In one of the most bureaucratic moves we’ve seen in quite some time, the Federal Government has released a new cloud computing security and privacy directive which requires departments and agencies to explicitly acquire the approval of the Attorney-General and the relevant portfolio minister before government data containing private information can be stored in offshore facilities. Data which doesn’t include personal information — and thus isn’t subject to privacy regulations — won’t suffer the same conditions. The new policy itself is available online in PDF format, and we’ve also got a media release issued by the Attorney-General himself, Mark Dreyfus, jointly with Kate Lundy in the Senator’s new role as Minister Assisting for the Digital Economy. Dreyfus tells us:
“The policy will aid decision-makers in determining when to allow the use of offshoring or outsourcing on a case-by-case basis,” Mr Dreyfus said. “I have paid special attention to the security of personal information, which people expect will be treated with the highest care by all organisations, but by government in particular,” Mr Dreyfus said.
“Safeguards have been incorporated so that before personal information can be stored in the cloud, the approval of the Minister responsible for the information, and my own approval as Minister for privacy, must be given. This is to ensure that sufficient measures have been taken to mitigate potential risks to the security of that information.”
I hope to get the time later on to do some more analysis of this policy; I’m sure the devil is in the details. However, I will note that for now, I’m in two minds about this. Firstly, and I’m sure this is the aim of the policy, this document explicitly opens up cloud computing use for non-personal and non-sensitive data, meaning that Federal Government departments and agencies now have implicit approval to use the cloud, including offshore cloud, for data storage. I have no doubt that this implicit approval is the main reason this new document was drawn up; and I’m sure it will have the effect of encouraging departments and agencies to host data in the cloud. This is a very good thing.
However, it should also be obvious that creating a situation where two ministers need to explicitly agree in certain cases where personal data could be kept offshore creates a massive bottleneck situation, which will probably create a whole host of ancillary issues. After all, it’s easy on paper to divide these different types of data (non-private, private and security-classified) into separate categories, but I think the Government will find in practice that they can be somewhat intermingled. For example, if you’re operating a website from the cloud with a login capability (or even one that sets cookies to intelligently identify those using it), can that data be kept offshore or not? There are thousands of these kinds of use cases which IT staff will need to grapple with; and taking an issue all the way up to your Minister, not to mention then to the Attorney-General, is a high bar indeed.
A policy which stipulates that only one individual in the whole Federal Government can approve the use of IT assets in a certain manner is, by definition, asinine and irrational. Dreyfus doesn’t even have a personal background in technology. It seems ridiculous that he would be the only arbiter of which of the millions of datasets the Federal Government holds can be kept in the cloud, and which can’t. I’ll be interested to hear the thoughts of those who work in the public sector on this situation.