Legal and client obligations
According to the national privacy regulator, the Office of the Australian Information Commissioner, companies must have a reasonable level of security safeguarding data, and they should take reasonable steps to ensure that data isn’t stolen, lost, changed, misused or disclosed to unauthorised parties. While the regulator advises that it is good business practice to let clients or individuals know if there has been a data breach that could cause serious harm, it’s not mandatory.
“There’s a lot of naivety about privacy and data, but people are becoming more wary,” says Mark Williams, managing director of CrunchIT.
“If you are confident, after speaking to your legal adviser, that you are not breaking privacy laws, you may prefer not to tell clients how and where data storage takes place.
“The danger of telling clients about a cloud/remote storage solution is that most people don’t understand it, and so it could create unnecessary hysteria. You may need to educate your clients about the advantages and risks.”
Cloud computing checklist
To decide if your business is suited to using cloud-based services, consider the following questions:
- How much data will you be transferring?
- Are you transferring any sensitive data or government data?
- In what country will your data be stored?
- What safeguards does the cloud provider have in place to protect your data?
- How does your cloud provider prevent unauthorised access to data?
- What data retrieval processes and agreements are in place?
- What contingency plans do you have to back up and retrieve cloud data?
- What policies are in place to manage a data breach?
Legal implications
Cloud computing providers store both the software and your business data on networks and servers at remote locations, often overseas. Data is subject to the laws of the country in which it is stored. Laws and privacy protection vary significantly from country to country, so storing data in the cloud could have some potentially serious legal implications.
As a result, companies tendering for Australian Government work may not be permitted to have their data in the cloud.
For example, data stored in the US or even hosted locally by a US-owned company may be subject to the US Patriot Act. The Act permits American law enforcement agencies to seize data without a court order, if they believe it to be in the interests of national security, the definitions of which can be extremely broad.
“If you are choosing a data storage solution and your stored data may be subject to Australian privacy laws, the onus is on you to ask where the data is stored,” says Williams.
Even if you look to reputable Australian companies for data storage solutions, there’s no guarantee that the data is stored locally.
“Microsoft offers Australian businesses cloud-based solutions, like Office 365. As far as I know, the data is stored in Singapore, but it’s often not easy to find out exactly where your data is and host companies can be reluctant to share this information,” says Williams.
Lost in the cloud
Another concern is that a hosting provider offshore can be shut down and you can lose your data entirely. An instance of this is Megaupload, a Hong Kong-incorporated enterprise that provided many people with legitimate hosting services before it was shut down amid accusations of copyright infringement. Many of the company’s servers are in the US, one of the reasons the US Government feels justified in acting against Megaupload. While a local company could fold too, at least you have a name, number and address to pursue.
It can be very difficult, if not impossible, to retrieve cloud data that is lost or seized by local or international law enforcement agencies. “You should have a small computer at your premises that’s always on, that’s set to do hourly or daily snapshots and backups of the files you have in the cloud,” advises Williams.
Local alternatives
If you want a cloud solution but must comply with Australian privacy laws, there’s no need to host with a global provider. There are local options – although they may not be as cost-effective.
“There are some fantastic Australia-based cloud solutions, including TPG’s TrustedCloud. You have a virtual desktop, no data is stored on premises and there is failover [backup operation] between three local data centres,” says Williams.
He says there are also plenty of collaboration tools in lieu of Google that you can host on premises and still access remotely. Microsoft SharePoint is one such solution that suits large companies. Kerio Workspace is suitable for smaller businesses because it’s simpler and cheaper to set up and maintain.
“These tools can be used to collaborate internally, as well as with clients and suppliers,” says Williams. “There are also bespoke collaboration tools designed for specific industries.”
Unlike the internet, where the information you post is very difficult to eradicate, if you decide to move data to a different cloud service or to an on-premises solution because of privacy concerns, any reputable cloud service provider will state that they have no knowledge or ownership of your data. Once you stop paying, they will wipe your data and sell the storage space to someone else.









