Australian Privacy Act - What you need to know for your business

The widespread use of cloud services means Australian businesses will need to examine their exposure to data sovereignty rules and take into account the implications of the Australian Privacy Act.

Outside of financial services and healthcare organisations, most Australian businesses haven’t needed to grapple with data sovereignty issues (needing to keep data onshore) as well as having the ‘Right to Audit’ embedded within operating procedures. However, that is changing.

Today, almost all businesses will need to start viewing where customer and organisational data resides. More specifically, what’s in the small print of cloud services and whether their provider is transparent.

Superloop's security expert, Andrew Lawrence takes us inside the myriad of issues and challenges posed by data security, privacy, and business continuity. He discusses the key implications of the Australian Privacy Act and how it is tied up with data sovereignty.

What rules relate to Australian data sovereignty?

Data sovereignty refers to data that is subject to the laws of the country in which the information is located or stored. It is now covered in many countries’ legislation.

One of the key impacts of data sovereignty is in how companies and governments protect and secure their data. It is covered by regulations around data privacy, data storage, data processing, and data transfers across country boundaries.

In Australia, data sovereignty is covered by the Australian Privacy Act (1988), which gave rise to the Australian Privacy Principles (APP). APPs have created rules for handling data sovereignty, and in particular Section 8 of the APP discusses the disclosure of personal data across borders.

Tightening of global data sovereignty laws, such as the introduction of European GDPR, are becoming a key impediment to cloud-based storage of data. As such, businesses will need to fully understand and take into account when storing information that is created in one country but moved to another for processing or analytics.  

Australian Privacy Principles' impact on businesses

Australia’s legislation surrounding data, security, privacy and mandatory breach reporting have undergone changes in the last two years, so it’s important to understand whether you are still up to date.  Changes to the APP in March 2015 highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.

“Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.” ~ APP C8

What this means

• Know the location where your cloud apps are processing or storing data
• Take security measures to protect personal information from loss, alteration or processing from unauthorised sources
• Collect only necessary data
• Be sure that you are compliant if data is not stored locally
• Don’t use cloud apps to process data for purposes other than what they were intended for
• Understand the consequences if you are not compliant; and
• Ensure that you can erase the data when you stop using the cloud services.

Where your data lives is significant

Cloud services have delivered organisations value and choice. But these new laws have moved the goalposts – data sovereignty is now front-and-centre for businesses worldwide.

It used to be only tightly regulated industries, such as financial services and healthcare, who needed to be concerned with deep evaluations of which cloud providers they selected (if any). Now everyone needs to be aware of how it will impact their business or risk facing huge fines for data breaches.

Businesses using cloud providers now need to be clear on exactly where their data is stored. Some providers have chosen to locate data centres overseas due to lower costs, and their customers have undoubtedly benefited from these lowered overheads. But, will these same providers now guarantee that the data residing in their services can be held to the standards the regulations require? And can you be sure that you can meet your future compliance burden?

Many organisations are now starting to ask their cloud providers to create something to store and protect their data locally. Or, they are looking for new providers with these options already in place.

Once again, the physical location of data is vital. Make sure your business is aware.

*This post was originally published on 1 May, 2018 and has been updated and refreshed on 31 March 2021.

What to read next:

Data sovereignty & data security - Implications for CEOs
Has your data centre turned into a zombie?
Migrating your business to the cloud - the 4 step process