your provider does have their data centre in Australia, you should be fine. However, you can never be 100 per cent certain. You will want to make sure they are not replicating data overseas.

What are considered ‘reasonable steps’?

Even back in 2010, when the Australian Government first released a draft of the APPs, there was a lot of concern from organisations as to what were considered ‘reasonable steps.’

The public and third sectors wanted better guidelines and clarity around what they needed to be doing to ensure they and their overseas cloud providers were compliant.

Fortunately, the latest update to the APPs includes just that. As a requirement to ensure an overseas cloud service provider does not breach any APPs, the Government says you must “enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs.”

Long story short – you need a contractual agreement that includes:

  • The types of information to be disclosed to the overseas recipient
  • An agreement from the overseas recipient that they will comply with the APPs
  • A clear privacy complaint-handling process
  • A data breach response plan that notifies your organisation

The challenge of data sovereignty

Unfortunately, most overseas cloud service providers will not agree to your amended contract. Their lawyers will generally advise against signing it. To them, your business is very small and won’t justify the risk they would have to take on by meeting the strict requirements of the APPs.

This puts you in a sticky situation – one where you can’t confidently use the provider.

Consequences of a breach

If you do not take ‘reasonable steps’ as described, then the Government will hold your organisation accountable for any breaches made by the overseas cloud service provider. In the Government’s eyes, it’s as if you have committed the breach yourself.

So where does that leave us?

Data governance is still a very grey area. The safest thing to do to ensure that your organisation remains compliant and does not risk losing funding is to use cloud service providers that store their data in Australia.

Connecting Up’s IaaS product is an example of an Australian-based solution that hosts your data on local Australian servers. This ensures the responsibility and accountability is on the provider and you will not have to worry so much about any of these challenges that might put your compliance – and funding – at risk.

Are you compliant with Australian data sovereignty laws?

I challenge you to take it upon yourself to get a better understanding of where your data is currently being stored. Contact your existing cloud providers and find out which ones are compliant and which are not. For those who aren’t compliant, you can either look for local alternatives, which can be more expensive, or request they sign an amended contractual agreement.

Are you and your cloud service providers compliant with APPs and local laws? Find out today by downloading our free data sovereignty checklist.

About the Author

Gordon Tan is the Managing Director of R & G Technologies – an IT support and Cloud consulting firm that specialises in the Not for Profit sector. Tan was listed in the top 250 most influential experts in the Managed IT Services industry by MSP Mentor in 2013 and is also a presenter for Connecting Up in their technology leadership academy program.

 


Xavier Smerdon  |  Journalist |  @XavierSmerdon

Xavier Smerdon is a journalist specialising in the Not for Profit sector. He writes breaking and investigative news articles.
