Cybersecurity and Data Sovereignty
Data sovereignty is a hot cybersecurity question, and many organisations treat it as one of their early considerations when selecting a service provider to store their data. The intention is that important data should not be held in foreign datacentres, so that foreign governments cannot withhold the data or demand access to it. The Chinese government is one of these: they state that they can access any and all information for any purpose. Surprisingly, the US is another government that can claim access to the data. Under their USA PATRIOT Act, the US government has the authority to access any data that is physically stored within their country, regardless of its origins or any of our local laws. So, in theory, the US government can access the data when they decide to, and cause a company to breach its responsibilities under the Australian Privacy Principles, which could leave the company open to prosecution. However, the likelihood of that is small, as the Patriot Act is meant to be an anti-terrorist measure (but the US Government has hidden under the banner of the Patriot Act before, when performing illegal activities).
Companies in Australia must comply with their responsibilities under the Privacy Act (1988), but there is nothing specific in the Act that requires companies to store all of their data in Australia; they need only take “reasonable steps” to secure the data, as outlined in the Australian Privacy Principles. “Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.” (APP Chapter 8)
Where is your data?
One of the challenges with using cloud services, particularly SaaS, is that you often cannot tell where your data is stored, processed, transmitted or traversed. The service provider may make assurances, or even put them into their contracts, but there is always a possibility that your data is replicated to another datacentre, backed up to a cheaper location, processed by a microservice or plugin that is elsewhere, or cached or “temporarily” located somewhere else.
So, my recommendation is that you should treat all data that is not 100% under your control as being possibly stored overseas. With personal information being such a broad term in Australia, you cannot just focus on keeping personal information in the country and allowing “other data” to be elsewhere – it might technically all be personal information. My recommendation is to encrypt and secure all information, anonymise or tokenise data where possible, and not retain information for longer than it is required.