A report of the Senate Environment and Communications Committee released this month may have profound implications for small businesses, councils and non-government organisations that use cloud storage for personal information relating to their clients or customers.
The Committee’s report, titled The adequacy of protections for the privacy of Australians online, was prepared in response to recent significant advances in online technology and its use for social media and cloud computing. The committee was particularly interested in the impacts on personal privacy and the protection of data.
The report contains nine recommendations. Key points include:
- Small businesses which hold substantial quantities of personal information, or which transfer personal information offshore, should be subject to the requirements of the Privacy Act 1988.
- All Australian organisations which transfer personal information overseas, including small businesses, must ensure that this information is given the same protection as that provided under Australia’s privacy framework.
- If an organisation overseas collects information from Australia, this information should be protected by the Privacy Act.
- All Australian organisations that transfer personal information offshore are fully accountable for protecting the privacy of that information.
The Privacy Minister Brendan O’Connor has highlighted in an interview with News Ltd that cloud storage was a particular concern.
“While some ‘cloud’ providers are located here in Australia, many more are located overseas,” he said.
“That gives rise to difficult jurisdictional issues, particularly where the laws of two or more countries could potentially apply.”
The Minister has indicated that the recommendations will be implemented.
“This is an important development that will prevent organisations from trying to avoid their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards,” Mr O’Connor said.
This point is especially relevant because many countries do not offer the same degree of protection against personal data stored on servers in their jurisdictions being accessed by government agencies, or even shared with businesses.
If implemented, the recommendations will have obvious consequences for organisations large and small across all sectors that have made explicit decisions to save costs by moving client data to cloud storage. Even if they have received promises regarding the location of data storage facilities and their security, these assurances are very difficult to check.
However, these are not the only organisations that may be caught up if the recommendations are implemented. The buzz around cloud computing and storage – not to mention the potential cost savings – has encouraged many small organisations to experiment with online applications for their day-to-day computing, such as Google Docs, which rely on cloud storage. The files generated may include a range of personal data which could be covered by the proposals.
In addition, many organisations that continue to use “traditional” PC-based software also rely on cloud storage applications such as Dropbox for data backup or portability. So even if an organisation’s primary storage of personal data is located in its Australian offices, additional copies may be kept on an overseas server and would therefore be caught by the recommendations. Furthermore, the current exemption from the requirements of the Privacy Act enjoyed by small organisations would be removed, even if they do not store data overseas.
While the Senate committee report offers sound arguments for the proposed changes, and nobody would deny the fundamental right of people to expect high standards of privacy to protect their personal data, the government needs to work closely with all organisations, including small businesses, NGOs and government agencies, as well as cloud storage and software providers, to ensure that implementation of these recommendations is not too costly or onerous.