Published on 12/08/2014 | Written by Beverley Head
The Privacy Commissioner has released a revised guide outlining how organisations can better comply with Australia’s recently overhauled Privacy Act, even when using offshore cloud services…
Government entities and organisations with revenues above $3 million have had to comply with the provisions of the new Privacy Act since March. However many have been grappling with what constitutes “reasonable steps” with regard to ensuring the privacy and security of personal data, especially when that information is held by an offshore outsourcer or cloud services provider.
In a bid to shed more light on the situation the Office of the Australian Information Commissioner has released revised guidelines and invited comments until 27 August.
The OAIC notes that, while the guidelines are not binding, they will be used as the yardstick for determining whether organisations have complied with the regime.
Some of the recommendations will, however, prove challenging, for example negotiating site visits to secure overseas data facilities.
While there are few explicit mentions of cloud computing, the guidelines note that where data processing is outsourced to an entity which is not subject to the Privacy Act (which would be the case for most overseas clouds or outsourcers): “If an entity takes reasonable steps to ensure the third party meets the entity’s Privacy Act obligations this in turn is likely to be considered as taking reasonable steps.”
As to what those reasonable steps are, the guidelines suggest: “Having terms in the contract to deal with specific obligations about the handling of personal information and mechanisms to ensure the obligations are being fulfilled, such as regular reporting requirements, and conducting inspections of the third party’s facilities and processes.”
While the guidelines note that time and cost would be taken into account in assessing the “practicability” of any data protection measures, they make clear that there is only limited wriggle room in this regard.
Enterprises are also expected to know where data is stored, which could be a challenge for companies whose overseas cloud provider processes data in one location but backs it up to another.
The guidelines also note that, to ensure the data is properly secured, organisations may require regular meetings with the contractor looking after the data, or the imposition of reporting requirements on the contractor.
Recommending an overarching ‘privacy by design’ approach, the guidelines state: “Entities should consider the security of personal information before they purchase, build or update ICT systems.” They also encourage organisations to use privacy impact assessments to understand how a breach or data loss might affect the enterprise and the people whose personal data it is responsible for.
The guidelines can be accessed here.