Data sovereignty and perceptions around security and privacy remain as some of the biggest blockers to Australian organisations looking to reap the benefits of cloud computing technology. In the long run most of these concerns will be resolved as top-tier public cloud providers continue to open up data centres in Australia. Until then many organisations will avoid taking advantage of the benefits.
When I ask why they aren’t willing to place their data in a foreign data centre most decision makers will make vague references to “laws” which dictate that their applications and data must be hosted in the country, sometimes within a particular state or territory and in many cases on their own hardware.
I find legal arguments to avoid foreign cloud-computing solutions interesting (yep, I’m that guy). Frequently I find that the organisation has not properly investigated their legal obligations. They take a shortcut in assessing the appropriate legislation and guidelines and arrive at a default negative assessment.
Part of the problem is finding the legislation and guidelines that apply to your organisation in the first place and I think that both state and federal governments could do more to help sign-post the way relevant acts which would support the decision making process.
An organisation in Victoria would need to consider both state and federal legislation and good places to start looking would be the privacy act, and industry specific records keeping acts. As a practical example, consider an industry where data privacy is of the utmost importance – healthcare.
The Health Records Act 2001 (including amendments made 10 February 2013) includes statements with regards to trans-border data flows under Principle 9.
An organisation may transfer health information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if…
The act then goes onto list quite a large list of exceptions to the rule which I suspect would allow most organisations to store health data both outside Victoria, and indeed the country.
There is a danger to reading chunks of legislation in isolation, and I am not a lawyer. But I’m yet to read any legislation that says “you can’t use cloud computing” and I think that organisations which might benefit from cloud computing technology might be well served by examining their options.
Naturally the goal is not to “cloud-all-the-things”, but consider whether the economic benefits from cloud computing (capital expenditure transformation & operational cost optimisation) free up resources over time to tackle other initiatives.