Clarity Comes to Cloud Privacy

In exactly a month’s time, Australia’s privacy regulatory regime will change. New amendments to the Privacy Act come into force on 12 March 2014.

Microsoft Australia welcomes the incoming Privacy Act amendments.

Contrary to some reports, the new amendments to the Privacy Act are not bad for cloud services.

The new amendments just help to clarify that if an enterprise or Federal Government agency collects personal information, they are ultimately responsible for protecting the privacy of that information.

It does mean that Enterprises and governments should do their research.

A good cloud provider will help its clients to meet those requirements by ensuring that that data is appropriately protected and secured.

More importantly, they will then put those guarantees in writing in a contract, not just in their marketing brochures.

What’s new?
For cloud computing, the most relevant of the new Australian Privacy Principles (APPs) are APP 8 and APP 11.

APP 11 basically states that if you hold personal information you need to keep it secure and protect it from misuse, interference or loss; and ensure that people who should not access that information cannot access, modify or disclose that information.

APP 8 comes into play if you disclose information to an overseas recipient. APP 8 sets out a number of compliance mechanisms in relation to offshore disclosure. The primary mechanism for compliance with APP 8 in a cloud services context is by taking reasonable steps to ensure that the offshore recipient complies with the Australian Privacy Principles.

The Office of the Australian Information Commissioner’s latest draft guidance also provides a distinction between use and disclosure with regards to cloud. Under the current draft guidance, if the service provider is just using the data to provide a service then no disclosure occurs and APP8 is not triggered.

If you are working with a cloud provider who provides a service with no intent to use customers data for any secondary purposes – ie. marketing services, advertising or analytics – then the new amendments actually provide some good clarity to enterprises looking to contract cloud services.

Microsoft’s Commitment to Privacy
At Microsoft, we do not mine data for advertising purposes when we provide cloud services. For those services, it is our policy to not use your data for purposes other than providing you services such as Office 365, Azure and CRM Online.

At Microsoft, we already provide customers with strong guarantees that in our view enable them to meet their requirements under the Australian Privacy Act. This will not change with the incoming regulatory regime.

Our cloud services are designed to comply with the European Union’s Data Protection Directive and the associate model clauses.

As such, our services are built with a ‘privacy-by-design’ mentality to meet world’s most stringent data protection requirements.

For more information on Microsoft’s approach to security and privacy in our cloud services visit: Office 365 Trust Center; Windows Azure Trust Center; and Microsoft Dynamics CRM Trust Centre.