Cloud Based Platforms And Australian Privacy Laws
Businesses look to Cloud based hosting and/or storage of data as an important way to improve efficiency and ease with data access, storage and processing. However, the recent changes to the privacy laws in Australia with regards to the collection, holding, use and disclosure of personal information may make some businesses uneasy about hosting their data/personal information in the Cloud particularly if they are misinformed.
For this reason, this article aims to clarify some of the concerns around the use of Cloud services for small businesses which should assist in business management and risk planning.
How does privacy law apply to business?
Australian businesses with an annual turnover of $3 million or more are required to observe the 13 new Australian Privacy Principles (“APPs”) made under the Privacy Act 1988 (Cth). These principles came into operation on the 12 March 2014 and determine the way personal information is collected, held, used and disclosed by businesses. It replaces the National Privacy Principles (NPPs) which previously applied to the private sector. For a list of the APPs please see the Office of Australian Information Commissioner (“OAIC”) website at //www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
The APP which is of most considerable note is AAP8. AAP8 deals with cross-border disclosure of information. This privacy principle deals with disclosures or transfers of personal information by an agency or business to a different entity situated outside Australia. Before the business or agency makes such disclosures or transfers they must first take reasonable steps that the disclosure complies with and does not breach the APPs.
So, in a situation where a business contracts their data storage or email exchange to a Cloud service provider, such as Google, they must ensure firstly that they have consent from their client to store the data outside Australia and secondly that they have taken “reasonable steps” to ensure that the contracted party outside Australia does not breach the APPs.
Also, APP11.1 requires that businesses take reasonable steps to protect the personal information it holds from misuse, interference and loss from unauthorised access, modification or disclosure.
This can be done with the proper drafting of a service level agreement between the business and the contracted party.
What are the risks in breaching of the APPs?
The good news is that the use of Cloud services such as Google Apps which hosts emails and stores data outside Australia poses minimal risk in breaching the APPs; particularly if the Cloud service provider has strict privacy policies in place. This is simply because there is no processing of data by the Cloud service provider. The Cloud service provider in essence is simply renting the “tin” to the business customer and is not itself involved in the handling, use or processing of the personal information. The business customer remains in control, at all times of the handling, use or processing of the personal information.
Are certain businesses exempt from the APPs?
Yes. The APPs generally only applies to businesses with an annual turnover of more than $3 million (and some small businesses such as those in the health sector). For most small businesses however, they are not required to comply with the APPs. Check the following website to see if your business is exempt //www.oaic.gov.au/privacy/who-is-covered-by-privacy
Strict regulation of the financial services sector?
Yes. While a small business operating in the financial services sector may not be required to comply with the APPs, the Australian Prudential Regulatory Authority (APRA) may still require the business to put appropriate risk management procedures in place to protect sensitive data.
See for example //www.apra.gov.au/CrossIndustry/Documents/Letter-on-outsourcing-and-offshoring-ADI-GI-LI-FINAL.pdf
This by no means suggests that such business cannot use Cloud services as part of their business practices. It just means they will need to consult with APRA to ensure that their decision to use such services meets their approval.
If you would like to discuss this topic further, please get in touch with us at firstname.lastname@example.org