Data sovereignty: Are you covered?

With recent events in mind, the need to know what is going on with business and employee data is more important than ever. Are you across the board?

Cloud computing and the opportunities that come with it have quickly swept through the business world, and most organisations wouldn’t be blamed if they weren’t quite sure where the path leads.

Although the concept of offshore data storage is anything but new, its recent proliferation has meant that an understanding of the laws and regulations involved may be further behind than anyone wants to admit.

“There is a significant misunderstanding of Australia’s digital citizens as to how cloud computing works,” Chris Chapman, chairman and CEO of the Australian Communications and Media Authority said yesterday, at the launch of Data Sovereignty and the Cloud, a whitepaper by UNSW, Aon, NEXTDC and Baker & McKenzie, which demonstrates the importance of understanding the laws that surround cloud data and the risks involved.

NEXTDC found 88% of organisations experience at least one data breach each year, with between 36% and 62% stating the breaches involved a mistake by outsourcers, cloud providers, and other third parties.

What is the importance for HR? John Bersin, HR analyst, identified last year that HR systems were being overhauled with cloud software for anything from talent management to payrolls. These systems remain cheap and effective for small and large businesses alike.

“[Data security] is no longer just an IT responsibility in an organisation. It is something you need to involve all parts of the organisation in,” Eric Lowenstein, client manager at Aon Risk Services said at yesterday’s launch.

Of greatest importance is the understanding that the jurisdiction the data is stored in defines what laws apply to it. If data is stored in the US, US law applies to it, for instance. As such, understanding of privacy laws where data is stored is paramount to effectively reducing risk of data breaches.

What first must be considered is what information should be stored where and that data breaches are never impossible, despite security measures. “Anything that can be engineered can be broken,” Stephen Wilson, principal of Lockstep Consulting & Lockstep Technologies, said.

The risks of working with cloud providers must be assessed case-by-case. “Working with a local provider and housing data domestically is one of the best ways to reduce risk, but it is only able to reduce risk not completely remove it,” Craig Scroggie, CEO and executive director of NEXTDC, said.

The reality of jurisdictional law is a non-negotiable element of cloud computing. “Anyone who wants to deal in data needs to accept that proposition and deal with it,” Adrian Lawrence, partner at Baker & McKenzie Sydney, stated.

HR managers should take note that the de-personalisation of data stored on the cloud may be the best course of action to ensure the privacy of their staff. However, undertaking de-personalisation is not as simple as removing last names – other pieces of information can be accumulated to “re-personalise” data, such as medical conditions cross-referenced with postcode and job description.

Other factors to consider when analysing where data should be stored outlined in the whitepaper include understanding the other elements of a jurisdiction. “Some parts of the world are simply more vulnerable to natural disasters, wars, so-called ‘acts of God’, or government intrusions,” the whitepaper states. “Chief among the multitude of concerns about cloud computing is the fear that a business could have its data transferred to or into the control of an undesirable jurisdiction, without its knowledge or approval, and become subject to unacceptable exposures and legal obligations.”

Understanding and taking action in regards to the risks associated with cloud computing is an important factor in today’s business world, and Lawrence is hopeful of the future. “Understanding is increasing. Laws are increasingly there for people to understand and make appropriate decisions,” he said.

HR Take-Aways:

NEXTDC unveiled the ‘Ten commandments of Data Sovereignty’ at the event. Is your organisation abiding?

  • Be aware that information stored in the cloud can be subject to more than one nation’s laws.
  • Remember that the onus is on the business to ensure their provider complies with local laws (these laws being both where the provider is and where the data is stored).
  • Cloud computing invites international considerations. Data stored in the US, for instance, may be subject to government search or seizure without a specific warrant.
  • Check if insurance cover from your provider also includes your data.
  • Data must be profiled and classified in order for a policy to automate its position within a hybrid cloud.
  • Investigate and formulate criteria that determine what information should be housed in Australia.
  • Investigate whether ‘personal information’ stored in the cloud should remain as such, or should be de-identified.
  • Investigate international treaties. Be aware that the US has entered mutual assistance treaties with over 50 countries, meaning information may be readily shared amongst signatories.
  • Investigate the legal complexities surrounding foreign vendors who may be subject to the law of their nation state.
  • Understand the revisions to Australia’s Privacy Act revision coming into effect in 2014.