Australian unis in mass Microsoft email migration

Look to the Privacy Act

Universities need to keep in mind two key pieces of legislation when hosting emails containing personal information offshore, according to Malcolm Burrows, practice director of Brisbane-based privacy law firm Dundas Lawyers.

The first is the Australian Privacy Act, which is due to be updated in March 2014. The second is the United States Patriot Act's Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

“Australian organisations storing information in the cloud are still subject to regulation by the Privacy Act and in particular must comply with National Privacy Principals,” Burrows said. “NPP 9 deals with transborder data flows and requires an organisation to consider the destination country to have similar privacy laws or to obtain consent.

“The first threshold question is whether personal information is being sent offshore which may subsequently be accessed because of the broad powers contained in the Patriot Act.”

The Patriot Act accommodates for nation-wide search warrants for emails, and because of the breadth of the Act’s powers, there is risk of inadvertent disclosure of all content in and attached to emails, Burrows said.

“Law enforcement agents do not have to physically visit the ISP, and prosecutors and judges have no control over determining whether a warrant may be obtained,” Burrows said. 

"Whilst the right to obtain and subsequently use information appears limited, as with the disclosure of any information there is a risk that there may be further inadvertent disclosure."

Burrows said while the Patriot Act was not designed to allow for malicious objectives, the broad powers for foreign intelligence gathering and the granting of warrants meant emails may not be as secure as the senders and receivers think. 

“The use of emails to send and receive information ... is subject to the whims of the United States government,” Burrows said.

“The information sent and received could be subject to a foreign intelligence investigation for the sole reason that such information could be of benefit to the United States. This could lead to further implications, if information accessed by the United States is, for example, used by researchers in patents.” 

Additionally, the new incoming Australian privacy law will require all organisations to notify affected parties if there is a likelihood their data will be held offshore and where it might be held - a new requirement.

James Moore, partner at law firm HWL Ebsworth with a speciality in data privacy, told iTnews at the time of the collection of personal information such as at enrolment, universities will be required under the new Act to make a disclosure.

“When somebody enrols in a university, that university will know that it’s likely that personal information will at some point get into the university’s systems and perhaps be sent in an email, to the extent that the student’s data will be accessed through Office 365,” he said.

“It’s very likely that if the university is signed up to such a service, some information about each student or academic will ultimately be sent to America or Singapore.

"So at the time the university collects the personal information, it would become a requirement under the Act to actually make a disclosure that they use Microsoft products and as a result the information is likely to be held on a server in the US or Singapore.”

Moore said data in offshore systems is subject to the laws of the country it resides in and to Australian privacy law. 

“Where [personal] information is sent offshore, the organisation is responsible for making sure that it is dealt with in accordance with Australian privacy principles, and if it is dealt with inconsistently the organisation in Australia is actually in breach,” Moore said. 

He said many organisations were currently wrestling with how they would deal with the new requirement around location of data ahead of its inclusion in the new privacy laws.