Cloud computing: know the risks

In July 2014, Australia’s Department of Defence terminated the contract of a supplier after it became apparent they were storing client information on overseas servers.

This move signals a strong possibility that any organisation receiving funding from the government could be at risk of a similar fate.

Most US-based cloud providers will be hosting your data overseas. This becomes a problem when you consider that your organisation needs to be compliant with the Australian Privacy Principles (APP). Changes to the APP in March highlighted the particular importance of cross-border disclosure of personal information.

The APP stipulates that if an Australian organisation provides personal information to an overseas recipient, the local organisation must take reasonable steps to ensure the overseas recipient doesn’t misuse the information in a way that breaches the APP.

To ensure your organisation is not breaching any APP, you’ll need to take reasonable steps to ensure your overseas cloud service provider does not breach any of the acts or practices. If they do, the government will hold your organisation accountable – not the provider.

Are you breaching the APP? Here are some compliance considerations:

Where is your data stored?

The first question you need to ask yourself is where your data is stored. You need to do this with each of the cloud applications and tools that your organisation uses. Popular applications like Office 365 and Google Apps do not actually host your data in Australia. This might be a concern if you don’t take ‘reasonable steps’ to ensure they’re not breaching any APP.

If your provider hosts their data centre in Australia, your organisation will be fine. Australian providers are legally obligated to meet the APP and if they do breach, they are held responsible, not your organisation.

What are considered ‘reasonable steps’?

When the Australian Government first released a draft of the APP in 2010, there were concerns from organisations as to what were considered ‘reasonable steps’. The public and not-for-profit (NFP) sectors wanted better guidelines and clarity around what was required of them and their overseas cloud providers to ensure compliance.

Fortunately, the latest update to the APP includes just that. As a requirement to ensure an overseas cloud service provider does not breach the APP, the government deems that local organisations must enter into enforceable contractual arrangements with overseas counterparts, requiring both parties to adhere to the APP.

Your contractual agreement must include:

  • The types of information to be disclosed to the overseas recipient
  • An agreement from the overseas recipient that they will comply with the APP
  • A clear privacy complaint-handling process
  • A data breach response plan that notifies your organisation.

The challenge

Unfortunately, many overseas cloud service providers will not agree to your amended contract. Their lawyers generally will advise against signing it. Your business to them is very small and won’t justify the risk that they will have to take by meeting the strict requirements in accordance with the APP.

This makes it difficult to confidently use an overseas provider. However, some organisations like Microsoft are taking a proactive stance and have amended their contractual agreements to ensure they comply with the APP.

Consequences of a breach

If you don’t take ‘reasonable steps’ as described, the government will hold your organisation accountable for any breaches made by your overseas cloud service provider.

So where does this leave you?

Data governance is still a grey area. The safest thing to do to ensure that your organisation remains compliant and doesn’t risk losing funding is to use cloud service providers that store their data in Australia. Connecting Up’s IaaS product is an example of an Australian-based solution that hosts your data on local Australian servers. By choosing a local provider, the responsibility and accountability are on them.

What’s next?

Find out where your data is currently being stored. Contact your existing cloud providers and find out which ones are compliant and which aren’t. For those who aren’t compliant, you can look for local alternatives, or request they sign an amended contractual agreement.
