Where in the world is your data?

By: Stephen Murphy

Clients and prospective clients continually ask us if the data we collect during the course of doing business is stored or managed offshore. The answer is a resounding ‘no’.

So what’s all the fuss about? The more recent focus relates to Australian Privacy Principles (APPs) that commenced in March 2014 and replaced the old National Privacy Principles and the Information Privacy Principles. However, it also relates to the pressure to meet perceived needs of clients.

Firstly, we’re not lawyers, so you should seek your own advice when looking at your compliance with the APPs. However, we’ve been involved with sufficient penetration tests, security surveys, site visits, conversations, contracts and agreements to know that this is a big deal.

Legal issues aside, underlying all of this are the moral responsibilities that you have to your clients as custodians of their data. Think Ashley Madison – okay, that’s a whole other moral topic that I won’t digress on right now.

One of the intentions of the APPs, and a very important one at that, is to secure the rights of the individuals or companies to whom the data relates and by whom it is owned, so that it cannot be disclosed to overseas parties that do not comply with the APPs. APP 8 contains many exceptions, but the key meaning is that the onshore custodian, if they do disclose the data to overseas parties, must take reasonable steps to ensure that the APPs are being complied with. We know that the powers of the US Government are far-reaching, but a case in point is that its rights to data centered in the USA are very different from its rights to data centered in Australia.

Confused? Then just keep it simple and ensure that your data stays onshore.

We’ve compiled 6 helpful suggestions:

  • Understand the APPs and how they apply to you. Read Privacy fact sheet 17 – Australian Privacy Principles. Make sure your staff is informed and aware.
  • Reassess your physical and data security. Have a third party conduct a penetration test. If you need a recommendation, we’d be happy to give you one.
  • Ensure that only those who need access to data are given it, and lock down access otherwise.
  • Understand clearly what your vendors and suppliers are doing with your data and your clients’ data. Ensure that their security and compliance with APPs are sound.
  • Get some professional advice from both IT and legal professionals.
  • Oh yes, and ensure your data is kept onshore.
