Australian government agencies are developing a Cloud framework for government agencies to follow, but a stance against storing classified data in off-shore locations has garnered ire from the US.
Australian Government Information Management Office guidelines released in February this year state agencies must adhere to IPP 4 – storage and security of personal information regulations, which requires agencies to ensure adequate security protections are in place against the misuse or loss of personal information.
“When the provider is located off-shore, satisfying IPP 4 may be more difficult. By using a cloud service, an agency is relinquishing some degree of control over its data,” the guide says.
It also highlights that off-shore data may be stored in jurisdictions where privacy laws differ from those in Australia, and that some countries have provisions which allow their governments to access Australian information.
“For instance, the USA Patriot Act 2001 contains provisions allowing the US Government to access information in specified circumstances, (i.e. cases involving suspected terrorism or threats to national security) irrespective of the geographical location and, without necessarily advising the agency,” it states.
However, the US government has labelled the policy as a trade barrier for companies with data centres in the US and, in its 2012 National Trade Estimate Report on Foreign Trade Barriers, says Australia is misinterpreting the US Patriot Act.
The report states some Australian government departments have been sending out “negative messages about cloud computing services to potential Australian customers in both the public and private sectors, implying that hosting data overseas, including in the United States, by definition entails greater risk and unduly exposes consumers to their data being scrutinized by foreign governments.”
However, Rodney Gedda, senior analyst at Telsyte, says Australia is within its right to do this.
“All sovereign governments have the right to place restrictions on how and where public information is managed and stored,” he says. “Concerns surrounding foreign government access to private information, for whatever purpose, should not be immediately interpreted as economic protectionism as these two concepts can arise for very separate reasons.”
Glenn Archer, first assistant secretary policy and planning at AGIMO, says the government has “been quite explicit about where we think it’s safe to play”.
“I guess the [model] that gets the greatest attention is the issue of storing sensitive or personal information in the public Cloud, and at this time our position is we don’t think that’s advisable … [the] technology and the offerings from providers has not advanced sufficiently for that to be a wise thing to do,” Archer says.
On the other hand, where information is not sensitive and already in the public domain, Archer says public Cloud can be appropriate, with AGIMO currently using it for around 700 to 800 datasets on the data.gov.au website.