Data Sovereignty and the Cloud report
This research and policy report examines the technology of the cloud, insurance risk issues around data sovereignty, approaches to assess and minimise this risk, comparisons of legal means of accessing data held by Australian companies under local and US jurisdiction (where many cloud services originated), and options for including these issues in existing organisational data risk analysis and management processes. European perspectives are also considered.
Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide -
Technical, legal and risk governance issues around data hosting and jurisdiction
By David Vaile, Kevin Kalinich, Patrick Fair and Adrian Lawrence
Cyberspace Law and Policy Centre, UNSW Faculty of Law, with support from NEXTDC, Baker & McKenzie and Aon.
Version 1.0, 2 July 2013
Launched at media conference at Baker & McKenzie's Sydney office by Mr Chris Chapman, Chair and CEO of ACMA, with moderation by Steve Wilson of LockStep Consulting of a panel of Craig Scroggie (NEXTDC CEO), Eric Lowestein (cyber-risk expert from insurer Aon), Adrian Lawrence (co-auther and partner from Baker & McKenzie) and David Vaile (co-author from CLPC).
Data Sovereignty and the Cloud: Long version 1.0 (contains the extensive references, links, notes and appendices)
Data Sovereignty and the Cloud: Short version 1.0 (the text only)
Alternate sources for full version :
Vaile, David; Kalinich, Kevin; Fair, Patrick; Lawrence, Adrian, "Data Sovereignty and the Cloud: A Board and Executive Officer's Guide"  UNSWLRS 84, http://www.austlii.org/au/journals/UNSWLRS/2013/84.html
David Vaile, Kevin Kalinich, Patrick Fair, and Adrian Lawrence, "Data Sovereignty and the Cloud A Board and Executive Officer’s Guide" (December 2013). University of New South Wales Faculty of Law Research Series 2013. Working Paper 86. http://law.bepress.com/unswwps-flrps13/86
Vaile, David and Kalinich, Kevin P. and Fair, Patrick V. and Lawrence, Adrian, "Data Sovereignty and the Cloud: A Board and Executive Officer's Guide" (December 16, 2013). UNSW Law Research Paper No. 2013-84. Available at SSRN: http://ssrn.com/abstract=2369660
Addenda (further documents coming to light since v1.0 went to print, for inclusion in the next revision's References section):
- Attorney-General’s Department (AGD), Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements, Business Law Branch, Attorney-General’s Department, July 2013, v 1.0.
- Australian Communications and Media Authority (ACMA), The cloud: services, computing and digital data - Emerging issues in media and communications, Occasional Paper 3, 12 June 2013.
- Australian Communications Consumers Action Network (ACCAN), Position Statement: What Consumers need from cloud computing, 11 December 2012 [guide for cloud providers on consumer protection principles].
- Australian Computer Society (ACS), Cloud Computing Consumer Protocol -- ACS Cloud Discussion Paper, July 2013.
- Australian Computer Society, ACS Cloud Protocol Consultation -- Report on the outcomes of the ACS public consultation on Cloud Protocol, 11 November 2013.
- Australian Government Information Managment Office (AGIMO), Australian Government Cloud Computing Policy: Maximising the Value of Cloud [for Australian Government Agencies], Department of Finance and Deregulation, 29 May 2013.
- Australian Industry Group (Ai Group), Submission to Australian Computer Society Discussion paper on the Cloud Computing Consumer Protocol 6 September 2013. At: http://www.acs.org.au/__data/assets/pdf_file/0017/22382/23-060913-Cloud-Computing-Protocol-submission-final-AiGroup.pdf
- Australian Prudential Regulation Authority (APRA), Prudential Practice Guide CPG 235 – Managing Data Risk, APRA, September 2013 [apply to authorised deposit-taking institutions or ADIs].
- Australian Prudential Regulation Authority (APRA), Prudential Practice Guide CPG 234 – Management of security risk in information and information technology, APRA, May 2013.
- Department of Communications(DoC), Cloud Computing Regulatory Stock Take, forthcoming, 2014 [after consultation in December].
- Department of Broadband, Communications and the Digital Economy (DBCDE), The National Cloud Computing Strategy, May 2013.
- Data Insurance Licensing, The Next Generation of Data Insurance: High Indemnity and Broad Coverage Against Permanent Loss, Data Insurance Licensing Ltd, Oakville, Ontario, Canada, version 2013.4.4, 2013.
- Joint Parliamentary Committee on Intelligence and Security (JPCIS), Report of the Inquiry into Potential Reforms of National Security Legislation, Parliament of Australia, 24 June 2013.
- Standards Australia, IT-038 Distributed application platforms and services (DAPS) technical committee
- ISO, ISO/IEC JTC 1/SC 38 Distributed application platforms and services (DAPS) technical committee, SC38 N 881 Service Level Agreements Framework and Terminology
NB: a number of major developments in other jurisdictions around IT security and surveillance also occurred shortly after the publication in July 2 2013. The reader is invited to build on material in the report in the context of these developments. Further work may be done by the authors on these matters.