Govt ponders new sovereignty rules for datasets

The federal government is considering introducing new sovereignty rules for government data that would require certain datasets to be hosted in accredited data centres within Australia.

Government Services Minister Stuart Robert revealed at a National Press Club address on Tuesday that the government had begun “examining the sovereignty requirements” of government datasets.

Issues around sovereignty were thrust into the spotlight earlier this year, when the government opted to use Amazon Web Services to host its COVIDSafe contact tracing app.

While AWS is legally required to host the COVIDSafe data in Australia under the specific legislation enacted, the move sparked concerns that US law enforcement could access the data.

Of particular concern is the United States’ Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), which will allow for “reciprocal” data access with Australia if a bilateral agreement is signed.

Legislation that is considered a pre-requisite for Australia to sign a bilateral agreement under the US CLOUD Act is currently before Parliament.

Although both Prime Minister Scott Morrison and Robert have stressed that Australian laws would prevail over US laws in any event, the concerns have brought the issue of sovereignty to the fore.

“When developing the COVIDSafe app, Australians were loud and clear that they expect government to respect their privacy and have their data stored, secured and protected here in Australia,” Robert said.

He said that there was now a need for government to “acknowledge community expectations and be transparent about how we manage the information that Australians are concerned about sharing with us”.

“Accordingly, I can announce we are examining the sovereignty requirement that should apply to certain datasets held by government, in addition to the existing Protected Security Policy Framework,” Robert said.

As part of this, the government will look at whether “certain datasets of concern” – likely those relating to sensitive personal information – should be “declared sovereign datasets”.

These datasets would only be able to be “hosted in Australia, in accredited data centre, across Australian networks and only accessed by the Australian government and our Australian service providers”

“We need to ensure that Australians can trust that government will appropriately manage the information that they provide to us – whether it is for a tracing app or for the Census,” Robert said.