Privacy commissioner reminds APRA of data offshoring rules

The Office of the Information Commissioner has urged APRA to heed Australian privacy law as it develops its data protection guide for the finance sector.

In a draft guide released in December, APRA noted that it had become easier for banks and insurers to move their data to outsourcers, whether in Australia or offshore.

Just two years ago, companies kept their cloud usage quiet, largely due to APRA’s November 2010 warning that cloud computing was a form of outsourcing that needed its tick of approval.

But recent deals inked by the Commonwealth Bank, Bank of Queensland and CGU with Salesforce.com – a cloud-based CRM vendor with no Australian data centre – indicate that APRA’s data location requirements are not prohibitive.

The Office of the Information Commissioner (OAIC) referred APRA to Australia’s National Privacy Principle (NPP) 9 and its upcoming replacement APP 8, which define when organisations may transfer Australians’ personal information to an offshore provider.

“NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme,” the OAIC wrote in its submission to APRA.

“The scheme may be a law of that country regulating personal information-handling, a treaty or other instrument, or a contract.

"The OAIC recommends that the Draft Practice Guide expressly refer to the obligations regarding the handling of personal information set out in the Privacy Act."

NPP 9 allows data to be offshored only with the individual’s consent, if the transfer is necessary for the organisation to provide a pre-contracted service provision, or if the transfer is “for the benefit of the individual” and likely to gain the consent of the individual.

APP8 (pdf), which comes into effect next March, is more prescriptive about how individuals’ consent is obtained, and makes organisations accountable for any data breaches their third party partners suffer.

Risk-based approach

To date, APRA has assessed financial institutions’ cloud computing plans on a case-by-case basis.

Its official position on cloud computing is outlined in its November 2010 letter and October 2006 prudential practice guide on outsourcing (pdf).

In the case of insurer CGU, only a subset of data is stored in the Salesforce.com cloud, including sales figures and account renewals.

That data is also replicated in CGU’s internal databases and displayed alongside locally hosted data via an integrated user interface.

Commonwealth Bank chief information officer Michael Harte said the regulator had been supportive of it moving applications – including its Commbank.com.au website – to Amazon Web Services.

“All they want is risk-weighted calculus on what you’re doing, [and] consultation on what you’re doing,” Harte told iTnews on the sidelines of an AIIA luncheon last week.

“Everytime we’ve taken something to them they’ve been very, very supportive and they’ve been helpful, telling us how we might even improve it. So yeah, we have a great relationship in that regard and it’s never stop us from being innovative.”

Ovum analyst Steve Hodgkinson suggested that regulators’ earlier warnings were against “rogue” cloud implementations, where non-IT staff rolled out services heedless of IT policy.

He said organisations were developing more considered cloud computing strategies and becoming more accepting of international cloud services as the technology industry matured.