Australia Data Privacy Laws
Data Privacy Laws & Cloud Adoption in Australia
According to the May 2015 Cloud Computing in Australia Market Report from IBIS World, the Australian cloud industry has incredible growth potential. Demand is expected to continue to be driven by the tremendous benefits it brings enterprises, including lower costs, enhanced speed of information sharing, and the rapid development & delivery of new capabilities. Another report has Australia’s total industry revenue expected to reach $1.24 billion by the year 2020.
But while this growth is impressive, it trails the growth being experienced by other regions around the globe. One factor frequently cited to explain why many Australian organizations have been slow to adopt cloud services is jurisdictional control of data that is moved offshore to the U.S. and other foreign countries. The concern is that Australian data stored in datacenters overseas will be subject to international laws that are less stringent than the laws at home that safeguard individual and corporate privacy. Whether or not courts outside of Australia have jurisdiction in such cases is a legal issue that has not yet been settled, but a whitepaper by global law firm Freshfields Bruckhaus Deringer highlighted that, “Within Australia, government, community and industry concern around data privacy is growing. The current federal government has expressed particular concern about the potential exposure of personal data once it is transferred offshore.”
Data Privacy, Laws & Regulations
Regulations in Australia and New Zealand make it extremely difficult for enterprises to move sensitive information to cloud providers that store data outside of Australian/New Zealand borders. The Office of the Australian Information Commissioner (OAIC) is chartered with providing oversight on data privacy regulations designed to govern the dissemination of sensitive personal information (PII, medical records, etc.). One example of the type of legislation it enforces is the Australian National Privacy Act of 1988, which regulates how organizations collect, use, keep, secure, and disclose personal information. The National Privacy Principles (NPP) set out in the Act were designed to ensure that organizations holding personal information about people handle it responsibly, especially health service providers.
The NPP cover the process of collection, use, disclosure, access, correction and identification of any personal information. They state, “An organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.” They also require enterprises to put very rigorous security Service-level Agreements (SLAs) in place with their cloud service providers that define audit rights, reporting, data location constraints, and access right provisions when cross-border disclosure of personal information is involved (i.e. data leaves Australian/New Zealand borders).
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) was passed in late 2012.
The Privacy Amendment Act introduces many significant changes to the Privacy Act that were effective March 2014. The Privacy Amendment Act includes a set of new privacy principles that regulates the handling of personal information by both Australian government agencies and businesses. These newer principles are called the Australian Privacy Principles (APPs). They replaced the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to businesses.
In the context of Cloud, agencies and businesses that deal with personal information need to be mindful that:
APP8 (cross–border disclosure of personal information) regulates the disclosure/transfer of personal information by an agency or business to a different entity (including a parent company) offshore. Before disclosure of personal information offshore, the Australian agency/business (Australian sender) must take reasonable steps to ensure the overseas recipient will comply with/not breach the APPs. This can be done by appropriate contractual provisions. However, the Australian Sender will (subject to limited exceptions) remain liable for the overseas recipient’s acts and practices in respect of the personal information sent as if the Australian Sender had engaged in such activities in respect of that personal information in Australia and, where relevant, be in breach of the APPs due to the overseas recipient’s acts or omissions.
APP11.1 (Security of personal information) requires that an organisation must “take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure”. The OAIC has issued a 32-page guide as to what these “reasonable steps” might include. Please see our recent Update, which details what the OAIC suggests is required to meet this “reasonable steps” obligation. It is substantially more than what most agencies and businesses are currently doing in respect of security of information.
Under the APPs, privacy, security and regulatory issues related to the use of cloud services must be managed and addressed in agreements.
The Australian Prudential Regulatory Authority (APRA)
Financial services organizations, in particular, are subject to very stringent cloud restrictions. The Australian Prudential Regulatory Authority (APRA) oversees the financial services vertical and has stated that financial services companies that wish to transfer data offshore must first notify APRA and demonstrate to the regulator that the cloud service provider has put appropriate risk management procedures in place to protect sensitive data. Enterprises must also secure guarantees in their contracts with offshore data hosting companies that APRA will have access to hosting facilities in order to conduct site visits at its discretion. In the context of the global cloud, where the third-party provider is likely to be using a number of data centers in different countries (both primary and disaster recovery sites) and to have employees from multiple jurisdictions with access to Australian data, these requirements have been difficult to impossible to meet. Cloud service providers have simply been reluctant to sign up to the strong guarantees around data security that enterprises need in order to satisfy APRA.
A good resource is the Data Sovereignty and the Cloud – A Board and Executive Officer’s Guide. This white paper by David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence outlines the technical, legal and risk governance issues around data hosting and jurisdiction.
Satisfying Australian Data Residency (Data Sovereignty) Requirements via a Cloud Data Protection Platform
The Blue Coat Cloud Data Protection Gateway lets Australian enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications. Authorized data security administrators can select, on a field-by-field basis, whether data going to the cloud remains in clear text, is encrypted, or is replaced with a token. When tokens are used as a surrogate value, sensitive data never leaves the organization’s control in any format, making this particularly useful for organizations that need to adhere to Australia’s National Privacy Principles.
The data in the cloud is either tokenized or encrypted so it is meaningless when viewed in the cloud, and organizations can be confident that their sensitive data is within their full control at all times.
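The field-by-field policy described above, as an added example that is not Blue Coat’s code: a constructed policy table, an on-premises token vault that issues format-preserving surrogate tokens (so the real value never leaves in any form), and an assumed stand-in encrypt function (a real deployment would use an AEAD such as AES-GCM with the key kept on premises).

```python
import hashlib, secrets, string

# Constructed policy: how each field may leave the organisation; unlisted fields are refused.
POLICY = {
    "customer_id": "clear",   # non-sensitive reference, sent as-is
    "full_name": "encrypt",   # ciphertext goes offshore; the key stays on premises
    "tfn": "token",           # Tax File Number: real value never leaves in any form
    "medicare_no": "token",
}

class TokenVault:
    """On-premises token store: surrogate tokens go to the cloud, this map never does."""
    def __init__(self):
        self._token_of, self._value_of = {}, {}

    @staticmethod
    def _surrogate(value):
        # Format-preserving: digits stay digits, letters stay letters, the rest is kept,
        # so cloud-side field validation and searching keep working on the token.
        return "".join(secrets.choice(string.digits) if c.isdigit()
                       else secrets.choice(string.ascii_uppercase) if c.isalpha() else c
                       for c in value)

    def tokenize(self, value):
        if not any(c.isalnum() for c in value):
            raise ValueError("nothing to tokenize")
        if value not in self._token_of:  # same value -> same token, so joins still work
            token = self._surrogate(value)
            while token == value or token in self._value_of:
                token = self._surrogate(value)
            self._token_of[value], self._value_of[token] = token, value
        return self._token_of[value]

    def detokenize(self, token):
        return self._value_of[token]  # only possible inside the organisation

def demo_encrypt(value, key):
    """Stand-in for an AEAD (assumption, demo only): random nonce, SHA-256 keystream, hex out."""
    nonce, data = secrets.token_bytes(16), value.encode()
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return (nonce + bytes(a ^ b for a, b in zip(data, stream))).hex()

def protect_record(record, vault, encrypt):
    """Apply POLICY field by field; the result is the only form allowed to go offshore."""
    actions = {"clear": lambda v: v, "token": vault.tokenize, "encrypt": encrypt}
    outbound = {}
    for field, value in record.items():
        if POLICY.get(field) not in actions:
            raise ValueError(f"no protection policy for field {field!r}; refusing to send")
        outbound[field] = actions[POLICY[field]](value)
    return outbound
```

Because the vault and key stay inside the organisation, a cloud-side copy of the outbound record reveals nothing about tokenized fields and only ciphertext for encrypted ones.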