The free flow and sharing of data and information is a significant part of the globalisation trend. In Australia, as in many other countries, privacy legislation exists to protect the rights of individuals and sets standards for the trans-border transfer of personal data. Knowing where your cloud provider stores your personal data and how it is managed is critical to complying with Australian privacy legislation.
Arguably, the benchmark for data protection comes from the European Union. The European Union’s (EU) Data Protection Directive regulates the processing and free movement of personal data within the EU. Importantly, European data protection rules apply not only when responsible parties operate, store or process personal data within the EU, but whenever the responsible party uses equipment located inside the EU to process personal data.
More stringent protections can be included in detailed data processing agreements and by using the standard contractual clauses published by the European Commission, which are known as the EU Model Clauses.
The EU Model Clauses ensure compliance with the EU’s Data Protection Directive relating to cross-border transfers of personal data. While not required under Australian privacy regimes, a cloud vendor’s willingness to uphold the EU Model Clauses can be seen as additional reassurance of their commitment to upholding the privacy of personal information.
We expect to see an increase in the number of cloud vendors seeking this type of accreditation as the privacy of cloud computing continues to be scrutinised. Rather than using accreditation or certification as simply a minimum threshold, GWI recommends using it to understand whether the level of protection matches the requirements of your information and business needs.
Remember, not all data requires the same treatment, and seeking the highest levels of protection for low-value information will undermine the cost benefits of moving to cloud-based service provision.