Victoria’s privacy commissioner has issued a stark warning to government agencies about the use of cloud computing, warning that it may be “impossible” to protect personal information held about Australians when it was located offshore — or even just outside Victoria.
In a statement published this week, the state’s privacy commissioner Helen Versey acknowledged cloud computing was being used “increasingly” by Victorian agencies, in order to reduce capital and operational costs.
“However there are privacy issues – particularly in relation to data security – that need to be addressed if an organisation plans to use cloud computing technology for hosting and accessing its data or applications,” Versey wrote. “Despite the potential cost benefits of cloud computing, the cost in addressing the privacy issues might outweigh capital and operational savings to an organisation.”
In addition, Versey added, implementing cloud technology required a different “mindset” than traditional IT services — “using the cloud may swiftly reveal failures in security and procedural processes that have not been properly thought out”.
The commissioner said Victorian government agencies should only use a cloud computing service provider that agreed to ensure that privacy protection was essential, and that agreed to comply with the Information Privacy Principles in the Information Privacy Act (2000).
“Where the provider is located offshore or even outside of Victoria, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure may be difficult or even impossible,” Versey wrote. “By using a cloud service, the government agency is relinquishing some – if not all – control over their data. This includes being able to control security measures, and can present problems if something goes wrong.”
The commissioner particularly noted problems with public cloud providers — as opposed to alternative models such as private cloud and ‘community’ cloud shared between different departments and agencies.
“Given that many cloud computing service providers are in jurisdictions which do not have similar privacy or data protection laws, if a security breach occurs, an individual in Victoria will be powerless to take action against the cloud service provider and will only be able to complain to the Victorian government organisation, which may similarly be unable to assist due to its lack of control over the data,” wrote Versey.
In addition, the commissioner raised the issue that where a cloud server was located offshore, it might be possible for foreign governments to access the information if that government requires it, without the data owner knowing — for example, in the US, where the country’s PATRIOT Act applies.
The arguments raised by the Victorian Privacy Commissioner are common ones which have been discussed within Australia’s IT industry regularly over the past few years, as cloud computing players like Microsoft, Salesforce.com, Google and Amazon have become increasingly prevalent in the marketplace, and private cloud providers like Telstra, Optus and Fujitsu have built out their local infrastructure in the area.
One response to the issue of offshore cloud privacy and security has come from Salesforce.com director of platform research Peter Coffee, who has consistently argued that large organisations need to look in a more granular fashion at what sort of data they are interested in storing in the cloud — arguing that some data could be harmlessly stored offshore — compared with sensitive data, such as, for example, the email account of a chief financial officer of a large organisation, which might need to be stored onshore.