Data Sovereignty In Australia – Overview and Answers + Security Platform Checklist

-> Download Now -> Free Data and Security Platform Checklist

Data Sovereignty, the requirements are often country-specific or even region-specific. 

Some of the most well-known such regulations include the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act  (CCPA) in California, U.S. 

Australia’s national Data Residency and data localisation rules, collectively known as the Australian Privacy Principles (APPs), are contained largely within two acts of Parliament.

• Australia Privacy Act 1988: This act initially created the APPs and still stands as the cornerstone of Australian rules for the handling of personal data.
• Privacy Amendment Act 2012: This act modified the original Privacy Act, including the introduction of new rules for the processing of personal information by corporate and government entities. 

Other smaller amendments have also been made to the APP since 1988. The Privacy Amendment Act 2017, for example, established the Notifiable Data Breaches (NDB)  scheme. 

This scheme introduced requirements for notifying affected individuals when their personal data was included in a data breach.

Data sovereignty and residency requirements in Australia vary depending on the type of data being stored.

There aren’t any data residency rules that cover personal data as a whole, although any time you send data offshore or allow people offshore to access your data, you need to comply with the above-mentioned APPs.

Health data, for instance, has some of the strictest data sovereignty and residency requirements in Australia. My Health Records and all associated data, including back-ups, must never be processed, held, taken, or handled outside of Australia.

Many states and territories within Australia have additional data requirements limiting the disclosure of health records outside of the state/territory without consent.

Other types of data that are often subject to data residency requirements in Australia include Financial data and any goods, technologies, or software on the Defence and Strategic Goods List (DGSL). 

Australian Data Sovereignty laws and residency requirements often extend beyond just the information in your database. In most cases, the operational and configurational data related to your technology infrastructure is covered by the same regulations as the personal data they relate to.

-> Download Now -> Free Data and Security Platform Checklist

With more and more data being stored and processed in the cloud, providers like Amazon Web Services (AWS) are now playing a crucial role in Data Sovereignty Australia compliance.

This is especially true for data related to Software-as-a-service (SaaS) systems.

AWS has extensive Australian data privacy resources for understanding the roles that both AWS and their customers play in maintaining compliance with the APP and other privacy regulations.

This includes, for example, information on how AWS handles customer notifications in the case of a data breach, in line with Australian NDB.  

AWS doesn’t have direct knowledge of the data in its servers or their privacy requirements. Instead, the company provides infrastructure and access controls designed to help you manage the location and security of your data. 

While AWS has cloud hardware all across the globe, they provide easy ways to limit data storage and processing to specified regions.

Any data subject to APP Data Residency and Data Sovereignty requirements can, for example, be processed entirely in the Asia-Pacific Southeast region, which is located in Sydney.

SaaS system suppliers will often apply for, and receive, Government agency accreditation to validate their entire data storage structure and process where their platforms use AWS infrastructure.