Get a FREE subscriber login and read more articles

Data security in the cloud

By Claudette Yazbek, Communications Manager and Lawyer at LegalVision

As more of our personal data, particularly financial, is transitioning to the cloud, some investors wonder how safe this will be and who in fact owns the data. Cloud computing has many advantages including that it allows businesses to collect and store personal information such as emails, passwords and financial details in a convenient and cost-effective manner.  Storing data in the cloud is a growing trend (cloud here refers to information stored over the internet instead of a physical hard drive).

However, in light of the heavily publicised data breaches at Sony, LinkedIn and, more recently, the Australian Red Cross, questions remain about the security and privacy of data stored in the cloud. In this article, we survey Australia’s Privacy Law framework to explain who bears the risk of a data breach, the ownership of data in the cloud, as well as best practices for organisations to minimise risk.

The Privacy Act and the Australian Privacy Principles

Schedule 1 of the Privacy Act 1988 (Cth) (the Act) contains 13 privacy principles (APPs). Together, the Act and the APPs regulate how private sector organisations collect, store, use, disclose and access data. Importantly, the APPs only apply to entities with an annual turnover of over $3 million and some small businesses (for example, health service providers and credit reporting businesses) (‘APP entities’).

There are no current obligations under either the Act or the APPs to expressly notify individuals of a data security breach involving personal information. However, this could change if the government passes the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which seeks to introduce a mandatory data notification breach regime.

Who is Liable for a Data Breach?

Cloud storage of personal information involves three key parties:

1.    The users who provide the personal information (Party A);

2.    The organisation that collects the personal information (Party B); and

3.    The cloud service provider that owns the servers on which the information is stored (Party C).

Cost-conscious organisations are increasingly turning to offshore service providers. This means the servers are often located in a jurisdiction other than Australia.

Under APP 11, businesses must take reasonable steps to safeguard the personal information they hold, including ensuring an overseas data storage provider complies with the APPs. Personal information is any information about an individual whose identity is apparent or can be reasonably determined from that information.

As a result, private organisations (Party B) are accountable if an overseas recipient (Party C) mishandles information, subject to two narrow exceptions set out in APP 8:

•    The individual expressly consents; or

•    The business reasonably believes that the overseas recipient is subject to laws substantially similar to the APPs.

Cloud service providers have also emphasised that data security is a shared responsibility – one that a collector of information cannot simply abdicate. An organisation should take appropriate measures to ensure its data is encrypted, use strong passwords as well as a two-step authentication process to access information stored in the cloud.

Who Owns Your Data in the Cloud?

Data ownership remains a vexed question. In simple terms, individuals disclose their personal data for a specific purpose – for example, to access email, purchase goods or manage their finances. Therefore, businesses that enter into a contract with a cloud service provider should impose restrictions on how the provider uses that data. Most cloud providers’ terms of service will expressly outline who owns what data, and as is often the case, it pays to read the fine print.

Best Practices

As businesses take on responsibility for protecting data security, they should look to implement best practices to minimise risk.

Contract Negotiations

Cloud service providers will typically seek to limit their liability. Service agreements often include a term stating that the cloud service provider is not responsible for any “unauthorised access to, alteration of, or the deletion, destruction, loss or failure to any content or data”.

Businesses should, where possible, mitigate their risk by negotiating contracts with cloud providers so as to include a requirement that any overseas recipient must handle personal information in compliance with the APPs. The contract should also include a mechanism for the provider to notify the business – also the APP entity for the purposes of the Act – where there are reasonable grounds to suspect a data breach.

Conduct Due Diligence on Service Providers

Organisations should conduct due diligence before selecting a cloud service provider. Businesses should know what practices are in place to deal with data intrusions and security breaches, including review processes and real-time monitoring.

Up-to-Date Privacy Policy

Organisations should maintain a clear and up-to-date privacy policy outlining how they handle personal information, as well as whether they are likely to disclose personal information to an overseas recipient.

Key Takeaways

One of the significant advantages for businesses that use cloud-computing services is the reduction in infrastructure costs for ‘back-end’ services such as data storage. However, individuals rightly remain wary of third parties accessing their data without consent as well as unauthorised access from a breach of vulnerable infrastructure. The challenge that remains is balancing privacy and security concerns with the flexibility and reliability that data storage affords. 


There are no comments. Be the first to post