In an ever-evolving global and IT-based market, active participants must understand the privacy law considerations for Australian businesses that seek to store data, including personal information about individuals, in a cloud operated by an external cloud computing provider.
Caroline James, Lawyer, wrote an article on the privacy issues involved in cloud computing, which was published in the LexisNexis Privacy Law Bulletin in July 2017.
The key takeaway points relate to:
Is there disclosure?
Storing personal information in an externally operated cloud computing service is generally considered to be disclosure for the purposes of Australian Privacy Principles 6 and 8. Entities should obtain consent from the individuals concerned before seeking to store data in this way.
Security of information
When negotiating an engagement agreement with a cloud computing provider, businesses should ensure that storage methods are adequately secure and that personal information is destroyed or de-identified after use.
New mandatory notification law
The new mandatory notification provisions under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Privacy Amendment Act) may apply to both businesses and cloud computing providers, but ideally the original business should be the party that determines whether a reasonable person would conclude that serious harm will likely result from an eligible data breach, and whether a notification should be made.