Tuesday, March 1, 2016
Australian providers need to be increasingly aware of where their data is stored

Australian not-for-profits need to ensure their international data storage complies with the updated Australian Privacy Principles (APPs) and local laws. Failing to do this puts any government funding at risk.

This is most applicable to organisations that use cloud storage for their data, as most cloud providers host that data overseas.

To ensure your organisation is not breaching any APPs, you will need to take reasonable steps to ensure your overseas cloud service provider does not breach any of the acts or practices. If they do, the Government will hold your organisation accountable, not the provider.

In this article we break down the major Australian and international information sources to give you a good basis to understand and act on recent developments.
Changes to the APP in March 2015 highlighted the particular importance of APP Chapter 8 – cross-border disclosure of personal information.
APP Chapter 8 reads, “Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.”
You need to know where your data is stored
Be sure that you are compliant if data is not stored locally
Understand the consequences if you are not compliant
Start by checking where your data is stored. Many cloud services, particularly international companies, will be storing your data offshore. This is common for resources like Google Apps and large cloud hosting services. Once you have investigated how your data is being stored, you can begin to take reasonable steps to ensure that it is safe and not in breach of the APPs.
If you are using offshore data storage, you are responsible for ensuring that the provider does not breach any APPs.
“[you must] enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs.”
What information is disclosed to the overseas recipient
An agreement from the overseas recipient that they will comply with the APPs
A clear privacy complaint-handling process
A data breach response plan that notifies your organisation
Failing to take these steps means that you can be held liable for any breaches of the APPs that your storage provider makes. This is the same as if you had made the breaches yourself.
Summary from Gordon Tan that breaks down the basics succinctly
Online webinar recording detailing the issues faced with hosting overseas
A more in depth look at the issues surrounding data sovereignty
A thorough strategic whitepaper on international storage and privacy
Copyright © Winscribe