Cost-benefit analysis – what are the risks associated with using offshore IT infrastructure and services?

20th Jul 2011 | Helen Clarke

Even where data centre customers face increased service charges as a result of electricity price increases, customers should carefully consider data security issues (privacy, access and control) that arise when using offshore IT infrastructure and cloud offerings, before rushing to use such options to save on cost.

Offshore options may in fact involve additional operational costs to Australian businesses – costs of meeting various regulatory and legal compliance requirements in international jurisdictions. If an issue or dispute arises with an offshore provider, a customer also faces additional costs of enforcing its rights offshore. This may ultimately offset savings anticipated or achieved in moving data and data centre services outside Australia, following the introduction of the Carbon Price regime.

Is moving your data offshore a realistic option?

Data of a particular type (such as personal information), or data relating to particular business activity, may not readily be sent offshore from a regulatory and legal compliance perspective.

For example, the Australian banking and insurance sectors are regulated by the Australian Prudential Regulation Authority (APRA) – and prudential standards applicable to the outsourcing of “material business activities” by companies in these sectors require that they consult with APRA before entering into outsourcing agreements with service providers who conduct their business activities outside Australia.

APRA’s approach to date in relation to offshoring and cloud offerings has been cautious – reflected in the letter it sent in late 2010 to regulated Australian banks and insurance companies, noting APRA’s concern that organisations were failing to acknowledge the outsourcing and/or offshoring elements of cloud offerings in particular, and cautioning in relation to their use.

In its draft Cloud Computing Strategic Direction Paper of January 2011, the Australian Government has indicated it will take a risk-based approach to cloud computing, noting that data security and privacy issues need to be adequately resolved before critical government services could be transitioned to the cloud, and that an awareness of Australian legal and regulatory requirements such as the Privacy Act and the Archives Act was required.

Many Australian businesses must comply with the Privacy Act and the National Privacy Principles (NPPs) made under that Act. NPP 9 requires that an organisation in Australia must not send personal information to another person outside Australia unless it takes steps to ensure the information is properly protected, or the jurisdiction outside Australia will provide equivalent protection, or the individual consents to the transfer. Similar rules apply to State and Territory governments and government agencies under State-based information privacy legislation.

Data sovereignty

It should be remembered that data is subject to the laws of the jurisdiction in which it is stored. Cloud computing services involve the processing and storage of masses of data that is often commercially sensitive and confidential, or personal information. A key question in relation to offshore and cloud offerings is therefore “where is data stored or processed?” However, location is not fixed in the cloud – unlike a fixed server in the customer’s premises or at a data centre in Australia, data in the cloud can potentially be located anywhere in the world, and in more than one data centre.

As a result, sending, storing and processing data around the world through certain cloud offerings may not comply with data protection and privacy laws in various jurisdictions.

The impact on offshore providers of foreign laws such as the US PATRIOT Act (which enables the US Government to access data held on US companies’ servers in connection with criminal proceedings, without notice to the original provider or owner of the data) must also be considered.

So, while offshore data centres and cloud offerings may provide a number of tangible benefits to Australian businesses in the way of cost effective data storage and hosting services, there are data security and regulatory compliance risks (and associated costs) that customers need to be aware of.

It may be that the Carbon Price regime will lead to some Australian businesses and organisations classifying their data – as either data that must continue to be hosted onshore, or data that can be hosted offshore.
