Data has become one of the most valuable assets to businesses, economies, and societies around the world. It enables us to analyse patterns to predict future events, understand consumer behaviour to better sell products, or in the case of cybercriminals, steal personally identifiable information (PII). The potential uses for PII are endless, which explains why the world’s five most valuable brands (Apple, Google, Microsoft, Amazon, and Facebook) have data at their core.
As organisations move to the cloud, there is a need to address concerns around where data is physically stored, which is the question of data sovereignty. Data sovereignty is defined as maintaining authority and control of data within jurisdictional boundaries, and as we race into the fourth industrial revolution, it is a key issue faced by organisations in both public and private sectors.
Data sovereignty and the argument for onshore storage
Today’s global and digital market means state borders don’t always exist, meaning regional legislation is often adopted as an industry standard framework. For example, the General Data Protection Regulation (GDPR), which was implemented across the European Union in 2018, has largely been adopted across the globe as standard practice.
However, while the GDPR is generally followed in most markets, every region still has its own data sovereignty laws and regulations. In Australia, the Digital Transformation Agency’s (DTA) Hosting Certification Framework governs public sector data, requiring all government data to be stored onshore in data centres with certified strategic or assured accreditation.
Meanwhile, non-government organisations follow the Australian Privacy Act, and while the provisions set out by this act do allow offshore storage in some situations, personal data linked to individuals generally needs to be de-identified and/or aggregated to remain compliant.
But with the Privacy Act currently undergoing reform, added data sovereignty laws are likely to provide citizens with further protection and to ensure Australian data is secure and compliant, across both the public and private sectors. As these worlds start to collide and legislation changes, organisations should look to adopt best practice regarding their storage of data.
When data is stored onshore, Australian citizens and businesses have the right to influence how this data can be interacted with and have input on what the government can do with it.
When that same data is stored offshore, Australian businesses and citizens are powerless to object to or protest any changes in data laws and regulations, and unable to stop the local government seizing data or building backdoor access for state interests.
Locally stored data is better protected from unauthorised access by foreign state actors and offshore threat vectors, providing increased security and more responsible use of Australian data.
As a result, many IT businesses and managed service providers have committed to building onshore data centres, either as physical centres or as points-of-presence to store citizens’ data onshore safely and securely, where it is protected by local data protection laws.
Nice to have, or an essential asset?
With all this in mind, it is important to note the internet is immutable storage. As a result, any data shared online through the likes of Facebook, Google or Amazon is already stored in offshore data centres, and there’s no comprehensive data retrieval process available to get it back. For private sector businesses, being able to guarantee that any future data shared by a customer won’t leave Australia will certainly provide a sense of security, but given most Australians have no idea where their data is stored anyway, it’s unlikely to be of significance. There are two areas, however, where data sovereignty becomes essential.
1. The public sector
Public sector organisations hold citizens’ most sensitive information, from medical histories and financial records to PII. As a result, the way they store data is of crucial importance, hence the DTA’s strict framework.
The DTA announced in June 2021 that it was moving to store all sensitive data onshore in the name of national security and privacy interests. As a result, the public sector has been able to protect sensitive data and enhance its sovereign digital ecosystem, setting a best practice example for Australia’s private sector to follow.
2. Future generations
The other area where data sovereignty and onshore data storage will become integral is future generations of Australians. By setting up effective data sovereignty regulations and strong local data centres now, our future generations can ensure their sensitive data is secured locally and is not at the mercy of foreign governments.
There is no upside to sending data offshore for storage; all this does is expose sensitive information to additional risk. By investing in onshore data centres and further developing data sovereignty, Australia can minimise risk and provide better protection and peace of mind for our nation’s data.