Data hosting / POSITION PAPER / November 2018
Data hosting
Draft Position Paper
For more information on this position paper, email
This paper describes key factors that will provide a level of confidence in the jurisdictional data hosting arrangements employed by digital service providers (DSPs).
Introduction
- The Digital Service Provider Operational Framework is part of the ATO's response to the risks posed by exposing web services and Application Programming Interfaces (APIs).
- The ATO exposes more APIs and web services than any other revenue agency in the world.
- It is the responsibility of all parties to strengthen the level of security applied across our digital ecosystem.
Key considerations
- Formulating a viable future position is a shared responsibility between the ATO and the DSP industry.
- Taxpayer data being subject to multi-jurisdictional arrangements adds a layer of legislative and commercial complexity.
- Corporations may have trans-national ownership and business structures.
- The ATO's monitoring capability is maturing and enhancements are being progressively implemented. These enhancements will be essential in driving the ATO's surveillance of the digital channel environment and increasing the ATO's cyber resilience.
What we heard
- ATO adopts an offshore country risk profiling approach whereby the offshore country risk is considered.
- There is a need to understand how disaster recovery fits into the onshore/offshore data hosting model.
Alternatives explored
- ATO adopts an onshore-only model in line with the Personally Controlled Electronic Health Record Act (2012).
- ATO adopts an offshore country risk profiling approach whereby the offshore country risk is considered. This was the preferred option from the Data Hosting Focus Group.
Conclusion
- Consistent with guidelines for APRA-regulated entities, the ATO expects DSPs to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. By default, the ATO expects DSPs to store data onshore.
- Where there is a compelling reason for storing data outside of Australia a DSP must consult with the ATO prior to entering into any offshore data hosting arrangement so that the ATO may satisfy itself that the impact has been adequately addressed.
- As part of the consultation:
  - Digital Service Providers must demonstrate that they have considered the jurisdictional risks of storing data in a foreign jurisdiction.
  - The ATO can provide advice on jurisdictional constraints.
Additional conditions for offshore data hosting
- Consistent with APRA’s Cross Industry Prudential Practice Guide CPG 235, the ATO expects the following would normally be applied to the assessment and ongoing management of offshore data hosting:
  - enterprise frameworks such as security, project management, system development, outsourcing/offshoring management and risk management,
  - a detailed risk assessment,
  - a detailed understanding of the extent and nature of the business processes and the sensitivity/criticality of the data impacted by the arrangement,
  - a business case justifying the additional risk exposures.
- Consistent with APRA’s Prudential Standard Guide SPG 231, the ATO expects that DSPs would address the following specific risks and any other identified risks:
  - country risk — the risk that overseas economic, political and/or social events will have an impact upon the ability of an overseas service provider to continue to provide an outsourced service to the DSP,
  - compliance (legal) risk — the risk that offshoring arrangements will have an impact upon the DSP’s ability to comply with relevant Australian and foreign laws and regulations (including accounting practices),
  - contractual risk — the risk that a DSP’s ability to enforce the offshoring agreement may be limited or completely negated,
  - access risk — the risk that the ability of a DSP to obtain information and to retain records is partly or completely hindered. This risk also refers to the potential difficulties or inability of the ATO to gain access to information using ATO information gathering powers, and
  - counterparty risk — the risk arising from the counterparty’s failure to meet the terms of any agreement with the DSP or to otherwise perform as agreed.
- The ATO expects that an offshoring arrangement would typically include a provision around security and confidentiality of information.
- Where you are storing data outside of Australia you must:
  - make it clear to your customers that their data is being stored in a foreign jurisdiction,
  - apply the Australian Privacy Principles,
  - provide guidelines to your customers, where your customers use your services to collect and store sensitive data about other individuals (e.g. clients of tax practitioners, employees, etc.), on where and how their data is being managed.
APPENDIX 1
Considerations
• Protective Security Policy Framework (PSPF)
• Privacy Act 1988
• Information Security Manual
• Internal ATO policy and guidance material
CANADA
• All retained records must be clearly labelled and stored in a secure environment in Canada.
• Authorization to maintain records elsewhere may be granted, subject to such terms and conditions as the Minister may specify in writing.
NEW ZEALAND
• The Commissioner may authorise a taxpayer to store records offshore, or a third party to hold records offshore for multiple taxpayers, if the storage of those records offshore does not impede the Commissioner’s compliance activities. In particular, the records stored offshore must remain accessible by the Commissioner. An applicant may be required to demonstrate that the manner in which the records are to be stored offshore will meet the requirements of the ETA and the ETR. Each application will be considered on a case-by-case basis having regard to the merits of the case, including the compliance history of the applicant.
UNITED KINGDOM
• Digital Service Providers consuming Her Majesty’s Revenue and Customs APIs must meet a set of Terms and Conditions. This includes:
  • “Where you are storing and processing customer data, you must ensure that all customers using your software understand that you will process their personal data and are responsible for protecting it. You must make clear to customers if you intend to store their personal data outside of the EEA and you must comply with the eighth data protection principle of the Data Protection Act 1998.”
UNITED STATES
• The Inland Revenue Service has mandated that all Online Providers of individual income tax returns meet six security, privacy and business standards.
  • “This standard applies to Online Providers of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored. These Online Providers shall have written information privacy and safeguard policies consistent with the applicable government and industry guidelines. In addition, these Online Providers shall acquire, maintain, and display a license/accreditation seal from a consumer protection and privacy seal vendor acceptable to the IRS.”
MEDICAL
• The Personally Controlled Electronic Health Record Act (2012) stipulates that, in relation to the records, a person must not:
  • hold the records, or take the records, outside Australia; or
  • process or handle the information relating to the records outside Australia; or
  • cause or permit another person:
    • to hold the records, or take the records, outside Australia; or
    • to process or handle the information relating to the records outside Australia.
• The Explanatory Memorandum explains:
  • Should PCEHR-related health information be stored or processed outside Australia, very few effective enforcement options would be available if that information were to be misused or mishandled. Remedies for affected individuals would likewise be severely curtailed.
  • Allowing health information to be stored or processed outside Australia also increases the risk of the information being compulsorily acquired by foreign governments.
Australian Prudential Regulatory Authority (APRA)
APRA has issued guides and standards to follow when implementing outsourcing/offshoring arrangements (CPG 235, SPS 231, SPG 231).
• APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. [CPG 235]
• In APRA’s view, the following would normally be applied to the assessment and ongoing management of outsourced/offshored data management responsibilities: [CPG 235]
  • enterprise frameworks such as security, project management, system development, business continuity management, outsourcing/offshoring management, risk management and delegation limits;
  • detailed risk assessments of the specific arrangements underlying the services offered. This would normally include assessments of the service provider, the location from which the services are to be provided and the criticality and sensitivity of the data involved;
  • a detailed understanding of the extent and nature of the business processes and the sensitivity/criticality of the data impacted by the arrangement;
  • alignment with the data architecture supporting the broader information technology and business strategies;
  • a business case justifying the additional risk exposures.
• A Regulated Superannuation Entity (RSE) licensee must consult with APRA prior to entering into any offshoring agreement involving a material business activity so that APRA may satisfy itself that the impact of the offshoring arrangement has been adequately addressed as part of the RSE licensee’s risk management framework. [SPS 231]
• APRA notes that offshoring arrangements can give rise to a number of particular risks, including country, compliance (legal), contractual, access and counterparty risks. The arrangement would typically include provisions covering choice of law, security and confidentiality of information. [SPG 231]