Data sovereignty is an issue that affects businesses and individuals alike. It is particularly relevant to businesses with legal obligations to maintain the confidentiality of the personal data they hold. It is important that you understand when data sovereignty applies to your business and what your legal obligations are as a result. This article discusses what data sovereignty is, why it matters and some steps you can take as a business owner to manage it.
What Is Data Sovereignty?
Data sovereignty is the principle that data is subject to the laws of the country in which it is stored, in addition to the laws of the country where your business operates. The issue arises most often when data is stored digitally with a cloud service provider, because the provider's data centres, or the backups and replicas it keeps, may be located overseas. This is true whether the provider is foreign or local: an Australian provider may still store or replicate your data in another country, so the question is always where the data physically resides, not where the provider is based.
How Does Data Sovereignty Relate to My Business?
Data sovereignty is relevant to your business if it uses a cloud service provider, foreign or local, to store data, because either may hold that data outside Australia.
Businesses choose to store data overseas for a variety of reasons. It can:
- make doing business easier;
- cost less; and
- ensure that data is backed up and stored safely and with minimum difficulty.
Whatever the reason, if the data you store overseas includes personal information, data sovereignty applies and you will need to comply with data protection and privacy obligations. The data can include all kinds of information, including:
- credit card details;
- health records;
- personal information; and
- financial records.
Why Is Data Sovereignty an Issue?
Data sovereignty matters for your business because it raises questions concerning your:
- compliance with privacy obligations;
- data protection and security; and
- notification of data breaches.
Many Australian businesses have legal obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). APP 8 governs the disclosure of personal information across borders, so it applies whenever you hand personal data to a provider or other recipient overseas.
Australian law also covers data security and confidentiality. APP 11 requires businesses covered by the Act to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. If the information is sensitive, the obligations are more onerous. Sensitive information includes information on:
- sexual orientation; or
- political affiliations.
As a result, all businesses need robust and comprehensive information security strategies.
If you store data overseas, you need to know exactly where it is being stored, including where backups and replicas are kept. You must also have more rigorous internal procedures to protect and secure that data. It is your responsibility to ensure that data stored overseas is handled in accordance with the local laws. 'Local' could mean the country of the cloud service provider and, if different, the country where the data is physically stored.
Before you store data overseas, you will also need to determine whether that data is protected under other laws beyond the Privacy Act, as some categories of information (such as health and financial records) are subject to additional regulation.
Your business may also need to formally de-identify data before storing it in the cloud. De-identification means removing or altering the data so that individuals can no longer be identified from it. Properly de-identified data is not personal information, so Australian privacy laws no longer apply to it. However, if any original identities or identifiers can be ascertained, whether directly from the data or by combining it with other information, privacy laws come back into consideration. Simply deleting names, or replacing them with a code that can be reversed, is not sufficient if the remaining fields still allow individuals to be picked out. A business also needs to make sure that its cloud service provider will not replicate its information to servers in any other country without its knowledge.
Lastly, find out whether your cloud service provider holds insurance that would cover loss or compromise of your data. If the data is not insured and it is either inadvertently disclosed or criminally compromised, you may have no practical remedy against the provider.
If Australian privacy obligations apply to your business, the Notifiable Data Breaches (NDB) scheme also applies. This means that if an eligible data breach occurs, you will need to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).
A data breach occurs when there is:
- unauthorised access to personal information;
- unauthorised disclosure of personal information; or
- loss of personal information.
If any of these events occurs and it is likely (more probable than not) to result in serious harm to any of the individuals concerned, it is an eligible data breach and your business will need to notify it, unless you are able to take remedial action quickly enough that serious harm is no longer likely. Whether serious harm is likely depends on a variety of factors, such as the kind of information involved, how sensitive it is and whether it was protected by security measures such as encryption. The test is whether a reasonable person in your business's position would conclude that serious harm is likely. This is where having a data breach response plan in place is hugely valuable for your business.
Storing your data within Australia does not by itself prevent a breach, but it keeps the data under Australian law and simplifies compliance with privacy and APP obligations. If you store your data overseas, you remain responsible for notification, so your contract with the provider must oblige it to tell you promptly of any breach; otherwise you may not learn of it in time to inform affected Australian customers and the OAIC.
How Can My Business Protect Data Sovereignty?
There are several steps that your business can take to protect your data sovereignty. They include:
- clarifying where exactly your data will be stored, including backups and replicas;
- where possible, choosing an Australian based cloud service provider that stores data in Australia;
- if you have a foreign provider, ensuring that it complies with the most recent policies and regulations of the host country. APP 8 requires you to take 'reasonable steps' to ensure the overseas recipient handles the personal data in line with the APPs;
- backing up your data, and keeping a copy under your own control, before moving it offshore; and
- implementing a strong data breach response plan that ensures everyone employed by your business understands their responsibilities and who to report any breaches to.
Data security and sovereignty are serious legal issues, particularly for businesses with privacy law and APP obligations. Your business needs to ensure that it meets these obligations by understanding:
- where you store your data;
- how your data is protected; and
- the laws that govern and protect your data.
You may also need to de-identify your data before storing it with cloud service providers. If you have questions about your business's data privacy obligations, get in touch with LegalVision's online lawyers on 1300 544 755.