
Data compliance in different countries and regions


SaaS and EU Legislation: What you need to know

Finance / Banking:

The finance and banking industry is focused heavily on disclosure and standards. This industry is heavily regulated; however, no specific cloud/hosting certification exists, which requires entrants to carefully review the industry requirements in general. As a guideline, APRA identifies many components around the disclosure standards for providers, as well as recommending ISO/IEC 27001 security certification for process adherence. Data sovereignty is also a concern where customer data is stored overseas, with the focus on the same disclosure and security standards as for local solutions.

Refer to:

Australian Prudential Regulation Authority (APRA)  Operational and Regulatory Requirements
APRA GUIDELINE
Materiality and notification (Risk Notification/Incident Notification)
Risk assessments & security
CERTIFICATION TO ISO/IEC 27001
Data sovereignty challenges/Where is my data  (requirements for disclosure)
Australian Privacy Principles (APP)
APP GUIDELINE

Commentary:

APRA calls out cloud computing risks for banks
Cloud: What is it not good for

Education:

Education services in Australia have already moved many services to the cloud; however, with the lack of specific requirements from Government, many regulatory requirements may not have been fully investigated. The Government treats education records similarly to health records, so the Privacy Act applies, along with the often overlooked data retention and information destruction guidelines. It is this last component that many cloud providers in particular are not able to commit to in writing.

Refer to:

Direct Connect to Education Network (AARnet)
Privacy Act (1988) + Guidelines Update 2015 V1.2
APP PRIVACY LAW GUIDELINES 
CLOUD CONSUMER FACT SHEET
Data Retention/Information destruction
DATA SECURITY: DESTRUCTION AND RETENTION REQUIREMENTS

Healthcare:

Healthcare regulation is largely driven by the Privacy Act 1988 and the many updates and guidelines that have followed it. Some local providers have taken to performing IRAP assessments in order to demonstrate their capability to meet the requirements of the law, though international providers, even those undertaking their own country's assessments, can never be sure that the requirements from their providers match Australian requirements.

Refer to:

Privacy Act (1988) + Guidelines Update 2015 V1.2
APP PRIVACY LAW GUIDELINES 
CLOUD CONSUMER FACT SHEET
IRAP Assessment (not required, but proves capability to meet Privacy Guidelines)
INFORMATION SECURITY REGISTERED ASSESSORS PROGRAM
Data Retention/Information destruction
DATA SECURITY: DESTRUCTION AND RETENTION REQUIREMENTS

Commentary:

GENERAL OVERVIEW: SECURITY IN CLOUD FOR HEALTHCARE 

Software Business Services (CRM, collaboration/HR, analytics):

Software business services are not covered by any regulation specific to the industries they serve, which means that the more general privacy requirements, and even security requirements specific to components such as credit card data (PCI), need to be followed.

Refer to:

Privacy Act
PCI Security (for Credit Card Data)
PCI DATA SECURITY STANDARD  

Commentary:

YOUR GUIDE TO COMPLIANCE IN THE CLOUD