OPINION: With the Federal Government committed to a cloud-first policy, Australians have inalienable rights to know where their data is stored, and who has access to it, writes Rupert Taylor-Price.
In the wake of recent revelations regarding social media giant Facebook allowing the harvesting of over 300,000 Australian user profiles by data analytics organisation Cambridge Analytica, questions have arisen about the safety of people’s data. The incident has left both organisations with financial and reputational ramifications, with legal action not yet ruled out.
As people around the world focus on how the data that was harvested affected the US political landscape, President Donald Trump signed legislation that went into effect over the weekend allowing US law-enforcement agencies to access data that is stored by any US-based tech company.
With the Australian Government committed to a cloud-first policy to drive a greater take up of cloud services by Commonwealth agencies, Australians have an inalienable set of rights to know where their data is stored, and who has access to it.
As it becomes murkier who has access to sensitive data across cloud service providers, the new Australian cloud-first world must protect data as the Australian Government and its associated legislation have done in the past. Technological advances should only be applied in clear knowledge of appropriate privacy, security, and national primacy of authority in all elements of the cloud system. This means that sensitive data about Australian citizens must be stored on an ASD-certified cloud that can guarantee information is not accessible by foreign governments and their allies.
If steps are not taken to ensure Australian data stays onshore and is only accessible by Australian-owned and operated organisations, the risk of irrevocably losing the public’s trust in government is almost certain. Data privacy continues to be a topical issue attracting continued interest from the public and the media, particularly with 93 per cent of Australians concerned about organisations sending their personal information overseas.
Ensuring data is secure
In order to make the necessary guarantees to the Australian public that their data is secure, the Australian Government must ensure:
- cloud providers used are solely within the Australian legal jurisdiction
- the confinement of all data storage is restricted to onshore data centres
- security protocols and systems are kept in Australia and within ASD requirements
- Commonwealth primacy in all aspects of operation and access to the cloud system.
Additionally, all individuals administering or accessing the cloud system must be Australian citizens and Australian security-cleared.
Once Australian data or management moves offshore, it is no longer tightly controlled and is subject to the laws of a foreign country or the practices of a foreign corporation. Allowing foreign companies to access and control Australians’ data will not protect the existing rights of Australians to have their privacy and data adequately protected.
Cloud computing can be a disruptive technology in a privacy and security sense. Cloud storage can move data from its traditional location within departmental computer systems to outsourced storage. Ministers, secretaries, and senior officials must ensure that this external storage is exclusively subject to Australian laws and jurisdiction. The only way to do this is to guarantee that Australian data is physically stored within Australian borders and not overseas.
Aside from the loss of privacy, using foreign companies to store Australian data equates to the loss of Australian jobs and taxes, damaging the Australian economy. Jobs that should belong to Australian workers and taxes that rightfully belong to Australia are irrevocably lost when data is moved offshore. Foreign companies reap the benefits of controlling Australian data.
Data sovereignty and privacy can only be assured using Australian data centres and Australian security-cleared employees. The personal, sensitive data of Australians must be managed by Australians who have the appropriate level of access, within Australian borders and in accordance with the laws of Australia.