Privacy Law Essentials with Cloud Services
This article aims to give you an awareness of some of cloud computing privacy compliance essentials that tech businesses may need to think about when they’re designing their infrastructure.
The Australian Privacy Principles (APPs) regulate the
- use; and
of ‘personal information’. Personal information is information from which an individual is reasonably identifiable. Whether a person is reasonably identifiable from information will depend on various factors including:
- who has the information;
- how they use it; and
- what resources they have to analyse it.
The combination of ‘collecting’ and ‘disclosing’ personal information (along with some additional factors described in the next section) is usually what triggers the application of privacy law to tech businesses.
The first element is ‘collection’. A tech business will ‘collect’ personal information if it includes it on a record of any kind. This includes a digital record. A common form of collection occurs when clients sign up for your service, website or application. The digital storage of that information is a ‘collection’. Collection may also occur when you receive referrals from other businesses, or when clients contact you by phone or email and you keep a record of that contact.
Application of Australian Privacy Principles
A tech business’s collection of personal information alone will not trigger the application of the APPs. Other conditions must also apply.
Size is a relevant factor. If the annual turnover of the entity collecting the personal information is more than $3 million, then it must comply with the APPs.
For companies smaller than that, the APPs will not apply unless an exception applies. The exception that is most relevant to tech businesses is the exception for disclosure. Even small companies will have to comply with the APPs if they:
- disclose personal information about another individual for a benefit, service or advantage; or
- provide a benefit, service or advantage to collect personal information about an individual from anyone other than that individual,
unless they do so with the consent of the individual or are required or authorised by or under legislation to do so.
This means tech businesses need to work out whether their use of cloud services is a ‘disclosure’ of personal information.
Disclosure and Use
Handling of personal information you have collected will either be a ‘disclosure’ or a ‘use’. The APP Guidelines indicate that the concept ‘effective control’ is what distinguishes a ‘disclosure’ of personal information from a ‘use’.
Any handling of personal information within an entity’s ‘effective control’ will be a use of that information.
A business will disclose personal information if it:
- makes it accessible to others outside the entity; and
- releases the subsequent handling of the information from its ‘effective control’.
The guidelines indicate that engaging a contractor to provide services and giving that contractor access to personal information will normally be a disclosure. Many tech businesses engage contractors to manage information in the cloud. This can include hosting, support and analytics. These practices will be treated as a disclosure unless the tech business retains ‘effective control’ over the information.
In order to work out if you disclose personal information, you need to work out if you retain effective control over it.
Effective control is a slippery term. It is not defined in the Privacy Act. Tech businesses can, however, use contracts to formalise their control over personal information that cloud service providers process for them. There is no fixed rule about what contractual provisions will give you effective control. According to the APP Guidelines (paragraphs B.137-138), the following factors will be significant:
- the contract is binding on the tech business and the contractor;
- the cloud service provider is only allowed to handle the personal information for the limited purpose of providing its service; and
- the contract requires subcontractors to agree to the same obligations as the cloud service provider.
Other factors which may contribute to effective control are:
- whether your business retains the right or power to access, change or retrieve the information (and for what purposes);
- who else can access it and for what purposes; and
- whether you can retrieve or permanently delete the information from the service provider’s database when the term of your contract with them is over.
Conclusion and Takeaway Points
- Even small tech businesses may need to set up privacy compliance procedures such as notifications, consent forms, privacy policies and security measures, if they collect and disclose personal information.
- Whether you disclose information by using cloud service providers for hosting and other services is a grey area.
- It depends on whether you retain effective control over the information.
- The specific contractual terms governing your relationship with that service providers will be important indicators of effective control.