You may or may not have heard about the Exposure Draft put forward last year by the Tax Practitioners Board (TPB). The TPB is now moving forward with its Exposure Draft on ‘Cloud Computing and the Code of Professional Conduct.’
The TPB released the draft to provide practical guidance and assistance to registered tax practitioners in understanding their obligations under the Code of Professional Conduct in relation to the use of cloud computing.
The draft outlines how accounting firms will be liable for how their clients' data is treated and stored. This means you need to be aware of where your data is being stored and what ownership rights are applied to it. Some cloud providers actually own your data once you transfer it to their platform; others can use it and sell it to third parties to use for marketing. If your cloud provider is doing this with your data and your clients' data, you are liable if your client objects or if the data is mishandled.
So what can you do about this to make sure you don't land in hot water?
The TPB has outlined some guidelines to follow and what to ask of your cloud provider:
1. Whether information is being held offshore (that is, information that is stored or processed in equipment not located in Australia) and, if so, the consequences (including relevant additional legislative and regulatory requirements that the information may be subject to)?
Location is a really important factor for Cloud storage. Remember that although it’s called the Cloud, there still needs to be a physical location with servers storing your data. These are called Server Farms and, more often than not, they are located in countries that have low operational costs and lax laws around privacy and data sovereignty.
Some providers keep their servers in countries where it’s cheaper to run and maintain them, but these countries are often susceptible to natural or man-made disasters. The other issue is the privacy and ownership laws in the country where the servers are kept.
2. What processes does the cloud provider have in place in relation to the backup and archiving of information (such as multiple backup servers)?
Following on from the threat of disaster, you need to ensure that if something bad does happen (fingers crossed it doesn't!) there is a Disaster Recovery Plan in action.
Make sure your provider is utilising a two-step backup, so that if disaster strikes and wipes out one, the other is still functional and your data is safe. Good Cloud Providers will have two separate data centres in different locations that continuously back up your data.
3. Whether ownership of data is retained once migrated to the cloud
It is important to know that you retain ownership and control of your data. This can be an issue with overseas Server Farms, but it can also be an issue with Cloud Hosting and companies in Australia. There can be some very sneaky terms in the fine print of contracts, so make sure you go over them with a fine-tooth comb.
These issues can all have huge impacts on the security of your data and should be taken very seriously. The good news is it’s pretty easy to find out if you’re at risk by looking through your contract and speaking to your provider.