Data Sovereignty

Data sovereignty refers to the idea that data is governed by the laws and regulations of the country where it physically resides. For Australian businesses, this means understanding where their data is stored and what legal frameworks apply.

Data sovereignty in Australia:

• Australian Privacy Principles (APPs) govern personal information handling
• APP 8 specifically addresses cross-border disclosure of personal information
• The Privacy Act requires reasonable steps to ensure overseas recipients comply with APPs
• Government data often requires storage within Australian borders
• Some industries have specific data residency requirements

Cloud regions and data sovereignty:

• AWS: ap-southeast-2 (Sydney) region for Australian data residency
• Azure: Australia East (Sydney) and Australia Southeast (Melbourne)
• Google Cloud: australia-southeast1 (Sydney) and australia-southeast2 (Melbourne)

Considerations for Australian businesses:

• Where primary data is stored (region/country)
• Where backups are replicated
• Where data is processed (may differ from storage location)
• Whether support staff in other countries can access data
• Contractual guarantees from providers about data location
• Industry-specific requirements (financial services, healthcare, government)

Data sovereignty vs. data residency vs. data localisation:

• Data sovereignty: Data subject to laws where it is stored
• Data residency: Choosing to store data in a specific geography
• Data localisation: Legal requirement to store data within national borders

Managing data sovereignty:

• Choose cloud regions within Australia for sensitive data
• Review provider terms regarding data location and access
• Implement data classification to apply appropriate residency controls
• Ensure backups and disaster recovery respect sovereignty requirements
• Document data flows including where processing occurs