If you are a financial advisor, would you store your clients' confidential financial and tax details in the cloud?  If you are a hospital, what about patients' health information?  If you are a school, would you use cloud based software to create reports about individual students?

Australian organisations are using more, and more sophisticated, cloud services

More and more organisations are using cloud services.  The services themselves are becoming more complex, to include not just data storage services but higher-value offerings such as "platform as a service" and "software as a service".

Cloud services typically offer good value for money and allow you to scale your usage up or down flexibly, so you only pay for what you need.  These benefits flow from the shared nature of "public cloud" services, i.e. the supplier achieves economies of scale by providing the same service to many customers using a common IT environment. Many Australian organisations have started using the cloud for sophisticated functions, e.g. to run email systems or to use customer relationship management (CRM) "software as a service".  Increasingly, Australian organisations are willing to use these services without stipulating that the cloud infrastructure must be located in Australia.

But… would you put your most critical data into the cloud?

The prudent view: don't put your most critical data into the public cloud

Last month an important report took the view that you shouldn't entrust your most critical data to public cloud services.

The Australian Prudential Regulation Authority, which regulates banks, insurers and superannuation providers, published its Information Paper on Outsourcing Involving Shared Computing Services (Including Cloud) in July 2015.  This paper concludes that for critical data such as customer account balances and transaction history information, the heightened security risk associated with shared IT services and the lack of mature risk management and mitigation techniques make it unwise to use critical data in a public cloud environment.

Tips for managing risk when using public cloud services

However the same paper acknowledges that for lower-risk applications, it may be appropriate to use public cloud services.

The paper gives detailed guidance about risk management for organisations considering using shared computing services such as public cloud services.  Key steps you should take include:

  • conducting a due diligence review of the supplier, including checking customer references;
  • preferring Australian-hosted options in the absence of a compelling business reason to do otherwise;
  • sharing computing services only with parties with similar security requirements, risk profiles and risk appetites (e.g. financial sector entities might only share with other financial sector entities);
  • developing exit strategies to execute upon contract expiry;
  • avoiding "fast track" transition to the cloud environment; and
  • conducting risk assessments not only at the start of the relationship but periodically and upon material change.  Risk assessments should cover issues such as security and the ongoing viability of the supplier and the service.  

The paper also contains specific tips on managing security risks in a cloud environment, including:

  • ensuring sensitive data is encrypted both in transit and at rest;
  • considering the measures in place to manage encryption keys securely;
  • ensuring the supplier's disaster recovery environment meets the same security requirements as its primary environment; and
  • requiring strong security controls over system administrator capabilities.  

Legal issues with putting data into the cloud

Apart from managing risks as outlined above, if you decide to use cloud services you also need to consider your legal responsibilities.

You must comply with any obligations you have under legislation or under contractual clauses to which you've agreed.  Check any requirements published by regulators in your industry.

If the data includes "personal information" (essentially meaning information or an opinion about an identified or reasonably identifiable individual) then to comply with privacy law you will generally need to:  

  • check that your published privacy policy contemplates your use of third party IT services to process personal information – for private sector and Commonwealth government organisations, it should indicate whether personal information is likely to be disclosed overseas and (if practical) the countries in which any overseas recipients are likely to be located;
  • similarly check the privacy collection statements your organisation gives when collecting personal information from individuals;
  • consider whether the individuals to whom the data relates would "reasonably expect" your organisation to use or disclose the data as proposed; and
  • consider whether using the data in the cloud is related (or for sensitive information such as health information, directly related) to the primary purpose for which you collected the individual's information.  

Note that the precise privacy requirements for your organisation may depend on the types of personal information you hold and whether you are in the private sector, the Commonwealth public sector or the public sector of a state or territory.

What to include in your agreement with the cloud provider to protect your data

Finally, before you commit to cloud services you will need to negotiate a suitable agreement with the cloud provider to allocate risk fairly in relation to the security and privacy issues.  Unless you are a large customer or you are dealing with a relatively small provider you will probably find that you have limited ability to negotiate the terms of the agreement.  However, our experience is that cloud providers generally will negotiate on the privacy and security clauses.

Some of the key points to try to include in these clauses are:  

  • a requirement for the supplier to uphold any privacy principles that apply to your organisation under Australian law;
  • a requirement for the supplier not to use or disclose your data except to provide the services;
  • your organisation's right to access and change the data and to have it permanently deleted on request;
  • detailed security requirements e.g. encryption requirements, limits on the countries from which the services will be provided and a requirement for the supplier to report any material security incident;
  • a right to audit the supplier's compliance with these requirements; and
  • a requirement that the supplier impose the same obligations on any authorised subcontractor.  

In conclusion

Although some Australian organisations are already putting their most critical data into the public cloud, this may not be prudent from a security perspective.  For less critical data it may be appropriate provided you take a sensible approach to risk management, including properly considering the privacy law issues and negotiating sensible privacy and security clauses with the supplier.