14 September 2021

Mastering Data Sovereignty in Australia 2022

By Jeff Arndt, Chief Information Officer

In Australia, data represents an asset of inestimable value. Data sovereignty is concerned with ensuring that Australian data resides in Australia and remains subject to Australian law, and the regulations around it form an essential tenet of data privacy and security.

Data sovereignty in Australia is heavily regulated, and CIOs are seeking uncomplicated solutions to the challenge of keeping Australian data in Australia. As organisations focus on scaling and optimising their hybrid environments, CIOs are met with daily challenges around data sovereignty compliance.


Data Residency vs Data Sovereignty

Data residency refers to the geographic location in which an organisation stores its data. Australian data sovereignty refers not only to data being stored in Australia, but also to that data remaining subject to Australian laws and regulations rather than to those of another jurisdiction.

For CIOs, this difference means that additional consideration must be given not just to data location, but also the relevant Australian data security and privacy regulations that govern how data is stored, managed and exchanged.

Australian Data Sovereignty Laws 2022

The Australian Privacy Principles (APPs) sit in Schedule 1 of the Privacy Act 1988 and were introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Further amendments have followed, most notably the Privacy Amendment (Notifiable Data Breaches) Act 2017, which established the Notifiable Data Breaches scheme requiring organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of eligible data breaches.

It is essential for CIOs to have a thorough understanding of these regulations and how they vary between different data types. For example, particularly sensitive data in the health, defence, financial and technology sectors is often subject to very strict residency requirements.

Data volumes are surging, digital supply chains have become globalised, and cyber threats are more sophisticated and omnipresent. For these reasons, regulatory compliance and jurisdiction (which determines where data must be located and whose laws apply to it) are an ever-expanding and evergreen burden on CIOs.

There is a lot at stake. Non-compliance is both a security issue and a destabilising business threat with serious ramifications.

Certainly, data sovereignty is a timely discussion. Australia’s Digital Transformation Agency (DTA) has been very vocal recently, defining measures that will ensure the Commonwealth’s sovereign data is kept secure and onshore.

As part of a new Hosting Strategy, the Commonwealth has raised the bar on how sensitive Government data is secured. It has taken a bold and decisive move to ensure organisations who provide hosting services to Government can clearly demonstrate they comply with the new requirements, as set out in the certification model of the Hosting Certification Framework.

This isn’t something that’s going away. In fact, ensuring the compounding volumes of data are secured and meet sovereignty laws is an escalating problem – one that will continue to amplify as organisations accelerate their cloud migration and transformation priorities.

Data Sovereignty Strategy

Where to start?

As an IT discipline, data sovereignty – the jurisdictional control or legal authority that can be asserted over the physical location of data within territorial boundaries – is multi-faceted. It raises many questions, crosses multiple boundaries in the digital supply chain and necessitates the support of strategic partnerships to achieve compliance quickly and easily.

Fundamentally, the expectation is that Australia's data stays within Australia and in the hands of its own people, governments and industry. Not every organisation is legally required to keep every byte onshore: under APP 8, an APP entity that discloses personal information to an overseas recipient must take reasonable steps to ensure the recipient handles it in line with the APPs, and generally remains accountable for it. But for the sensitive data classes discussed here, and for anything in scope of the Commonwealth's hosting requirements, the practical outcome is the same: the data needs to be housed in data centres physically located in Australia (data residency), and access to it, including administrative and support access, needs to be restricted to Australian people and businesses.

The Three-Point Data Sovereignty Management Plan

We’re living and operating in a borderless world – where data, IT environments and digital supply chains are distributed – and there’s constant risk to plan for and mitigate.

Given the risky backdrop, what can CIOs do to mitigate the risk?

1. Build a Data Framework

First, consider where data is stored, where it is processed or transacted, who has access to it, and how it is secured in motion.

A good starting point is to understand, end to end, where data rests and where it flows, and to weave that intelligence into a data framework that classifies 'data at rest' (primary storage, replicas and backups) separately from 'data in motion' (transfers, processing and any cross-border access).

Leaders should aim to map out a data framework that investigates and understands:

  • Where data is stored and what laws in other jurisdictions can be applied to it
  • How the data is processed or transacted
  • How the data complies with standards such as ISO/IEC 27001, SOC 2, SCEC, PCI DSS, or other industry requirements.
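One concrete way to operationalise the first step is to audit an asset inventory against an allowlist of Australian regions, and to do so not only for primary storage but for replicas, backups, processing locations and the countries from which operators can administer the system, since a replica or an offshore support team breaks residency just as surely as a primary bucket in the wrong region. The following is an added example, not NEXTDC's code or tooling; the inventory fields, the region allowlist, the data-class scheme, the sample assets and the FAIL/REVIEW severities are all assumptions made for illustration and should be mapped onto your own CMDB or cloud inventory.

```python
"""
Residency / sovereignty audit over a constructed asset inventory.

Added example, not NEXTDC's tooling. The Asset fields, AU_REGIONS,
ONSHORE_ONLY and the severities are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Public region identifiers that sit in Australia (assumed list; extend for
# other providers or on-premises sites).
AU_REGIONS = {
    "ap-southeast-2", "ap-southeast-4",                         # AWS Sydney, Melbourne
    "australiaeast", "australiasoutheast", "australiacentral",  # Azure
    "australia-southeast1", "australia-southeast2",             # GCP Sydney, Melbourne
}
ONSHORE_COUNTRY = "AU"

# Data classes for which nothing may leave Australia: storage, copies,
# processing or administrative access (assumed classification scheme).
ONSHORE_ONLY = {"health", "financial", "government"}


@dataclass
class Asset:
    name: str
    data_class: str
    primary_region: str                                        # data at rest
    replica_regions: List[str] = field(default_factory=list)   # data at rest (copies)
    backup_region: Optional[str] = None                        # data at rest (copies)
    processing_regions: List[str] = field(default_factory=list)  # data in motion / in use
    operator_locations: List[str] = field(default_factory=list)  # countries with admin access


Finding = Tuple[str, str]  # (severity, message)


def audit_asset(asset: Asset, au_regions=AU_REGIONS) -> List[Finding]:
    """Return findings for one asset; an empty list means nothing leaves Australia.

    FAIL   - an onshore-only data class has data, a copy, processing or an
             operator outside Australia.
    REVIEW - any other data class crosses the border; APP 8 cross-border
             accountability applies and the receiving jurisdiction's law must
             be assessed.
    """
    findings: List[Finding] = []
    severity = "FAIL" if asset.data_class in ONSHORE_ONLY else "REVIEW"

    def check(kind: str, location: str, offshore: bool) -> None:
        if offshore:
            findings.append((severity, f"{asset.name}: {kind} '{location}' is outside Australia"))

    check("primary storage", asset.primary_region, asset.primary_region not in au_regions)
    for r in asset.replica_regions:
        check("replica", r, r not in au_regions)
    if asset.backup_region is not None:
        check("backup", asset.backup_region, asset.backup_region not in au_regions)
    for r in asset.processing_regions:
        check("processing", r, r not in au_regions)
    for country in asset.operator_locations:
        check("operator access from", country, country != ONSHORE_COUNTRY)
    return findings


def audit_inventory(assets: List[Asset]) -> List[Finding]:
    """Audit every asset; FAIL findings are listed before REVIEW findings."""
    findings = [f for a in assets for f in audit_asset(a)]
    return sorted(findings, key=lambda f: 0 if f[0] == "FAIL" else 1)


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("patient-records", "health", "ap-southeast-2",
          replica_regions=["ap-southeast-1"]),                      # replica in Singapore
    Asset("payroll", "financial", "australiaeast",
          backup_region="australiasoutheast",
          operator_locations=["AU", "IN"]),                         # offshore support staff
    Asset("website-logs", "public", "us-east-1"),                   # non-sensitive, offshore
    Asset("case-management", "government", "australia-southeast1",
          processing_regions=["australia-southeast2"],
          operator_locations=["AU"]),                               # fully onshore
]

if __name__ == "__main__":
    for severity, message in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{severity}] {message}")
```

The point of modelling replicas, backups, processing regions and operator locations as separate fields is that a residency check that looks only at the primary bucket passes the two assets above that actually fail: the Singapore replica and the offshore administrators. Run the script with an exported inventory and treat any FAIL as a blocker before migration, and each REVIEW as a prompt to document which foreign law applies and what contractual and technical steps satisfy APP 8.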

2. Partner Strategically

The challenge of data sovereignty is too great to go it alone when the focus should be on cloud migration and other transformational priorities such as innovation, growth and building infrastructure resilience.

Achieving compliance, and managing data consistently up and down every digital supply chain, calls for specialist skills that are not always readily available in-house. It is unrealistic to expect already-burdened development, test, provisioning and improvement teams to take on the heavy lifting of this additional load.

The shortest route to meeting data sovereignty compliance starts with engaging specialist partners who truly understand and can demonstrate the integrity of your hybridised infrastructure and interconnected architecture.

3. ‘Certified Strategic’

Look for a data centre partner that is 'Certified Strategic' under the DTA's Hosting Certification Framework. While the framework applies specifically to Government procurement, it clearly identifies the data centre providers and facilities that have passed the highest level of audit scrutiny, including assessment of ownership, control and supply chain risk. Note what the certification does and does not cover: it attests to the facility and the provider, not to a tenant's own data handling. The APPs bind the organisation that collects and holds the personal information, so your own access controls, encryption, retention and breach-notification processes still determine whether you comply with them.

Colocating in DTA 'Certified Strategic' data centres nonetheless introduces immediate security and data sovereignty advantages. It ensures that your and your customers' data is held and interconnected only within facilities, platforms and availability zones that meet the minimum standards the Commonwealth accepts for keeping its own sovereign data protected.

NEXTDC Powers Data Sovereignty

You can’t board the plane unless you go through the security door. A similar analogy applies to data sovereignty: you can’t safely meet data sovereignty obligations if you’re not actively seeking onshore infrastructure and cloud zones, or if you can’t demonstrate, with auditable evidence, where every copy of your data is located.

NEXTDC is where the cloud lives in Australia and it’s where digital organisations and the services ecosystem they engage, interconnect. We partner with you to help streamline data sovereignty, and make it easier to maintain a strong risk and compliance posture.

Reach out if our specialists can help you build the right controls and processes that ensure you have full control over keeping your sovereign information wholly within Australian-based Hybrid/Multi-Cloud infrastructure.