With many companies now moving their data storage to the cloud, or considering the cost-saving benefit of doing so, it is important to be aware of the risks associated with contracting a company which uses overseas servers. Concerns about ‘data sovereignty’ have increased in recent years, with many Australians feeling uneasy about their personal data being stored overseas – subject to the laws of the country in which it resides.
Does the Privacy Act apply to me or my business?
If your business:
- collects or handles personal information; or
- operates a residential tenancy database; or
- has had an annual turnover of more than $3m in any financial year since 2002; or
- is the related entity of a larger company,
it is likely that the provisions of the Privacy Act 1988 (Cth) (Privacy Act) apply to the collection of personal information by your business.
What are Australian Privacy Principles?
The Australian Privacy Principles (APPs) are found in schedule 1 of the Privacy Act and regulate how personal information must be collected, handled, disclosed and kept secure.
Businesses need to act in accordance with the APPs, which are issued by the Office of the Australian Information Commissioner (OAIC). The APPs and their associated guidelines outline the mandatory requirements, as well as the matters taken into account by the OAIC and Courts when acting to enforce the Privacy Act.
Of particular relevance for those looking to offshore their data storage is APP 8. In combination with section 16C of the Privacy Act, APP 8 governs the cross-border disclosure of personal information.
What are the risks of cloud-based servers?
Section 16C of the Privacy Act provides that if your business discloses personal information to an overseas entity – which subsequently commits a breach of the Privacy Act or the APPs – that offending act will be taken to have been committed by your business. Importantly, this is a strict liability offence, meaning that your intentions and even knowledge of the offence are irrelevant.
In short, APP 8.1 provides that before disclosing personal information to an overseas entity, you are required to take ‘reasonable steps’ to ensure that the overseas entity does not breach the APPs in relation to the information. What will constitute ‘reasonable steps’ is explored in the APPs, though no precise definition or threshold is provided.
What ‘reasonable steps’ need to be taken to ensure compliance?
At a high level, you are required to inventory the relevant data to determine if any information is otherwise legally protected. For example, the confidentiality of health records is legally mandated; as is the sensitivity of tax file numbers.
Beyond this, what is necessary to ensure the security of information provided to an overseas entity scales up in correlation with the sensitivity of information provided. If you are simply recording basic details like names and email addresses, the threshold may be lower than if you were to be hosting more detailed dossiers of customer information and preferences.
At a minimum, it is generally expected that you would enter an enforceable contractual arrangement with the overseas entity that requires them to handle information in accordance with the APPs. A quick review of the standard Terms and Conditions of a candidate cloud-hosting provider will likely reveal that there is no express term providing that they will comply with the APPs.
It would be rare to find an overseas cloud-hosting provider that would expressly agree to specifically comply with Australian law. It remains open for you to decide that if a cloud provider’s standard privacy provisions are good enough for the purposes of overseas (e.g. U.S.) legislation, they are good enough for the APPs – however this is by no means a certainty.
It is arguable that by hosting information with a company that won’t explicitly promise to take particular actions to comply with the APPs, you will not have not done enough to satisfy the ‘reasonable steps’ requirement of the APPs.
Generally speaking, it seems unlikely that the OAIC would pursue a company who hosts information with a leading overseas IT services provider; as the security of the specialist company is presumably well beyond the capability of the Australian business itself. This however, is also by no means guaranteed, which leads us to the options for those businesses set on adopting cloud-based hosting services.
Option 1 – Get consent to host the information offshore
APP 8.27 provides that you may disclose personal information to an overseas recipient without complying with APP 8.1 where:
- you expressly inform the relevant individual that if they consent to the disclosure, this principle will not apply, and
- the individual then consents to the disclosure.
‘Consent’ is a central theme in the Privacy Act. What is required is the express, informed consent of relevant individuals at the time that their personal information is collected, with clear communication as to the intended purpose of collecting such information.
Option 2 – Use Australian-based companies
Continual pressure applied by Australian consumers on cloud-computing providers on this and similar issues has yielded some results in recent years. Services from companies like Amazon, Rackspace, SuccessFactors and Microsoft Azure have recently been made available onshore.
Dealing with companies that host personal information on Australian servers means that concerns regarding data sovereignty and compliance with the APPs are averted.
Contact Michael Bishop or Ben Drysdale on (03) 9614 7707 to discuss any concerns about the collection of personal information by your business or the operation of the Privacy Act generally.
Authors
