Organisations are continuing to make an ever increasing use of big data services provided by cloud providers located in Australia and overseas.
It has previously been estimated by Gartner that the global market for cloud computing services is $131 billion.
It is now more important than ever that organisations which currently or intend to outsource big data services to cloud providers ensure that they have taken the necessary steps to comply with their privacy obligations.
The Australian Privacy Principles (APPs) apply to specified private sector organisations and Commonwealth government agencies with the maximum civil penalties for breaches of the APPs ranging from $340,000 up to $1.7 million.
This article examines the application of the APPs to organisations when outsourcing big data services to cloud providers and describes the accountability framework that applies to privacy breaches when organisations outsource big data services to overseas cloud providers.
TechComm Legal has developed a Big Data Cloud Services Privacy Checklist to assist organisations to take appropriate steps to comply with the privacy obligations imposed upon them by the APPs when outsourcing big data services to cloud providers.
Introduction
Organisations are continuing to make ever increasing use of big data services provided by cloud providers located in Australia and overseas. It has previously been estimated by Gartner that the global market for cloud computing services is $131 billion. According to the Australian Business Insider, 60% of CIOs indicate that cloud computing is their top priority. In addition, a survey by GigaSpaces found that 80% of IT executives were considering moving their big data to the cloud.
It is now more important than ever that organisations which currently outsource, or intend to outsource, big data services to cloud providers ensure that they have taken the necessary steps to comply with applicable privacy obligations. The Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) carry maximum civil penalties for serious and repeated breaches by organisations ranging from $340,000 (in the case of an entity which is not a body corporate) up to $1.7 million (in the case of a body corporate).
This article considers the following aspects of outsourcing big data services to cloud providers. First, it describes cloud computing and its cost and efficiency benefits. Secondly, it examines the application of the APPs to the outsourcing of big data services to cloud providers. Thirdly, it describes the new accountability framework that applies to breaches of the APPs when organisations outsource big data services to overseas cloud providers.
Cloud computing
Cloud computing has been generally described as the delivery of computing services over the internet which enable users to remotely store, process and share digital information and data. The two main cloud models used for big data outsourcing are the private and public cloud models. The private cloud model involves the exclusive use by one organisation of cloud computing services which are managed by the organisation itself or a third party cloud provider. In contrast the public cloud model involves the use of third party cloud computing services by a large group of organisations or the public generally.
Organisations can achieve numerous cost and efficiency benefits through the use of cloud computing services. Cloud computing enables organisations to dynamically scale their computing services up and down depending on the nature of the processing task to be undertaken. Cloud computing services are device and platform independent and capable of being accessed using a wide range of devices and operating systems. Cloud computing provides organisations with mobility by allowing users to access services from almost any location using smartphones, tablets, laptops and desktops. Cloud computing also allows organisations to pay only for the services which they need, without having to pay ongoing licence fees or equipment purchase costs.
Applying the Australian Privacy Principles to Big Data
Big Data
Gartner has described “big data” as “high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision making, and process optimization.” These are known as the “three Vs”. Two further “Vs” have also been widely recognised in respect of big data, namely, the veracity or reliability of the data and the volatility or sensitivity of the data. Big data may exist in either a structured or unstructured form. Examples of big data include transaction records and data recorded by machines (e.g. sensors, monitors, etc).
Entities subject to the Australian Privacy Principles
The APPs apply to specified private sector organisations and Commonwealth government bodies (APP entities). Private sector organisations subject to the APPs include individuals, companies, associations, partnerships, trusts and other bodies which have an annual turnover of more than $3 million. In addition, other private sector organisations subject to the APPs, regardless of their annual turnover, include:
health service providers;
service providers which collect or disclose personal information for a benefit, service or advantage; and
contracted service providers for Commonwealth contracts (whether or not a party to the contract).
Commonwealth government bodies subject to the APPs include all Commonwealth government departments and agencies together with bodies established or appointed for a public purpose by or under a law of the Commonwealth.
Personal information
The Privacy Act defines “personal information” to mean “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.” An APP entity needs to ensure that it complies with the APPs where it outsources big data services to a cloud provider and the big data falls within this definition of “personal information”.
Big data will constitute “personal information” where it contains the names of individuals or where an individual is reasonably identifiable from the big data. Whether an individual is “reasonably identifiable” from big data will depend upon the following:
the nature and extent of the information;
the circumstances of the receipt of the information by the APP entity;
whether it is possible for the APP entity to identify an individual using available resources (including other information available); and
the cost, difficulty, practicality and likelihood of the APP entity doing so.
Where it is technically possible, but not practically possible, for an APP entity to identify an individual from big data, the individual will not be regarded as “reasonably identifiable” and the big data will not constitute “personal information”.
De-identification
The Privacy Act provides that “personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.” Big data may be de-identified by removing or obscuring personal information or government related identifiers so that an individual is no longer identifiable or “reasonably identifiable”. Big data which has been de-identified will not constitute “personal information”.
There are a range of de-identification techniques which may be used to de-identify big data. First, identifying features (e.g. a person’s name, email address, street address, date of birth, etc) may be removed or altered. Secondly, quasi-identifiers (e.g. gender, identifying dates, occupation, salary, etc) may be removed or altered. Thirdly, statistically narrow, quasi-identifiable data values may be removed or altered, or associated with broader categorisations (e.g. changing “age = 37” to “age = 35–44”). Fourthly, data categories that contain only a small number of data values may be combined (e.g. combining categories for 30–34 year olds and 34–39 year olds).
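The four techniques above, carried through over constructed sample records, as an added example that is not part of the original article: direct identifiers are removed, exact age is generalised to a band (37 becomes 35–44), occupation categories with too few records are combined, and, going one step beyond the text, any record that is still unique across its quasi-identifiers is suppressed and a minimum group size (k-anonymity) check is run over the result. All records, field names and the threshold k are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (fictional people made up for this example).
def rec(name, email, dob, age, gender, occupation, spend):
    return {"name": name, "email": email, "date_of_birth": dob, "age": age,
            "gender": gender, "occupation": occupation, "spend": spend}

RECORDS = [
    rec("A. Nguyen", "a.nguyen@example.com", "1987-03-02", 37, "F", "nurse", 120.5),
    rec("B. Singh", "b.singh@example.com", "1983-07-19", 41, "F", "nurse", 88.0),
    rec("C. Lee", "c.lee@example.com", "1995-01-30", 29, "M", "teacher", 45.0),
    rec("D. Costa", "d.costa@example.com", "1991-11-11", 33, "M", "teacher", 61.2),
    rec("E. Okafor", "e.okafor@example.com", "1972-05-05", 52, "F", "teacher", 210.0),
    rec("F. Brown", "f.brown@example.com", "1966-09-23", 58, "F", "teacher", 99.9),
    rec("G. Ivanova", "g.ivanova@example.com", "1962-02-14", 62, "M", "pilot", 300.0),
]

DIRECT_IDENTIFIERS = {"name", "email", "street_address", "date_of_birth"}
QUASI_IDENTIFIERS = ("age", "gender", "occupation")  # fields that could be linked to other data

def age_band(age, width=10, offset=5):
    """Generalise an exact age to a band, e.g. 37 -> '35–44' (the article's own example)."""
    if age < offset:
        return f"0–{offset - 1}"
    lower = (age - offset) // width * width + offset
    return f"{lower}–{lower + width - 1}"

def merge_small_categories(records, field, min_count, other="other"):
    """Fold categories holding fewer than min_count records into one broader category."""
    counts = Counter(r[field] for r in records)
    return [dict(r, **{field: other if counts[r[field]] < min_count else r[field]})
            for r in records]

def group_sizes(records):
    # Number of records sharing each combination of quasi-identifier values.
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)

def smallest_group(records):
    """k-anonymity check: size of the smallest set of records sharing all quasi-identifiers."""
    sizes = group_sizes(records)
    return min(sizes.values()) if sizes else 0

def deidentify(records, k=2, age_width=10):
    # 1. Remove direct identifiers outright.
    out = [{f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS} for r in records]
    # 2. Generalise the statistically narrow quasi-identifier (exact age) to a band.
    out = [dict(r, age=age_band(r["age"], width=age_width)) for r in out]
    # 3. Combine occupation categories that contain only a small number of records.
    out = merge_small_categories(out, "occupation", k)
    # 4. Suppress any record still in a group smaller than k (residual re-identification risk).
    sizes = group_sizes(out)
    return [r for r in out if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]

if __name__ == "__main__":
    for width in (10, 20):
        result = deidentify(RECORDS, k=2, age_width=width)
        print(f"age band width {width}: kept {len(result)} of {len(RECORDS)} records, "
              f"smallest group = {smallest_group(result)}")
```

Widening the age band keeps more records (fewer are suppressed) at the cost of coarser data, which is the trade-off a de-identification assessment has to document.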
Relevant Australian Privacy Principles
In the context of outsourcing big data services to cloud providers, the APPs to which particular consideration should be given are:
APP 1 - open and transparent management of personal information;
APP 5 - notification of the collection of personal information;
APP 6 - use and disclosure of personal information;
APP 8 - cross-border disclosure of personal information;
APP 10 - quality of personal information;
APP 11 - security of personal information;
APP 12 - access to personal information; and
APP 13 - correction of personal information.
APP 1 - Open and transparent management of personal information
Under APP 1 an APP entity must have a clearly expressed and up-to-date privacy policy about its management of personal information which relevantly includes details of:
the kinds of personal information which it holds;
how it collects and holds personal information;
the purposes for which it collects, holds, uses and discloses personal information;
whether it is likely to disclose personal information to overseas cloud providers or other overseas recipients; and
if it is likely to disclose personal information to overseas recipients – the countries in which such overseas recipients are likely to be located where practicable to specify such countries.
The Privacy Act provides that “an APP entity holds personal information if it has possession or control of a record that contains personal information”. An APP entity will hold personal information where it has the right or power to deal with the information even if it does not physically possess the information or the medium on which the information is stored. For example, an APP entity will hold personal information stored on servers managed by a cloud provider where the APP entity has the right to access and amend the information.
APP 5 - Notification of collection of personal information
Under APP 5 an APP entity is required at or before (or, if not practicable, as soon as practicable after) collecting personal information to take reasonable steps to notify the individual concerned, or otherwise ensure that he or she is made aware, of the following:
the fact that it collects or has collected the information and the circumstances of collection except where the information was collected from the individual or he or she is otherwise aware of the collection;
the purposes for which it collects the information;
any cloud provider or other body or person to which it usually discloses information of that kind;
whether it is likely to disclose the information to overseas cloud providers or other overseas recipients; and
if it is likely to disclose the information to overseas recipients – the countries in which such overseas recipients are likely to be located where practicable to specify such countries.
APP 6 - Use and disclosure of personal information
An APP entity may use and disclose personal information for the purpose of big data analytics where it has collected the information for this primary purpose. However, where an APP entity has not collected personal information about an individual for this primary purpose then it may only use and disclose his or her information for the secondary purpose of big data analytics where:
he or she has consented to the use or disclosure for this secondary purpose;
if the information is sensitive information – he or she would reasonably expect the use or disclosure of his or her information for this secondary purpose which is directly related to the primary purpose of collection; or
if the information is not sensitive information – he or she would reasonably expect the use or disclosure of his or her information for this secondary purpose which is related to the primary purpose of collection.
The definition of “sensitive information” in the Privacy Act includes specified racial, ethnic, political, religious, membership, sexual, health, criminal, genetic and biometric information.
A secondary purpose will be “directly related” to the primary purpose for the collection of personal information where it is closely associated with the primary purpose (even if it is not strictly necessary to achieve the primary purpose). A secondary purpose will be “related” to the primary purpose for the collection of personal information where it is connected to or associated with the primary purpose. A secondary purpose will not be “related” (or “directly related”) to the primary purpose for the collection of personal information where there is only a tenuous link. Whether or not a secondary purpose of big data analytics will be directly or indirectly related to the primary purpose for which an APP entity has collected personal information will depend upon the particular circumstances surrounding the collection of the information.
APP 8 - Cross-border disclosure of personal information
Before disclosing any personal information about an individual for the purpose of outsourcing big data services to an overseas cloud provider an APP entity must take reasonable steps to ensure that the cloud provider does not breach the APPs unless an exception applies. Exceptions to this requirement for an APP entity to take such steps relevantly apply where:
the individual concerned has consented to the disclosure of his or her personal information to the overseas cloud provider without this requirement applying; or
the APP entity reasonably believes that the overseas cloud provider is subject to a law or binding scheme which is substantially similar to the APPs and enforceable by the individual concerned.
An APP entity sharing personal information with a cloud provider may be a “use” rather than a “disclosure” of the information, depending on the degree of control retained by the APP entity. An APP entity that maintains control over personal information provided to a cloud provider is treated as “using” the information (e.g. information provided for the limited purpose of the cloud provider storing and managing the information). In contrast, an APP entity that gives up control over personal information provided to a cloud provider is treated as “disclosing” the information to the cloud provider.
APP 10 - Quality of personal information
An APP entity must take reasonable steps to ensure that personal information it discloses to a cloud provider or other body or person is accurate, up-to-date, complete and relevant having regard to the purpose of the disclosure. Whether personal information disclosed to a cloud provider by an APP entity is sufficiently accurate, up-to-date, complete and relevant will depend upon the purpose for which the information is disclosed to the cloud provider.
APP 11 - Security of personal information
An APP entity must take reasonable steps to protect personal information which it holds from:
misuse, interference and loss; and
unauthorised access, modification or disclosure.
If an APP entity holds any personal information which it no longer needs for any purpose then it must take reasonable steps to destroy or de-identify the information. As previously mentioned, an APP entity will hold personal information stored on servers managed by a cloud provider where the APP entity has the right to access and amend the information. Where an APP entity has the right to access and amend personal information stored by a cloud provider on its behalf then it must take reasonable steps to ensure that the information is appropriately protected and destroyed or de-identified when no longer needed.
APP 12 - Access to personal information
An APP entity must give an individual access to his or her personal information which it holds unless an exception applies. Again, as previously mentioned, an APP entity will hold personal information stored on servers managed by a cloud provider where the APP entity has the right to access and amend the information. Where an APP entity has the right to access and amend personal information about an individual which is stored by a cloud provider on its behalf then the APP entity must, upon request by the individual, give him or her access to the information.
APP 13 - Correction of personal information
An APP entity must take reasonable steps to correct personal information about an individual which it holds if:
requested by the individual; or
satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If an APP entity refuses to correct any personal information about an individual then, if requested by the individual, the APP entity must take reasonable steps to associate a statement with the information that it is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Accountability for big data privacy breaches by overseas cloud providers
Pursuant to section 16C of the Privacy Act, an APP entity which discloses personal information about an individual to an overseas cloud provider will be responsible for an act or practice done or engaged in by the cloud provider which would breach the APPs if they were applicable to the cloud provider, unless an exception applies. Exceptions to an APP entity being responsible for such an act or practice by an overseas cloud provider relevantly apply where:
the individual has consented to the APP entity disclosing his or her personal information to the overseas cloud provider without taking reasonable steps to ensure that the cloud provider does not breach the APPs;
the overseas cloud provider is subject to a law or binding scheme that is substantially similar to the APPs and enforceable by the individual concerned; or
the APPs apply to the overseas cloud provider on the basis that it has an Australian link.
An overseas cloud provider will have an “Australian link” where relevantly:
the cloud provider was formed, created or incorporated in Australia; or
the cloud provider carries on business in Australia and collected or held the personal information in Australia.
Conclusion
Given the requirements of the APPs it is now more important than ever that organisations which currently outsource, or intend to outsource, big data services to cloud providers take the necessary steps to comply with their privacy obligations to avoid maximum civil penalties ranging from $340,000 up to $1.7 million. Organisations may significantly reduce or even eliminate privacy risks arising from outsourcing big data services to cloud providers through de-identification, as big data which has been properly de-identified will not constitute “personal information”.
It is important that organisations which outsource big data services to cloud providers are fully aware that under the APPs they will still be considered to “hold” big data which constitutes “personal information” where they have the right to access and amend the big data. It is also important that such organisations are fully aware that under the APPs they will be held responsible for an act or practice by an overseas cloud provider which would breach the APPs if they were applicable to the cloud provider unless an exception applies.
When outsourcing big data services to a cloud provider an organisation should enter into an enforceable outsourcing contract with the cloud provider which includes all of the provisions necessary to comply with the APPs and protect the organisation against liability arising from any privacy breach by the cloud provider in respect of the big data services. An organisation outsourcing big data services to a cloud provider should also undertake a thorough risk assessment to ensure that all privacy risks are appropriately addressed.
If you require any further information in relation to this Client Alert, or any assistance to comply with the Australian Privacy Principles, please do not hesitate to contact us.
Please note that the information contained in this Client Alert is provided for information purposes only and is not intended to be relied upon as legal advice for any particular purpose. You should seek your own independent legal advice for your specific circumstances.