Understanding Data Sovereignty Laws for Australian State and Federal Government
Draft read at your own risk
This article discusses issues around Data Sovereignty in the context of providing cyber security / technology solutions for State and Federal Government, where solutions may transmit data to overseas data centre and resource locations. The most important thing to remember is that every single government agency will need to be assessed based on its own security policies and legislation.
This is just a synopsis of my experience in designing solutions for State and Federal Government agencies.
The following terms and descriptions are common in this discussion:
- Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. Many of the current concerns surrounding data sovereignty relate to data stored in a foreign country being subpoenaed by that host country’s authorities, or accessed by malicious actors, because the prevailing laws do not set prohibitive enough punishments or because monitoring is not strong enough.
- Data residency refers to the physical or geographic location of an organization’s data or information. Like data sovereignty, data residency also refers to the legal or regulatory requirements imposed on data based on the country or region in which it resides.
- Data and metadata
- Resource locations
- PII is Personally Identifiable Information, which can be used to identify an individual; for example name, Social Security Numbers and biometric records. The scope of PII is broad and PCI-DSS covers only a part of it. Below are examples of PII:
  - Date of Birth
  - Cell Phone Number
  - Email Address
  - Biometric records
  - Social Security Number
  - IP address
  - Log in accounts
  - Vehicle Identification Number
  - Credit Card Information
  - Health Records
  - Passport Number
  - Bank Account Number
- APP, Australian Privacy Principles
  - Australian organisations are required to keep personal identifiable information (PII) data inside defined sovereign borders.
Applicable laws that affect Data Sovereignty in Australia:
- APRA CPS 234 – https://www.upguard.com/blog/cps-234-compliance
- US Government – Patriot Act
- Australian Privacy Principles
- Health Record Act
- Security of Critical Infrastructure Act 2018 – https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018
- Distributor’s license under Electricity Supply Act 1995 (NSW) – https://www.ipart.nsw.gov.au/Home/Industries/Energy/Energy-Networks-Safety-Reliability-and-Compliance/Electricity-networks/Licence-conditions-and-regulatory-instruments/Ministerially-imposed-licence-conditions-Endeavour-Energy-to-operate-a-distribution-system-June-2017
- Protective Security Policy Framework (PSPF)
- Information Security Manual (ISM) and DSD guidance on cloud computing security considerations
- Whole of Victorian Government security standards
- Federal Government Protective Security Policy Framework (PSPF) – http://www.protectivesecurity.gov.au/pspf/Pages/default.aspx
- Information Security Manual (ISM) – http://www.dsd.gov.au/infosec/ism/index.htm
- DSD Cloud Computing Security – http://www.dsd.gov.au/infosec/cloudsecurity.htm
- Public Records Act – http://www.legislation.vic.gov.au/Domino/Web_Notes/LDMS/PubLawToday.nsf/a12f6f60fbd56800ca256de500201e54/8b8a04cd2c8c1a84ca257d72001b79fc!OpenDocument
- Health Records Act – http://www.legislation.vic.gov.au/Domino/Web_Notes/LDMS/PubLawToday.nsf/a12f6f60fbd56800ca256de500201e54/831f48e2ff4ec9a8ca2580b80018652d!OpenDocument
- Victorian Protective Data Security Framework and Standards
Let’s start by defining what we mean by data sovereignty. For the purposes of this discussion, data sovereignty is defined as converting and storing data in binary digital form inside Australia or its external territories. The assumed benefit of data sovereignty is that the data is kept in Australia and is not subject to the privacy laws of another country, as it would be if it resided outside Australia. Here it is important to say that while almost all PII is data, not all data is PII. Organisations that adopt data sovereignty without classifying their data types are limited in their ability to work with third party agencies on innovation for their organisation.
From here we can say that data sovereignty is a possible upside for organisations that do not have adequate data classification in place, but does this reduce an organisation’s obligations under its risk management policies? Does adopting a policy to maintain data sovereignty, as stated above, exempt an organisation from the APP guidelines on data control? The short answer is no.
In reality, any time you send data out of your network, regardless of whether it is to an Australian third party or to a global agency with capability around the world, you need a solid data classification and risk management policy in place around the transfer of that data. This is outlined in the Australian Privacy Principles (APP), which define the responsibilities organisations have when sending data overseas to a third party agency.
According to the Australian Privacy Principles, Principle 8 – cross-border disclosure of personal information, subclause 8.1:
Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
a. who is not in Australia or an external Territory; and
b. who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Therefore, organisations must take steps to ensure that the recipient of data sent overseas is not in breach of Australian Privacy Principles. There are a number of exceptions to subclause 8.1. For example, subclause 8.2 provides in part:
Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
a. the entity reasonably believes that:
i. the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
ii. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.
In either case there is one important principle that all organisations, be it the organisation itself or the third party agency it desires to use, should adhere to. As highlighted by Jodie Siganto LLM, CISSP, Director for IT Security Training Australia, organisations must not collect personal information unless it is necessary for one of their functions or activities. Hence it is important to ask the following questions when considering any third party agency:
- What data are they collecting and why?
- Do they adhere to your data policies?
- Are they collecting data they don’t need?
1. What data is being sent offshore and can I control what you are sending?
2. How is the information sent offshore stored and used?
3. What protection is given to the data you are sending offshore?
4. Do you have any particular standards you follow that give assurance that you are adequately protecting our data?
5. Do I have the ability to report on the data that has been sent offshore and how easily can I access this data?
What regulatory/legal compliance requirements exist for data sovereignty and/or for resourcing to be within Australia?
The most important aspect of winning Federal and State Government business is to have IRAP certification. While this may not be mandatory, agencies will of course favour suppliers with this certification, as well as ISO 27001 Information Security Management, ISO 9000 Quality Management, ISO 20000 ITIL, etc.
Also, this isn’t straightforward: every agency is governed by different jurisdictions, legislation and policies. Every RFP needs to be assessed on a case by case basis, and as per a recent review by Setway Hayes for DHHS, the SIEM data was classified as Sensitive and therefore .
The definition of Official: Sensitive is a low to medium business impact, that is, limited damage to an individual, organisation or government generally if compromised. The handling of Official: Sensitive information, as defined in PSPF Table 7, states: https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Documents/infosec08-table7.pdf
| Requirement | Official: Sensitive |
|---|---|
| Protect information when transferred between physical establishments outside Australia | Transfer between physical establishments outside Australia is permitted if unauthorised access is deterred, e.g. external mail is sealed. |
- The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Signals Directorate (ASD). Protecting Australian government data from access, abuse and disclosure remains a prime consideration when procuring and leveraging services. These services provide comprehensive controls over the customer IT control environment, simplify the management of security services, and provide improved security outcomes for the Australian Government.
Here is another example for critical infrastructure, such as energy providers. Energy providers must attain licenses with Federal and state governments to provide energy, and the license has strict ‘data sovereignty’ requirements. Again, every RFP and customer will vary. Snowy Hydro hasn’t got approval for this license yet!
Here are the sections from the customer-provided ‘Electricity Supply Act 1995 (NSW)’ (attached) stating requirements for services and data to be within Australia.
- Regulatory Driven Security Testing
Data sovereignty vs data residency.
Data residency is not data sovereignty, yet the two terms are incorrectly used interchangeably. Data sovereignty provides government with the means to prevent unvetted access by foreign contractors, support staff and entities to sensitive government data; data residency does not.
Data residency refers to the physical location of where data is stored, and is an important term for commercial and taxation purposes.
Data sovereignty refers to the jurisdictional control or legal authority that can be asserted over data because its physical location is within jurisdictional boundaries. Data sovereignty is an important term for regulatory and data security purposes.