Below is a checklist which is intended to assist organisations to take appropriate steps to comply with the privacy obligations imposed upon them by the Australian Privacy Principles (APPs) when outsourcing big data services to cloud providers.

  1. Privacy policy – Does the organisation’s privacy policy about its management of personal information include the details required by APP 1 for outsourcing big data services to a cloud provider?

  2. Collection statement – Does the organisation's collection statement for the collection of the data contain the details required by APP 5?

  3. Permitted purpose – Is the outsourcing of the big data services to the cloud provider for the primary purpose for which the data was collected by the organisation or a secondary purpose permitted by APP 6?

  4. Cross-border disclosure – Has the organisation taken reasonable steps in the circumstances to ensure that any overseas cloud provider does not breach the APPs as required by APP 8?

  5. Responsibility for acts of overseas recipients – Has the organisation obtained the consent of each individual to disclose his or her personal information to any overseas cloud provider or is any such cloud provider subject to a law or binding scheme that is substantially similar to the APPs and enforceable by each individual concerned?

  6. Information Quality – Has the organisation taken reasonable steps to ensure the accuracy, currency, completeness and relevancy of the data before disclosing it to the cloud provider?

  7. Information security – Has the organisation taken reasonable steps to require the cloud provider to appropriately protect the data and destroy or de-identify the data when no longer needed?

  8. Information access  – Is the organisation able to give an individual access to his or her personal information which is stored by the cloud provider on its behalf?

  9. Information correction  –  Is the organisation able to correct or associate a statement with personal information about a specified individual which is stored by the cloud provider on its behalf?
If you require any further information in relation to this checklist, or any assistance to comply with the Australian Privacy Principles, please do not hesitate to contact us.
Please note that the information contained in this checklist is provided for information purposes only and is not intended to be relied upon as legal advice for any particular purpose.  You should seek your own independent legal advice for your specific circumstances.