Australian government foreshadows ‘sovereign data’ classification

The Australian government will examine sovereignty requirements for certain datasets it holds that are of concern to the public, on top of security policies that already apply to such data.

Speaking at the National Press Club today, Stuart Robert, Australia’s minister for government services, said the government will consider whether such datasets should be declared sovereign and only be hosted in Australia in an accredited local datacentre, across Australian networks and only accessed by the government and Australian service providers.

The move is driven at least in part by concerns about the choice of Amazon Web Services (AWS) to store the data collected by CovidSafe, Australia’s contact-tracking app.

Exactly how much data has been collected by the app is moot, as it has reportedly been hobbled by iOS features designed to help protect the privacy and security of iPhone users.

The government recently said CovidSafe will not be modified to take advantage of the framework co-developed by Apple and Google to improve the effectiveness of such apps. It remains to be seen whether the current Covid-19 flare-up in Victoria will change that position.

But as Robert pointed out, “the app has had some of the greatest take-up of sovereign contact-tracing apps all over the world, with over 6.5 million registrations”.

Overseas laws – notably those in the US – that require foreign-owned companies to provide their governments with access to data held on behalf of Australian organisations and individuals have been a stumbling block in running some Australian workloads on public clouds – even if these are confined to onshore datacentres.

Public acceptance of the Australian government’s ongoing digital transformation programme will likely be boosted if the idea of sovereign datasets is enacted and enforced.

These transformation plans, according to Robert, include the ongoing development of a whole-of-government architecture embodying the principle of “buy, build or develop once and use many times”.

The plans will be achieved, in part, through a common set of application programming interfaces, a national approach to digital identity and a recognition that “delivering services that are simple to access and use does not stop at the boundary of one tier of government”.

Aidan Tudehope, managing director at Macquarie Government, welcomed the government’s announcement, noting that the move is more than just about where data is stored.

He said: “Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction or is controlled by a cloud service provider over which another jurisdiction extends. Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US Cloud Act demonstrates.

“The only way to ensure Australian sovereignty is maintained over citizen data collected by government is to ensure it is hosted in an Australian cloud in an accredited Australian datacentre and is accessible only by Australia-based staff with appropriate security clearances from the government.”

Tudehope said this policy will foster Australia’s homegrown cloud and IT industries and reduce the country’s dependency on global providers to support its digital economy, which is vital to its long-term national interest.

In a statement to Computer Weekly, Iain Rouse, country director for AWS worldwide public sector in Australia and New Zealand, said the company is “committed to providing all our customers with the most extensive set of security services and features to help protect and secure their data”.