Australian Government agencies have some new regulations to consider when they are contemplating moves to the cloud, particularly clouds hosted outside of Australian borders. These guidelines, known as “The Australian Government policy and risk management guidelines for the processing and storage of Australian Government information in outsourced or offshore ICT arrangements”, are part of the broader Protective Security Policy Framework announced earlier this year and are aimed at protecting data being stored and processed in cloud environments.
The Framework document clearly acknowledges the benefits that Australian Government agencies can gain from moving to cloud environments but points out that privacy, security, integrity and availability of personal information cannot be sacrificed in pursuit of these benefits. In particular, “offshoring” of information (e.g., using US-based cloud services) is highlighted as a situation that creates a number of challenges in this arena, and the Framework is meant to help agencies determine when to use these services on a case-by-case basis.