sdecoret -

Australian government foreshadows ‘sovereign data’ classification

The Australian government will examine if certain government datasets should be declared sovereign and only be hosted in the country

The Australian government will examine sovereignty requirements for certain datasets it holds that are of concern to the public, on top of security policies that already apply to such data.

Speaking at the National Press Club today, Stuart Robert, Australia’s minister for government services, said the government will consider whether such datasets should be declared sovereign and only be hosted in Australia in an accredited local datacentre, across Australian networks and only accessed by the government and Australian service providers.

The move is driven at least in part by concerns about the choice of Amazon Web Services (AWS) to store the data collected by CovidSafe, Australia’s contact-tracking app.

Exactly how much data has been collected by the app is moot, as it has reportedly been hobbled by iOS features designed to help protect the privacy and security of iPhone users.

The government recently said CovidSafe will not be modified to take advantage of the framework co-developed by Apple and Google to improve the effectiveness of such apps. It remains to be seen whether the current Covid-19 flare-up in Victoria will change that position.

But as Robert pointed out, “the app has had some of the greatest take-up of sovereign contact-tracing apps all over the world, with over 6.5 million registrations”.

Overseas laws – notably those in the US – that require foreign-owned companies to provide their governments with access to data held on behalf of Australian organisations and individuals have been a stumbling block in running some Australian workloads on public clouds – even if these are confined to onshore datacentres.

Read more about data protection in Australia

  • Australian organisations can address data protection challenges by creating roles such as a data governance lead, classifying data and improving employee awareness of cyber hygiene.
  • Australia’s data breach notification rules have largely been complied with, but some quarters are calling for more clarity on the reporting threshold and tougher action against errant firms.
  • Australian businesses are starting to explore their obligations and responsibilities under the country’s new Consumer Data Right (CDR) legislation and assess what changes they may need to make to ensure compliance.
  • Australia and New Zealand have seen a four-fold increase in the amount of data moving from on-premise environments to the top public clouds, survey finds.

Public acceptance of the Australian government’s ongoing digital transformation programme will likely be boosted if the idea of sovereign datasets is enacted and enforced.

These transformation plans, according to Robert, include the ongoing development of a whole-of-government architecture embodying the principle of “buy, build or develop once and use many times”.

The plans will be achieved, in part, through a common set of application programming interfaces, a national approach to digital identity and a recognition that “delivering services that are simple to access and use does not stop at the boundary of one tier of government”.

Aidan Tudehope, managing director at Macquarie Government, welcomed the government’s announcement, noting that the move is more than just about where data is stored.

He said: “Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction or is controlled by a cloud service provider over which another jurisdiction extends. Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US Cloud Act demonstrates.

“The only way to ensure Australian sovereignty is maintained over citizen data collected by government is to ensure it is hosted in an Australian cloud in an accredited Australian datacentre and is accessible only by Australia-based staff with appropriate security clearances from the government.”

Tudehope said this policy will foster Australia’s homegrown cloud and IT industries and reduce the country’s dependency on global providers to support its digital economy, which is vital to its long-term national interest.

In a statement to Computer Weekly, Iain Rouse, country director for AWS worldwide public sector in Australia and New Zealand, said the company is “committed to providing all our customers with the most extensive set of security services and features to help protect and secure their data”.

Read more on Data protection regulations and compliance

Data Center
Data Management