Data Privacy Laws & Cloud Adoption in Australia
According to the October 2012 Cloud Computing in Australia Market Report from IBIS World, the Australian cloud industry has incredible growth potential. Demand is expected to be driven by the tremendous benefits it brings enterprises, including lower costs, enhanced speed of information sharing, and the rapid development & delivery of new capabilities. In Australia, 2012 total industry revenue is expected to be $1.24 billion, up 7.8% on the previous year.
But while this growth is impressive, it trails the growth being experienced by other regions around the globe. One factor frequently cited to explain why many Australian organizations have been slow to adopt cloud services is related to jurisdictional control of data that is moved offshore to the U.S. and other foreign countries. The concern is that Australian data stored in datacenters overseas will be subject to International laws that are less stringent than the laws at home that safeguard individual and corporate privacy. Whether or not courts outside of Australia have jurisdiction in cases such as this is a legal issue that has not yet been settled, but in a whitepaper by global law firm Freshfields, Bruckhaus Deringer, it was highlighted that, “Within Australia, government, community and industry concern around data privacy is growing. The current federal government has expressed particular concern about the potential exposure of personal data once it is transferred offshore.”
Data Privacy, Laws & Regulations
Regulations in Australia and New Zealand make it extremely difficult for enterprises to move sensitive information to cloud-provides that store data outside of Australian/New Zealand borders. The Office of the Australian Information Commissioner (OAIC) is chartered with providing oversight on data privacy regulations designed to govern the dissemination of sensitive personal information (PII, Medical Records, etc.). One example of the type of legislation they enforce is the The Australian National Privacy Act of 1988, which regulates how organizations collect, use, keep, secure, and disclose personal information. The National Privacy Principles (NPP) set out in the Act are designed to ensure that organizations holding information about people handle it responsibly. The Privacy Act does not address cloud computing directly, but it does require specific protections for “personal information”.
The NPP cover the process of collection, use, disclosure, access, correction and identification of any personal information. They state, “An organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.” They also require enterprises to put very rigorous security Service-level Agreements (SLAs) in place with their cloud service providers that define audit rights, reporting, data location constraints, and access right provisions when Trans-border Data Flowsare involved (i.e. data leaves Australian/New Zealand borders).
Financial Services organizations, in particular, are subject to very stringent cloud restrictions. The Australian Prudential Regulatory Authority (APRA) oversees the Financial services vertical and has stated that financial services companies that wish to transfer data offshore must first notify APRA and demonstrate to the regulator that the cloud service provider has put appropriate risk management procedures in place to protect sensitive data. Enterprises must also secure guarantees in their contracts with offshore data hosting companies that APRA will have access to hosting facilities in order to conduct site visits at their discretion. In the context of the global Cloud, where the third-party provider is likely to be using a number of data centres in different countries (both primary and disaster recovery sites) and have employees from multiple jurisdictions with access to Australian data, these requirements have been difficult-to-impossible to meet. Cloud service providers have simply been reluctant to sign-up to the strong guarantees around data security that enterprises need in order to satisfy APRA.
Satisfying Australian Data Residency Requirements via a Cloud Data Protection Gateway
The PerspecSys’ gateway lets Australian enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications. Authorized data security administrators can select, on a field-by-field basis, whether to allow a data going to the cloud to remain in clear text, to be encrypted, or to be replaced with a token. When using tokens as a surrogate value, sensitive data never leaves the organization’s control in any format – making it particularly useful for organizations that need to adhere with Australia’s National Privacy Principles.
The data in the cloud is either tokenized or encrypted so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data is within their full control at all times.