Managing data sovereignty
We all understand that businesses are better positioned to compete locally and globally when data is well-managed and protected. Unfortunately, most organisations are less clear about the actions required to adequately protect and manage data sovereignty when operating in marketplaces that cross jurisdictional borders.
What is data sovereignty
Data sovereignty is the concept that data is subject to the laws and regulations of the country or region where it originates. It is largely governed by legal frameworks and focuses on the protection of national interests.
Data sovereignty is an important term for regulatory and data security purposes. By ensuring that data collected and processed in Australia is subject to Australian laws, regulations and governance structures, risks related to data breaches and cybersecurity incidents can be reduced and our national interests better protected.
Key features of data sovereignty are data localisation and data residency. Each has legal implications associated with storing data across different jurisdictions.
- Data localisation requires certain types of data to be stored, processed and maintained within the borders of a specific country or region. Localisation emphasises local control and therefore restricts cross-border data transfers. This measure is intended to ensure the application of local laws and protect the data from foreign access or control. On a practical level, the need for data localisation impacts multijurisdictional data flows, the selection of data centers, back-up locations and use of global cloud services.
- Data residency also mandates where data can be stored. However, provided that specific regulatory requirements are met, it gives businesses more flexibility in cross-border data operations and transfers, and it is highly relevant for commercial and taxation purposes (although not restricted to these two areas).
First Nations data sovereignty
First Nations data sovereignty, a subset of data sovereignty, specifically addresses the unique needs and rights of indigenous peoples guided by cultural, ethical and self-determination principles, as opposed to legal frameworks. It encompasses a range of data types, including cultural, health, environmental, and demographic data.
Australia’s approach to First Nations data is evolving. The 2024 Framework for Governance of Indigenous Data[1] acknowledges the rights of Aboriginal and Torres Strait Islander peoples to control the collection, ownership, and use of data about their communities, cultures, and lands. Although written for the Australian Public Service, it outlines practical guidance for managing the sovereignty of data that is applicable beyond the public sector.
Considerations relating to data sovereignty
In our experience at GWI, managing the complexity of data sovereignty involves a level of risk management and requires consideration of the following:
- The mapping of data holdings to understand where data is stored, processed and accessed and where data sovereignty applies. This is often a missing piece of the puzzle for many organisations. You cannot manage and govern data appropriately if you do not know what you hold.
- The practical application of Australian legal frameworks and regulations as they apply to the collection, management and use of data. This includes, but is not limited to, legislation such as the Privacy Act 1988 and the Data Availability and Transparency Act 2022, as well as frameworks such as the Protective Security Policy Framework[2].
- Identification of the types of data that require specific levels of protection to meet sovereignty requirements, including consideration of data localisation or data residency.
- Approaches to governing data which are cognisant of the Principles of Data Sovereignty[3] (as defined by Maiam nayri Wingara, 2018).
- Limiting the transfer of data across borders as required by the Australian Privacy Principle (APP8): Cross-border disclosure of personal information.
- Management of contracts with third party suppliers to ensure compliance with Australian laws and regulations. The Australian Government has released a Hosting Certification Framework[4] which supports the Protective Security Policy Framework and Information Security Manual in ensuring appropriate controls are in place to achieve assurance over the ownership, control, operations and supply chains of Service Providers.
- Identification of required amendments to policies, procedures and practices to reflect sovereignty requirements.
Managing data sovereignty presents a complex but critical challenge for all organisations.
While data sovereignty ensures that information is governed by the laws of the land in which it resides, Indigenous data sovereignty adds an essential layer of nuance, emphasising the rights of First Nations communities to control their data in alignment with their cultural values and governance systems.
To navigate this complexity, the engagement of Indigenous communities in meaningful partnerships becomes a primary responsibility for data stewardship. It requires more than just adherence to legal standards; a commitment to ethical data practices that honour the unique knowledge and traditions of First Nations peoples is also needed.
As data practitioners, we must create a more just and equitable digital landscape that reflects and respects the diversity of all people. It is our collective responsibility.
[1] https://www.niaa.gov.au/sites/default/files/documents/2024-05/framework-governance-indigenous-data.pdf
[2] https://www.protectivesecurity.gov.au/
[3] https://static1.squarespace.com/static/5b3043afb40b9d20411f3512/t/63ed934fe861fa061ebb9202/1676514134724/Communique-Indigenous-Data-Sovereignty-Summit.pdf
[4] https://www.hostingcertification.gov.au/sites/default/files/2021-11/Hosting%20Certification%20Framework%20-%20March%202021.v2.pdf