As a small business or an early stage startup, you may not necessarily be bound by the requirements of the Privacy Act. However, your clients may themselves be subject to its provisions and will want to be assured that you are compliant in order to satisfy their own privacy obligations. So, big or small, at some point or another it is likely you will have to demonstrate that your business complies with Australian privacy laws and has in place appropriate data security measures.
One particular area of concern is cloud computing. For an increasing number of Australian businesses, moving towards cloud based solutions makes sense. Cloud based offerings are particularly attractive to startup businesses as they almost eliminate upfront capital expenditure on IT infrastructure and offer scalability and flexibility. However, before you sign up for cloud based services, you should shop around to find a reputable cloud provider that is right for your business. One important consideration is the location of the cloud provider’s infrastructure. Storing your data outside of Australia is not necessarily an issue under the Privacy Act, unless a third party has the right to access and use the data. However, there still might be important commercial considerations. For example, last year Luxottica Retail Australia (which owns the OPSM brand) lost a lucrative contract with the Australian Defence Force (“ADF”) after the ADF discovered information about its personnel had been stored offshore, in breach of Luxottica’s contract.
By putting data into the cloud, you are putting the security of that data in the hands of your cloud provider. Before you do so, make sure you have undertaken due diligence on your cloud provider and the terms of your service agreement places obligations on the provider to store your data securely and comply with any applicable privacy and data security laws and standards. The risks associated with cloud computing can be mitigated by having appropriate contractual protections in place with your cloud provider.