Cloud computing opens up a range of commercial advantages to SMEs, both as consumers and as providers; but it pays to be informed about your rights and obligations under Australian law.
Cloud computing is the notion that you can put or process your data “in the cloud somewhere”. Where it is and how it got there is not your problem. In the ideal cloud environment, how reliably it’s stored, whether it can be hacked into, and a whole host of other issues shouldn’t be your problem either.
But back in the real world, reliability, access, security and recoverability are your problem, and that means that you do care where your data is and how it got there. How do you respond?
Big business is making a lot of noise about cloud computing, recognising that it brings two key advantages: it turns capital into operational expenditure, and it scales up and down according to requirements. Look closely, however, and you’ll find that big businesses aren’t really working in the true cloud paradigm. They are able to negotiate specific terms to dictate where their data is, how it is stored and backed up, how private customer data is managed and so on.
Big business is driving the critical mass to ensure that true cloud services can be sustainable, but the innovation is happening at the small end of town, and that comes at the expense of having a real say in your service level agreement.
If you are running a small business, your ability to negotiate is most likely limited to shopping around for a standard Service Level Agreement – take it or leave it. If that describes your situation, take a look at Cloud Computing: Benefits, risks and recommendations for information security, published by the European Network and Information Security Agency (ENISA) in 2009. Keeping in mind that the report is written for a European audience, it has a useful checklist of questions you should be asking if you want to go down the road of outsourcing into the cloud.
If you want to provide IT services to customers on a cloud platform, you also need to be aware of how the Privacy Act affects you. Small businesses are exempted from some provisions of the Privacy Act, though only under some conditions, and the Australian Law Reform Commission, in a report on privacy released in 2008, recommended that the exemption be undone. You will also need to ensure compliance with the recommendations for the adoption of Unified Privacy Principles in the Privacy Act once they are implemented. Specific attention will need to be given to the Unified Privacy Principles relating to:
- Data Quality
- Data Security
- Access and Correction
- Cross-Border Data Flows
Cloud computing brings a range of commercial advantages, but it pays to be informed about your rights and obligations under Australian law.
Dr Matthew Sorell is research director of the Convergent Communications Research Group at the University of Adelaide. He is lead author of A study of the privacy, security and identity management implications of cloud computing for home users and small to medium enterprises, commissioned by the Department of Broadband, Communications and the Digital Economy, to be released publicly late in 2010.