The Improbability of Privacy Act Compliance, Pt 2

Australia's new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services.

Most of the initial resistance by CIOs to the use of cloud services is dissipating as the weight of opinion swings in favour of the model, spurred on by the availability of onshore clouds.

Organisations looking to public cloud computing services that are hosted offshore will need to consider Australia's amended Privacy Act in detail. The new Australian Privacy Principles (APPs) deal with transborder data flow slightly differently to the current legislation.

From March 12, if data is disclosed offshore to a third party provider, your organisation can be held vicariously liable for any breach by that third party. If there is a breach at your cloud computing provider, it is treated as your breach.

In this blog series:

The Office of the Australian Information Commissioner (OAIC) has provided two 'get out of gaol' cards — which I fully expect corporate Australia will make use of.

I'll explore each separately.

The Commensurate Contract Card

The first is if — in the case of a breach — an organisation can prove that they had done the necessary due diligence on their provider. Specifically, that they were disclosing the data to a jurisdiction with the same privacy rigours as Australia, or had contractually bound their third party provider to provide protections that would meet APP standards.

This is not an easy card to play. The cost benefit of cloud services relies on offering compute at scale, which has usually meant it is provided offshore from multiple locations, and relies also on a generic, cookie-cutter service for which there is a template contract.

For some clouds, you might not even know where your data is located. And even if you did know your data was to be located in Singapore, Japan, Hong Kong or in the United States, for example, it is unlikely you can genuinely argue that the protections in these jurisdictions meet the rigours of our Privacy Act.

It is also extremely rare to obtain a contractual promise from a cloud provider to comply with the Australian Privacy Principles. It is rare to find a cloud provider that agrees to comply specifically with Australian law, for that matter.

As my co-author Mark Vincent notes, most cloud providers are likely not to concern themselves with any laws beyond the safe harbour provisions in US law, where their operations tend to be first incorporated. His recently updated 'Cloud Cover' paper reveals that few cloud computing providers offer much of a guarantee around security at all.

"There are mismatches — if you want to rely upon the provider offering an equivalent level of protection for compliance with the APP — they probably won't be there in the standard contracts," Vincent told our workshop on Privacy Act compliance.

"I've had many clients say, 'If this or that cloud provider is good enough for the rest of the world, I'll assume they are good enough for me. I don't even want you to read over the terms and conditions — I'd rather not know. I just want it signed'.

"But there remains an obligation on your part to take reasonable steps to secure information.

"Where you have cloud providers that don't promise to abide with the APPs — or providers that don't promise to take particular steps in relation to security — there is an argument you are not doing enough."

That guidance has to be balanced, he argued, against the practicality of taking steps to contractually bind your provider. If an organisation was large enough to meet the $3m annual revenue threshold to be caught by the Act, but too small to negotiate for anything beyond the standard contract offered by Microsoft Office365 or Google Apps, would it be 'reasonable' for them to have chosen otherwise? If large retail chains don't have the weight to compel a cloud provider to audit or tell you what security tools they are using, who can?

Vincent concludes in our paper (due for release later this week) that it all comes back to the word, 'reasonable'.

He doesn't expect the Office of the Australian Information Commissioner (OAIC) is going to "necessarily go after people who rely on Microsoft to provide security around Office365 or Amazon around its bare metal."

Indeed, as InfoSec specialist Paul Steen from Imperva pointed out to roundtable attendees, "even when a cloud provider's security is less than ideal, most CIOs would compare it to their own security and say — I'll take the cloud."

"I don't think the world's leading IT providers will be criticised for having inadequate security," Vincent agreed. "I don't think the OAIC is going to say that organisations are lax with their security by outsourcing a service to Microsoft, Rackspace or Amazon. Because in reality, these service providers probably offer world leading security, well beyond the capability of individual organisations.

"There will be pressure applied from both regulators and customers to get cloud providers to meet minimum acceptable contractual terms.

"What the Information Commissioner might ask is: are you are taking adequate and reasonable steps on those things that are within your control?"

"You need to consider the nature of the information you're putting into that cloud. You need to look at the existing technical and operational safeguards implemented by the overseas recipient of the data — perhaps there are additional steps, such as encryption, that may be required where the recipient has limited safeguards in place, or where the data is particularly sensitive."

Indeed, one participant in our working group — operating in the sensitive area of healthcare data — noted that a cloud provider's claims to security only tend to apply to a discrete segment of the total computing stack.

"All of the standards Amazon [Web Services] claims to comply with — PCI, ISO 27001, SSA16, that's all at their layer," he said. "Anything above that — your virtual machine, your app stack —that's all up to you to protect and they won't claim responsibility for securing it.

"Don't be misled by standards written in a [IaaS] provider's whitepaper. That's only the protections they offer in your networking layer, and not what happens beyond their bare metal."

The good news for end users is that the continual pressure applied on cloud computing providers is yielding results. Services from Amazon, Rackspace, SuccessFactors and [soon] Microsoft Azure have been made available onshore, and the amended Privacy Act is likely to drive and others to do the same.

Further, several CIOs have managed to convince cloud providers to provide more information on IT security or at least open up their systems and processes for audit. CIOs are advised to look for operators that claim to be ISO 27001 and use that as leverage to seek audit and inspection rights.

There doesn't seem to be an easy rationale for why every CIO is told a different story. Some of the largest banks have been refused entry to cloud data centres, while small government agencies have managed to seal these measures into the deal.

"There is enough competition now between the cloud providers — so demand that security!" Steen said. "Make IT security the differentiator — make it one of your bargaining chips between competing solutions."

I'm more than open to any IT manager game enough to tell me on record what tactics they used to win the right to audit or to insist on specific security measures in their cloud computing contract.

The Consent Card

The other 'get out of gaol' card for transborder data flows under the Privacy Act is to gain the "express, informed consent" of the individual concerned before you move the data.

Consent is one of the central themes of the amended Australian Privacy Act. The amended Act requires the express, informed consent of a user at the point personal information is collected, with clear communication on the intended purpose for collecting the information.

Consent is a massive issue for the CIOs we surveyed for this study. Customer data organisations have amassed over the decades prior to this Act coming into force is unlikely to have been collected with the necessary level of consent. Neither have databases and other systems necessarily been built to store consent information in an auditable fashion.

Consent is especially problematic for those organisations investing in Big Data — a theme which I will explore in greater detail tomorrow.

"The question is, what is express, informed consent going to look like?" Vincent asks. "Is that clause 173 at the back end of your terms and conditions which you can find after seven clicks on the web site?"

The answer is a resounding "no".

Our report recommends that organisations revamp how they deal with consent at the point of collection.

"This one issue underpins much of the offshore processing of personal information — offshore call centres, big data and direct marketing. Whether you have obtained express, informed consent is the key issue," Vincent notes.

We have gone into some detail in the report about what 'express, informed' consent looks like but one thing you can be sure of is that the majority of today's cloud services don't cut it.

"Privacy consent is now in a different class to what was acceptable under a click-wrap contract, which has otherwise become a principle of online commerce," Vincent noted. "The Privacy Act requires more than for your customer to simply say 'I agree' to dozens of pages of click-wrap terms."

I'll explore the issue of consent, the Privacy Act and Big Data in tomorrow's blog post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.