Adopting cloud computing in your business is a “balancing act” that requires a good grasp of risk mitigation, according to the head of the Australian Computer Society, Anthony Wong.
Speaking at the Cloud Computing Conference stream at CeBIT, Wong laid out the legal implications and issues when moving towards cloud computing.
In speaking about legal compliance issues, he said there is no such thing as the “law of cloud computing".
Instead, there are a number of specific laws in Australia including The Electronics Transactions Act, which is currently being modernised, and is the crucial one organisations need to know about.
“It talks about contract formation, transactions online, and the equivalency of paper and the electronic world,” Wong said.
Other laws to consider include: the Archives Act; Copyright Amendment; Privacy; Cybercrime; and Spam Act.
“Looking at the cloud, the first thing you need to understand, and make some judgement around, is who are you? Are you a financial institution? If so, there is compliance issues that you need to understand before you move to the cloud. Are you a government agency? If you are, there are certain laws, privacy acts and specific government agency compliance guidelines that you have to comply with before you move to the cloud,” he said.
Additionally, organisations need to understand and investigate the special industry standards.
“Finally, all of us have to comply with data retention laws. We have to report to the tax office, we have to report to multiple government agencies about information. And if you are involved in a court case, do you have the ability to provide the data from your cloud computing supplier?," Wong said.
“These are some of the burdens that we have to embrace because we are conducting business online as well as in this new additional economy.”
Recognising “cloud computing creates new complexity", Wong said it is not a new technology.
“It is something that we already have – it is about packaging and using the internet to embrace a number of infrastructure and software applications/services to customers,” he said.
Wong urged businesses not to be frightened about adopting the cloud. “With anything in life it is a matter of risk mitigation,” he said.
“It is a matter of balance – balancing the risks with the opportunities that the new technology offers.”
Speaking about data retention and compliance, one of the big considerations is: How many years do I need to keep my data?
“Keeping your data on the computer in-house and keeping it in the cloud, apart from the security aspects and privacy, the lengths of retention are the same," Wong said. "Just because you move to the cloud doesn’t mean you keep any less or any more of a period. The period is the same. In most instances, we have legislation with the tax areas between five and seven years.”
“It depends on your individual circumstances, whether you are a government agency, a business, SMEs – you have different retention compliance to look at. Currently, there are 450 separate legislations in Australia to do with data retention. So maybe our legislators need to think about simplifying some of that and reducing the number because the compliance is pretty heavy.”
The other big consideration revolves around service levels, he said.
“What are the service levels? Know that when we’re in the cloud, we’re very reliant on the Internet," Wong said. "The internet is not necessarily full-proof. It may go down, so you need to cater to that contingency. As a business or as a government agency, you need to look at your objectives. Understand the risks and mitigate them?”
Other issues to consider include: location/jurisdiction and cross/border issues; along with data protection, rights and usage; and privacy and security implications.
“There is no one-size-fits all in cloud computing as we see in the technology, neither is there in law, but it doesn’t mean you can’t go to the cloud. It’s about risk mitigation.”
Full the full presentation and list of legal implications in the cloud, visit: www.acs.org.au