The Superloop Security series will take you inside the myriad of issues and challenges posed by data security, privacy and business continuity.  Today Superloop security expert, Andrew Lawrence discusses the key implications of the Australian Privacy Act and how it is tied up with data sovereignty.

The widespread use of cloud services means Australian businesses will need to examine their exposure to these data sovereignty rules.

Outside of financial services and healthcare organisations, most Australian businesses haven’t needed to grapple with data sovereignty issues (needing to keep data onshore) as well as having the ‘Right To Audit’ embedded within operating procedures. However that is set to change.

Soon, a great number of businesses will need to start viewing where customer and organisational data resides. More specifically, what’s in the small print of cloud services and whether their provider is transparent.

What rules relate to Australian data sovereignty?

Data sovereignty is now covered in many countries’ legislation. It refers to data that is subject to the laws of the country in which the information is located or stored.

One of the key impacts of data sovereignty is in how companies and governments protect and secure their data. It is covered by regulations around data privacy, data storage, data processing, and data transfers across country boundaries.

In Australia, data sovereignty is covered by the Australian Privacy Act (1988), which gave rise to the Australian Privacy Principles (APP). APPs have created rules for handling data sovereignty, and in particular section 8 of the APP discusses the disclosure of personal data across borders.

Tightening of global data sovereignty laws, such as the introduction of European GDPR, are becoming a key impediment to cloud-based storage of data. As such, businesses will need to fully understand and take into account when storing information that is created in one country but moved to another for processing or analytics.  

Why should you care where your data lives?

Cloud services have delivered organisations value and choice. But these new laws have now moved the goalposts – data sovereignty is now front and centre for businesses worldwide.

It used to be only tightly regulated industries, such as financial services and healthcare, who needed to be concerned with deep evaluations of which cloud providers they selected (if any). Now everyone needs to be aware of how it will impact their business or risk facing huge fines for data breaches.

Businesses using cloud providers now need to be clear on exactly where their data is stored. Some providers have chosen to locate data centres overseas due to lower costs, and their customers have undoubtedly benefited from lowered costs. But, will these same providers now guarantee that the data residing in their services can be held to the standards the regulations require? And can you be sure that you can meet your future compliance burden?

Many organisations are now starting to ask their cloud providers to create a something to store and protect their data locally. Or, they are looking for new providers with these options already in place.

Once again, the physical location of data is vital.

Australia’s legislation surrounding data, security, privacy and mandatory breach reporting have undergone changes in the last two years, so it’s important to understand whether you are still up to date.  Changes to the APP in March 2015 highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.

“Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.” ~ APP C8

What This Means

  • Know the location where your cloud apps are processing or storing data;
  • Take security measures to protect personal information from loss, alteration or processing from unauthorised sources;
  • Collect only necessary data;
  • Be sure that you are compliant if data is not stored locally;
  • Don’t use cloud apps to process data for purposes other than what they were intended for;
  • Understand the consequences if you are not compliant; and
  • Ensure that you can erase the data when you stop using the cloud services.