UNSW publishes detailed cloud/data sovereignty toolkit



The University of New South Wales’s widely respected Cyberspace Law and Policy Centre has published what I would consider to be a very useful whitepaper investigating data sovereignty issues related to cloud computing in the Australian context. I’ve read through the document, which you can download for free here in PDF format, and I think it’s safe to say that this represents solid work. It’s sponsored by datacentre operator NEXTDC, law firm Baker & McKenzie and insurer AON, but I didn’t detect any perceptible bias towards on-shore or offshore cloud computing in the document. Rather, what I detected was what I believe is one of the most useful cloud computing backgrounders I’ve seen produced in Australia to date. I particularly note some of the whitepaper’s conclusions:

“We started noting the discomfort that consideration of the complexities of data sovereignty and cloud data management can sometimes cause, and the tempting call of the ‘too hard’ basket.

We have shown how you can analyse the various technical, legal and business issues in turn, and then develop a range of actions that can both reduce the risk of a cloud data disaster, and at the same time increase the value of your information assets. Hopefully by now, you will have come to the conclusion that it is not all too hard.

Some data may happily be hosted almost anywhere or by anyone, while other data may have features which require consideration of location and jurisdiction. But if you have full visibility of data collection, storage and use processes for other purposes, you may well have most of the information at hand needed to make these decisions and implement them. You need only go into a little more detail than we have covered here to ensure that the specific circumstances of your situation are properly taken into account along with the general principles we describe.”

In short, the paper concludes, very sensibly, that cloud computing as a technology paradigm has moved beyond black and white labels over storing data in the cloud, to more discrete analysis of what data can be stored where and under what conditions. It should be obvious to everyone in Australia’s IT industry by now that the cloud computing class of technologies (Software as a Service, Platform as a Service, Storage as a Service and so on and so on) are useful. But you need to apply them judiciously rather than adopting cloud wholesale in every area of your organisation. This whitepaper by UNSW represents a useful toolkit in approaching that concept.


  1. It’s a good read. However, you have to wonder how groups who can’t implement IT systems using on prem equipment will be able to navigate this…

  2. This is an excellent and authoritative guide … not before time. It puts most of the concerns into context and demystifies them to some degree. The overall impression, however, remains that this is a complex and uncertain landscape to navigate so it is easy to understand why some folks tend towards putting public cloud services in the ‘too hard’ basket.

    The key thing in my view is to start consideration of cloud services adoption with a good understanding of the strengths and weaknesses of your ICT status quo. If your existing ICT arrangements are fully adequate and sustainably affordable then the cloud services game may not be worth the candle due to the complexity of data sovereignty concerns. If, however, you need to consider new ways to boost ICT-enabled innovation and productivity improvement (or your ICT arrangements are just flat out disastrous) then you have a stronger motivation to treat data sovereignty concerns as practical problems to be worked out.

    Many of the issues raised in the report are also equally relevant for most forms of outsourced ICT service provision, and even some multi-national in-house ICT arrangements – so need to be kept in context. The challenges of data sovereignty do not stem from cloud services only … though of course public cloud services expose the issues very clearly.

    A final observation would be that this report is excellent reading for any enterprise executive and CIO because the nub of the issue is information management and governance (which is a core responsibility of any CIO – Chief INFORMATION Officer – is it not?) The idea that information is safe simply because it is managed as a homogeneous blob residing on a particular server or in a particular data center is both a triumph of hope over experience and evidence of complacency.

    One of the effects of considering public cloud services is to reveal – perhaps for the first time – the inadequacies of existing ‘informal’ information management and governance practices. A recurring theme in case studies of cloud services adoption is that the discipline of considering what information should and shouldn’t be stored in a cloud service, under what terms and conditions, and under what authority turns out to be a useful exercise in its own right. Data sovereignty concerns turn out, in practice, to be a useful stalking horse for elevating information and data security in a general sense … and for actually taking them seriously.
