ON THE FUTURE OF CLOUD COMPUTING IN POLICING OPERATIONS AND DATA MANAGEMENT ACROSS AUSTRALIA AND NEW ZEALAND Initial Scoping Paper
Prepared by Kanika Kakkad. The author wishes to express thanks to Alastair Ross, Linzi Wilson‐Wilde, Dean Catoggio and Kathy Laster for their support and contribution to the development of this paper.
Disclaimer This project report is for general information purposes only. The views expressed in this report are not necessarily those of ANZPAA and/or ANZPAA NIFS. ANZPAA and/or ANZPAA NIFS have taken all reasonable measures to ensure that the content contained within this report is correct. ANZPAA and/or ANZPAA NIFS give no warranty nor accept responsibility for the accuracy or the completeness of the material.
Page 1 of 40 Contents
EXECUTIVE SUMMARY 4
FOREWORD 5
SECTION 1 6 Understanding the Cloud 6 1.1 Defining Cloud Computing 6 1.2 The Changing Environment 7 1.3 Cloud Technology within Public Agencies 8 1.4 Budgeting for the Cloud 9 1.5 Application of the Cloud in Law Enforcement 9
SECTION 2 11 Summary of Benefits 11 2.1 Benefit 1: Operations Cost Reduction 11 2.2 Benefit 2: Service Availability 11 2.3 Benefit 3: Scalability 12 2.4 Benefit 4: Increased Security 12
SECTION 3 13 Risk Mitigation 13 3.1 Risk 1: Unauthorised access to sensitive information 13 3.2 Risk 2: Unintended access to data under foreign laws 14 3.3 Risk 3: Reliability and performance requirements 15 3.4 Risk 4: Cost of migration to the cloud 16 3.5 Risk 5: Unrecoverable damage or destruction of data 16
SECTION 4 18 Legal Implications in Australia and New Zealand 18 4.1 Commonwealth and the Australian Capital Territory 18 4.2 Northern Territory 20 4.3 New South Wales 21 4.4 Queensland 21 4.5 South Australia 22 4.6 Tasmania 23 4.7 Victoria 23 4.8 Western Australia 25
Page 2 of 40 4.9 New Zealand 26
SECTION 5 28 Observations 28 5.1 Observation 1 28 5.2 Observation 2 28 5.3 Observation 3 28 5.4 Observation 4 29
APPENDIX A: REFERENCES 30 Articles 30 Books 31 Case Law 31 Legislation and Regulations 31 Reports 32 Websites 33
APPENDIX B: PROPOSED SURVEY QUESTIONNAIRE 35
Page 3 of 40 Executive Summary
Amongst law enforcement agencies in both Australia and New Zealand, there is consensus for the need to at least consider the cloud as a means of bolstering information technology support systems. This report is intended to serve as an initial scoping paper, highlighting the major factors which might contribute to an agency’s decision to migrate to the cloud. It aims to communicate with policy and decision makers across the ten policing jurisdictions so as to better inform future directions in strategy planning. The report commences by examining the basic definition of cloud computing, and the role that it has come to play within the context of a rapid technological evolution in operational policing. Attention is drawn to the use of the cloud by local public sector organisations and international law enforcement agencies, in noting the experience of other entities facing similar issues. The report also makes general observations regarding the application of this technology in policing operations within Australia and New Zealand. The second and third sections explore the principal benefits and risks involved in migration to the cloud, as well as a brief discussion as to how those risks may be managed or otherwise mitigated. The benefits identified include a reduction in operational costs, an increase in service availability, flexibility in scaling resources, and increased security. The risks include unauthorised access to personal information, unintended access to data under foreign legal regimes, potential weaknesses in meeting reliability and performance standards, the initial cost of migrating to the cloud, and the possibility of an irrevocable loss of data. The fourth section deliberates upon the legal implications for policing agencies. Amongst a range of possible legal issues, the report identifies actions in privacy as the principal concern when considering migration to the cloud. Whilst there is a notable lack of precedent illustrating the application of privacy legislation, the report provides a general overview of the major provisions applicable in each of the ten jurisdictions in Australia and New Zealand. The final section of the report highlights the need for further research into the complexities of the issue at hand, in order to thoroughly assess the viability of cloud computing technology as a means to serve the current and future needs of law enforcement agencies. It outlines a series of observations which emerge from the findings of this report: 1. That the Australia New Zealand Policing Advisory Agency should engage in further research to better understand the current positions and perceptions of senior information officers within policing agencies. 2. That policing agencies should engage in a thorough and informed Risk Assessment to gauge the viability of a cloud solution for their individual circumstances. 3. That policing agencies should consider larger shifts in budget structure and in information technology strategy to allow for and support migration to the cloud. 4. That policing agencies should consider drafting contractual terms which may render a cloud option viable under their jurisdiction’s legal framework. Such terms may need to be considered with relation to the relative increase in cloud provider costs.
Page 4 of 40 Foreword
This scoping paper comes at an opportune time as law enforcement bodies grapple with the newest generation of technological advancements and their revolutionary effects on policing operations. The most prominent of these innovations, cloud computing has been heralded as the future of information technology infrastructures, despite being largely untested. Policing agencies, regularly subject to an extraordinary level of public scrutiny, have traditionally found the decision to migrate to the cloud to be highly difficult and politically volatile. Indeed, the prospect of relinquishing physical control of sensitive information, and relying on private providers to adopt appropriate security measures, comes hand in hand with understandable reservations. However, the challenges facing policing agencies today are unprecedented. Whereas once, law enforcement officials were operating within hierarchical communication structures and conventional criminal enterprises, today, they are required to work with the pressures of real‐time investigation methods and with a sizeable increase in information storage demands. Within the scope of these challenges may come the need to renounce old practices for new strategies and management techniques which see to the sustainability of long‐term information technology structures. Indeed, the most efficient means of moving forward into the new technological generation will likely be through consensus between jurisdictions, and reconciliation of differences in data storage and processing, whether for the forensic laboratory or for the courtroom. In their most recent Directions Paper, the Standing Council on Police and Emergency Management (SCPEM) highlighted this very need for agencies to undergo a reassessment of their data management outlook.
SCPEM DIRECTIONS PAPER (DIRECTION 4.4) “POLICING ORGANISATIONS SHOULD IMPROVE THE EFFICIENCY AND EFFECTIVENESS OF THEIR SYSTEMS AND PROCESSES BY: • BETTER UNDERSTANDING COSTS AND BENEFITS AS A BASIS FOR IMPLEMENTING IMPROVEMENTS; • ADOPTING CONSISTENT APPROACHES TO GATHERING, STORING AND SHARING INFORMATION; • TAKING OPPORTUNITIES FOR CROSS‐JURISDICTIONAL CONVERGENCE WHEN IMPLEMENTING CHANGES.”1
In response to the Directions Paper, this report contends that cloud technology may prove to be a viable option for policing agencies. At the very least, it is becoming increasingly clear that agencies need to invest in both resources and time to consider the broad options available through cloud services. This report will aim to serve as a point of reference for the major factors which may inform such a consideration.
1 Australia, Standing Council on Police and Emergency Management, Directions in Australia New Zealand Policing 2012 ‐ 2015 (2012). Page 5 of 40 Section 1
Understanding the Cloud 1.1 Defining Cloud Computing In the commercial sector, cloud computing has emerged as today’s most significant factor in moulding data management strategies. Essentially, the technology stores data and software applications on geographically remote servers, rather than relying on hardware which is in the physical possession of the organization. Multiple servers may form a distributed network in different geographical locations. These remote servers – the cloud – can then be accessed via the internet, through computers, tablets, smartphones, or any other operational device with internet capabilities. Use of the cloud has accelerated greatly due to its popularity amongst consumers. Individuals use cloud technology daily in order to back up music files, share photos, send emails, and for a range of other activities. Popular consumer applications such as YouTube, Facebook and Gmail are all examples of this technology.2 This form of cloud usage is known as the SaaS model; however providers have introduced other options which may be more akin to the needs of organisations. SERVICE MODELS • INFRASTRUCTURE AS A SERVICE (IAAS): THE VENDOR SUPPLIES, CONTROLS, AND MAINTAINS THE PHYSICAL COMPUTER HARDWARE, WHICH MAY BE SHARED AMONGST MULTIPLE CUSTOMERS. THE CUSTOMER RUNS, CONTROLS, AND MAINTAINS OPERATING SYSTEMS AND SOFTWARE APPLICATIONS OF THEIR CHOICE. • PLATFORM AS A SERVICE (PAAS): THE VENDOR SUPPLIES, CONTROLS, AND PROVIDES IAAS SERVICES AS WELL AS OPERATING SYSTEMS AND WEB SERVER APPLICATIONS. THE CUSTOMER DEVELOPS, CONTROLS, AND MAINTAINS SOFTWARE APPLICATIONS. • SOFTWARE AS A SERVICE (SAAS): THE VENDOR PROVIDES SOFTWARE APPLICATIONS WHICH ARE ACCESSIBLE THROUGH A WEB BROWSER, ELIMINATING THE NEED FOR THE CUSTOMER TO INSTALL OR MAINTAIN ADDITIONAL SOFTWARE. THE CUSTOMER HAS VERY LITTLE CONTROL OVER THE PLATFORM. Within organisations, security concerns regarding the physical vulnerability of the internet and of remote storage solutions led to the development of the private cloud, and other deployment models. Whilst the models use the same technology, the use and management of the cloud changes to reflect security constraints. The community cloud model, which sees the sharing of a cloud between a set of organisations, is a particularly attractive model for policing agencies.
DEPLOYMENT MODELS • PUBLIC CLOUD: THE ORGANISATION SHARES A VENDOR’S CLOUD INFRASTRUCTURE WITH MEMBERS OF THE PUBLIC. • PRIVATE CLOUD: THE ORGANISATION HAS EXCLUSIVE USE OF CLOUD INFRASTRUCTURE, MANAGED EITHER BY THE ORGANISATION OR BY A VENDOR. THIS MODEL HAS REDUCED COST EFFICIENCY, BUT ALSO REDUCED SECURITY CONCERNS.
2 Wyllie D, ‘Police Data in the Cloud: Security and Storage Solutions,’ PoliceOne News, 30 September 2012
1.2 The Changing Environment The use of technology in the law enforcement community has grown exponentially. Three Australian states have adopted the Interactive Crime Scene Recording System software, which constructs 5 interactive 360 degree digitised perspectives of the crime scene for use in investigation and at trial. The vast majority of fingerprinting is conducted using LiveScan software which is linked to national 6 databases which shorten week‐long searches to less than an hour. Police and forensics units have begun to use tablets and other wireless technology at the crime 7 scene, to facilitate real time identification of offenders. Agencies are even encouraged to use video links for court hearings in order to reduce security risks involved in transporting prisoners from jail to 8 court.
3 Mell P and Grance T, for United States, National Institute of Standards and Technology, Department of Commerce, The NIST Definition of Cloud Computing (2011). 4 Australia, Defence Signals Directorate, Department of Defence, Cloud Computing Security Conditions (2012). 5 ‘Technological Aids to Prosecution,’ The Australasian Institute of Judicial Administration
1.3 Cloud Technology within Public Agencies By 2011, 74% of private companies across the world were using cloud technology.10 In Australia, only 11% do not have plans to adopt it in the next few years.11 The many advantages of the cloud have been exploited not only by private industry, but have proven increasingly popular in the public sector. In Australia, the federal government has set up GovDex, a cross‐departmental community cloud which has since been used as a model for state government initiatives.12 Other prominent examples include the launch of the Australian Tax Office’s eTax system. Internationally, policing agencies have migrated onto the cloud, or are planning to do so in the next 24 months. However, despite the trend, the law enforcement community in Australia and New Zealand has remained somewhat sceptical of the capacity of this technology. WILLIAM BROER OF THE DUTCH POLICE STATES THAT “POLICE OFFICERS IDENTIFIED A GAP BETWEEN POLICE LEGACY SYSTEMS AND THE GROWING TREND FOR APP STORES AND CLOUD COMPUTING. TO COUNTER THIS, WE WANTED TO TRANSITION TO A CLOUD‐BASED MODEL FOR BETTER INFORMATION SHARING, BOTH INTERNALLY AND EXTERNALLY. [THE TECHNOLOGY] IS AIMED AT A NEW STYLE OF POLICING, MAKING USE OF THE LATEST TOOLS FOR ANALYSING DATA AND APPS FOR SUPPORTING DAILY ROUTINE.”13 Policing agencies have migrated onto cloud computing technologies in order to reshape their management of data and operations. Whilst most agencies are still in development mode, many cases seem to imply strong results. In the United States, the Criminal Justice Information Services (CJIS) division of the Federal Bureau of Investigation (FBI) have released a the CJIS Security Policy 5.1,14 which does not disqualify cloud possibilities for the 18 000 police agencies operating across the nation. In Europe, several policing agencies have employed the t‐Police management solution developed by the global consulting firm Capgemini on Oracle platforms, including their specialised Integrated Policing Platform.15
9 Roman J, ‘Careers in Digital Forensics,’ Gov Info Security, 19 August 2011
1.4 Budgeting for the Cloud Cost reduction is one of the major advantages to cloud computing, and particularly pertinent to law enforcement as agencies work within restrictive public budgets. Cloud providers offer the very attractive pay‐as‐you‐go model, whereby agencies are charged only for what they actually use. This option is not available in private or communal government servers, and has the potential to significantly reduce costs. TO PROVIDE A ROUGH IDEA, A SMALL CLOUD SERVER MAY COST AS LITTLE AS TWO CENTS PER HOUR, WHILE A CLOUD DATA STORAGE SOLUTION MAY COST AS LITTLE AS ONE CENT PER GIGABYTE PER MONTH.20 However, migration to the cloud does require a re‐assessment of the traditional budgeting structure. Generally, cloud providers will offer unbundled pricing options for distinct services, for example, for storage, CPU time, and access time. Experts warn that agencies, therefore, run the risk of unanticipated costs arising through mismanagement of usage.21 Agencies may find that it is more beneficial to engage in a contract which provides for a fixed monthly cost per user.22
1.5 Application of the Cloud in Law Enforcement The use of the cloud in the context of law enforcement can be broken into three general categories: • Administrative Functions. • Analytical and Database Functions. • Mission‐Critical Functions. Administrative functions have been among the first adopted by traditionally conservative law enforcement agencies. These commonly include email communication, storage of unclassified documents, human resources management and customer relations.
16 Capgemini Consulting, Transform Police (t‐Police) Solution (2012); Capgemini Consulting, The Long Arm of the Law (2009). 17 Capgemini and Microsoft Plan to Offer Accelerated Cloud Services in 22 Countries,’ op cit 18 Capgemini Consulting, Transform Police (t‐Police) Solution (2012) 19 Roberts DJ, ‘Cloud Computing in Law Enforcement: Survey Results and Guiding Principles,’ Technology Talk, The Police Chief, 1 March 2013.
23 Freedom of Information Act 1982 (Cth); Australian Information Commissioner Act 2010 (Cth); Privacy Act 1988 (Cth); Evidence Act 1995 (Cth) 24 Wormeli P, op cit, p 13 25 Id 26 Id Page 10 of 40 Section 2
Summary of Benefits Migration to the cloud is often perceived as a decision best left to large companies with equally large budgets, but in fact this assumption could not be further from the truth. It is actually smaller agencies and businesses that stand to reap the largest benefits from cloud computing. Smaller agencies generally are restricted by the need to work within the constraints of limited resources and fragmented intelligence gathering, to nevertheless prevent crime and as respond to their community’s specific needs.
2.1 Benefit 1: Operations Cost Reduction Cloud computing is based on the agency paying only for the resources that it actually uses, and can therefore be a highly efficient means of minimizing cost. In a SaaS service model, where the vendor provides the equipment and the software, the agency only needs to provide computers with browsers. The agency will therefore avoid the cost of: • purchasing and maintaining the server • software licenses for the server and the computers • maintaining the software • keeping staff to ensure the effective running of the server and software. These costs can be re‐allocated to other resources, and facilitate confidence in the effective management of taxpayer money. In addition, savings can be garnered through the defragmentation of various information banks, specifically in removing duplication, providing a single point of reference, and enabling efficient real‐time investigation through mobile access to databases. THE UNITED KINGDOM POLICE SERVICE CLAIMS TO HAVE REDUCED COSTS BY MORE THAN £15 MILLION BY MIGRATING TO A DATA MANAGEMENT SYSTEM WHICH INVOLVED CLOUD USE.27 MEANWHILE, THE COMMONWEALTH BANK OF AUSTRALIA’S CHIEF INFORMATION OFFICER MICHAEL HARTE NOTED SAVINGS OF “TENS OF MILLIONS OF DOLLARS” WITHIN 12 MONTHS OF THE BANK INCORPORATING CLOUD TECHNOLOGY INTO THEIR BUSINESS PRACTICES.28
2.2 Benefit 2: Service Availability Cloud computing data centres are equipped with redundancy and environmental controls that greatly surpass most law enforcement computer centres. Up‐time in these centres is therefore significantly higher.29
27 Capgemini Consulting, Transform Police (t‐Police) Solution (2012) 28 Foo F, ‘State’s Secrets Under a Cloud,’ The Australian, 26 March 2013
2.4 Benefit 4: Increased Security Cloud computing data centres generally have far greater security against physical interference and threats from hackers, as compared to protection available at government data centres.31
30 Foo F, op cit 31 Wormeli P, op cit, p 10 Page 12 of 40 Section 3
Risk Mitigation A survey of senior‐level IT executives across the ten policing jurisdictions in Australia and New Zealand has revealed that there is a general apprehension regarding migration to cloud computing. This theory is supported by anecdotal evidence from a wider range of executives and senior personnel, who have identified similar concerns with the new technologies. In particular, executives expressed uneasiness with regard to the use of the cloud for data storage purposes. Many had not seriously considered applying the technology to mission‐critical applications such as CAD or RMS, and therefore did not see that as their greatest concern. This trend is at odds with the perceived uses of cloud computing as they stand internationally, in particular in the United States, where there seems to be significant discourse as to the advantages and disadvantages of cloud‐based mission‐critical applications.32 The concerns expressed by law enforcement executives are legitimate ones. Cloud technologies are almost universally considered to not yet have reached maturity, and the law governing law enforcement cloud use remains largely untested, both here and in overseas jurisdictions. More generally, the use of the cloud represents a growing interdependence between the public and private sectors; a trend which may evoke both positive and negative consequences. However, this is not to say that the concerns are insurmountable, or that they cannot be managed with appropriate identification and mitigation efforts. Certainly, many reports speak to the “mounting body of evidence that the use of cloud computing … is inevitable in law enforcement information technology.”33
3.1 Risk 1: Unauthorised access to sensitive information Globally, the most immediate concern regarding the use of the cloud in law enforcement is often with regard to the security of sensitive information. Executives clarified that they had very little hesitation in using cloud‐based data management techniques for publicly available information, but that often the type of data which required large storage capacities was generally classified. This is especially true of forensic data from crime scenes, and of state‐based forensic database systems established for criminal history or for identification purposes. A RECENT SURVEY BY THE INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE (IACP) FOUND THAT 44% OF LAW ENFORCEMENT AGENCIES WERE CONCERNED THAT CLOUD SOLUTIONS DID NOT MEET THEIR STANDARDS FOR DATA SECURITY. 70% OF RESPONDENTS NAMED THEIR GREATEST CONCERN TO BE EXTERNAL THREATS ON THE CLOUD INFRASTRUCTURE.34 Storage of privileged data on a remote server does indeed run a greater risk of an unauthorised individual accessing sensitive information, whether intentionally or unintentionally. This may potentially compromise operations or criminal investigations, risk the safety of civilians or police personnel, and aid offenders in the commission of criminal activities. The risk is greater on an internet‐based cloud as compared to localised data centres, due to the simple fact that the internet is so readily accessible by people throughout the world.
32 Wormeli P, op cit, p 15 33 Wormeli P, op cit, p 16 34 International Association of Chiefs of Police, Leveraging the Cloud for Law Enforcement: Survey Results (2013) Page 13 of 40 Private businesses share the security concerns identified by law enforcement agencies, and in response, commercial cloud providers have set up very strong protections against hacking into their data centres. Cloud providers can generally assure greater levels of security than traditional on‐site systems. For example, misconfiguration incidents, which involve security breaches through human error such as forgetting to activate security options or change default passwords, are 12 times more common on‐site.35 AN ABERDEEN GROUP STUDY FOUND THAT “COMPARED TO COMPANIES USING ON PREMISE WEB SECURITY SOLUTIONS, USERS OF CLOUD‐BASED WEB SECURITY SOLUTIONS HAD 58% FEWER MALWARE INCIDENTS OVER THE LAST 12 MONTHS, 93% FEWER AUDIT DEFICIENCIES, 45% LESS SECURITY‐RELATED DOWNTIME, AND 45% FEWER INCIDENTS OF DATA LOSS OR DATA EXPOSURE.”36 Risks of unauthorised access can be further mitigated through the employment of measures such as data encryption while the information in question is both at rest and in motion. These measures must be negotiated and settled through contractual terms with the cloud provider. Such terms will be familiar territory for most law enforcement agencies, who already engage third party contractors to deal with sensitive information. Victoria Police, for example, already contract with Fujitsu and Motorola to ensure that encryption codes protect communications via police radio.37 Additional assurance can be provided through third‐party accreditations of the physical security measures in place at the data centres, for example, the Australian Security Intelligence Organisation T4 Protective Security Section.38 The Australian Defence Signals Directorate also recommends that agencies retain full control of encryption keys, and take steps to ensure that the service provider’s employees undergo stringent security clearances.39
3.2 Risk 2: Unintended access to data under foreign laws Information retained within a private provider may be lawfully seized by a foreign government if that information is stored on overseas servers, or even if the provider is owned by an overseas entity. In such situations, the law of a foreign country may apply to policing agencies within Australia and New Zealand, and data may therefore by handed over to foreign authorities without consent or indeed notice. A clear example is the United States’ Patriot Act, which gives powers of data seizure to the United States government, at their own discretion. This power is unaffected by agreed contractual terms between parties. Microsoft has been the first major cloud provider to admit this vulnerability in a recent White Paper, which explicitly stated that in certain circumstances, Microsoft “may need to disclose data without ... prior consent.”40 Microsoft United Kingdom’s Managing Director, Gordon Frazer further clarified that whilst they would generally comply with contractual terms to hold data within a particular geographic area, those terms could be superseded in circumstances such as a response to a valid legal subpoena.41 In
35 Wormeli P, op cit, p 17 36 Brink D, ‘Web Security in the Cloud: More Secure! Compliant! Less Expensive!’ Aberdeen Group, 1 May 2010
3.3 Risk 3: Reliability and performance requirements Cloud computing also raises concerns regarding the reliability of the internet in ensuring that minimum performance standards are met, particularly with reference to mission‐critical applications. This is particularly pertinent with regard to CAD systems, which may often deal with the life‐or‐death situation of the civilian calling for assistance. CAD systems operate by insisting on an availability of five nines: 99.999%, which indicates that the system can only be down for 5.26 minutes per year.46 They also require consistent sub‐second response times, regardless of how many customers are using the system at the time. In outsourcing to a third‐party cloud provider, agencies should negotiate contractual terms to ensure the continuing availability of crucial applications. Experts suggest that the provider will likely have to offer a fully redundant system with no single point of failure, and sufficient bandwidth, in order to meet this requirement.47 Other applications, which require a lesser standard of availability and response times, may not need the same level of contractual protection. It is contended that international commercial cloud providers and CAD software companies are capable of meeting the requirements to ensure reliability and performance for mission‐critical operations.48 This can be achieved through a series of initiatives, including the use of modern architecture which allows for message exchange by locally interconnected workstations independent of network connectivity, and through performance monitoring software which alerts system managers to any compromise in standards. It is unclear whether commercial providers based in Australia and New Zealand have reached a level of maturity where they are capable of meeting these requirements. Commercial cloud providers are aware of the need to meet performance requirements, and have proven able to meet contractual stipulations better than the capabilities of most law enforcement agencies.49
42 Whittaker Z, ‘Microsoft: We Can Hand Over Office 365 Data Without Your Permission,’ ZD Net, 23 June 2011
3.4 Risk 4: Cost of migration to the cloud Migration to the cloud is likely to require an initial investment of funds to respond to equipment, software, data migration and training needs. However, experts claim that the reality of these costs is relatively minor compared to current perception.51 Cloud providers fundamentally operate on a rental basis for almost all services, including software, and often the initial equipment required will be readily available within an agency’s existing resources.52 This may be limited to personal computers and hardware needed to connect to the Internet. Data migration costs may be minimised significantly if the agency’s current systems provider offers a cloud option. MARK FETHEROLF, THE CHIEF TECHNOLOGY OFFICER OF INTERACT, ESTIMATES THAT IN MIGRATING TO THE CLOUD, “THE LIFE CYCLE COST SAVINGS THAT ARE POSSIBLE FOR A SINGLE AGENCY APPROACH 70%.”53 Costs may again be of concern when considering possible means of mitigating the risk of unauthorised access to sensitive material. There may be considerable costs associated with the repeated encryption and decryption of live information. An agency may wish to consider a hybrid model, where the primary use of cloud services is limited to archived material. There may also be substantial costs in negotiating specific contractual terms in order for the agency to meet legislative and regulatory standards. It is possible that these costs may be greater in the context of Australia and New Zealand, where the competitive market for cloud computing providers is still at its infancy in comparison to other countries. It is recommended that the individual agency undertake a thorough Return on Investment (ROI) evaluation to assess each individual element relating to cloud migration. Experts recommend that agencies consider a 10‐year projection to compare cloud computing costs with traditional on‐site infrastructures.54 Agencies should keep in mind that the costs are often overstated, and that international experience has indicated that there are distinct cost savings which emerge from an ROI analysis.55
3.5 Risk 5: Unrecoverable damage or destruction of data Risks involved with remote storage might include the damage or destruction of data, which may then be difficult or impossible to recover. Whilst such risks are also associated with traditional data management techniques, the potential for such an occurrence on the cloud has been recognised as being quite distinct.56 Experts note that the very business of commercial cloud providers is to protect against loss resulting from natural disasters or attacks on data centres. Providers are generally highly adept at maintaining the continuity of operations and guarding against loss; often proving to be much more effective than traditional on‐site infrastructures.57
50 Wormeli P, op cit, p 19 51 Wormeli P, op cit, p 21 52 Id 53 Id 54 Id 55 Id 56 Wormeli P, op cit, p 22 57 Id Page 16 of 40 The greater concern may be where a provider suddenly goes out of business, thereby rendering the data potentially unavailable. Some experts suggest mitigation of this risk by the use of multiple cloud providers.58 This can be achieved through new software services which automatically split and duplicate data in order to minimise any potential risk of loss.
58 Wormeli P, op cit, p 22 Page 17 of 40 Section 4
Legal Implications in Australia and New Zealand In addition to practical concerns, policing agencies across the jurisdictions see the imposition of legal and regulatory standards as being a significant obstacle to their use of cloud computing. Anecdotal evidence suggests that legal professionals within policing networks also have hesitations due to the lack of judicial precedent specific to the application of laws and data security regulations as they relate to new cloud technologies. The framework of legislative standards, and the resulting liability of law enforcement agencies, is specific to each jurisdiction within Australia and New Zealand. In outsourcing data management to the cloud, policing agencies may be exposed to a range of legal causes of action. These may include negligence and equitable breach of confidence. However, the principal basis for liability is most likely to be an action in privacy arising from any potential unauthorised leakage of information. Privacy is particularly pertinent due to the fact that agencies are under statutory obligations dictating terms for the retention and destruction of personal information.59 There is currently no tort of privacy in Australia.60 However various jurisdictions have enacted legislative schemes to regulate the issue. The central issue seems to be a need to seek clarity behind privacy legislation which remains largely untested in the context of unauthorised disclosures by policing agencies. This report will assess the most relative overarching legal framework to be considered by each jurisdiction, whilst acknowledging the existence of supporting legal requirements pertinent to specific forms of data. For example, forensic DNA databases are governed by a complex web of legislative provisions.61 It will not consider issues of disclosures which are divorced from the use of the cloud, for example by police officers acting beyond their duty. It will also not consider internal security standards adjacent to legislation, as these standards are generally a point of guidance for policing agencies rather than a binding framework enforced by an independent party.
4.1 Commonwealth and the Australian Capital Territory The Commonwealth legislative scheme on privacy centres on the Privacy Act 1988 (Cth). The Act lists 11 Information Privacy Principles (IPPs) to govern public sector agencies including the Australian Federal Police (AFP), and 10 National Privacy Principles (NPPs) to govern private enterprises, including cloud providers. PRIVACY ACT 1988 (CTH), SECTION 14: INFORMATION PRIVACY PRINCIPLES 4 A RECORD‐KEEPER WHO HAS POSSESSION OR CONTROL OF A RECORD THAT CONTAINS PERSONAL INFORMATION SHALL ENSURE: THAT THE RECORD IS PROTECTED, BY SUCH SECURITY SAFEGUARDS AS IT IS REASONABLE IN THE CIRCUMSTANCES TO TAKE, AGAINST LOSS, AGAINST UNAUTHORISED ACCESS, USE, MODIFICATION OR DISCLOSURE, AND AGAINST OTHER MISUSE; AND THAT IF IT IS NECESSARY FOR THE RECORD TO BE GIVEN TO A PERSON IN CONNECTION WITH THE PROVISION OF A SERVICE TO THE RECORD‐KEEPER, EVERYTHING REASONABLY
59 Freedom of Information Act 1982 (Cth); Australian Information Commissioner Act 2010 (Cth); Privacy Act 1988 (Cth); Evidence Act 1995 (Cth) 60 Lenah Game Meats Pty Ltd v Australian Broadcasting Corporation [1999] TASSC 114 61 Crimes Act 1914 (Cth); Crimes (Forensic Procedures) Act 2000 (ACT); Crimes (Forensic Procedures) Act 2000 (NSW); Police Administration Act (NT); Police Powers and Responsibilities Act 2000 (Qld); Criminal Law (Forensic Procedures) Act 2007 (SA); Forensic Procedures Act 2000 (Tas); Crimes Act 1958 (Vic); Criminal Investigation (Identifying People) Act 2002 (WA) Page 18 of 40 WITHIN THE POWER OF THE RECORD‐KEEPER IS DONE TO PREVENT UNAUTHORISED USE OR DISCLOSURE OF INFORMATION CONTAINED IN THE RECORD. The IPPs, which apply to the AFP,62 suggest that in cases of outsourcing data management, the necessary standard expected of the AFP is that they do “everything reasonably within [their] power” to ensure data security. This standard has not yet been the subject of interpretation by the Courts, and therefore, the law remains unclear. It has been suggested that this standard might be met with a two‐step response by the AFP to prevent any leakage of sensitive data. Firstly, there should be adequate engagement to ensure stringent contractual terms are established in the agreement with the cloud provider, which meet or surpass the security standards expected from AFP employees. Secondly, there should be efforts to regularly audit the cloud provider to ensure compliance with those standards. It should be noted that any incorporated cloud provider working for the AFP will themselves be bound by IPP 11, and subject to the NPPs under the Act, but that providers working for State and Territory governments will not.63 PRIVACY ACT 1988 (CTH), SCHEDULE 3: NATIONAL PRIVACY PRINCIPLES 4.1 AN ORGANISATION MUST TAKE REASONABLE STEPS TO PROTECT THE PERSONAL INFORMATION IT HOLDS FROM MISUSE AND LOSS AND FROM UNAUTHORISED ACCESS, MODIFICATION OR DISCLOSURE. 4.2 AN ORGANISATION MUST TAKE REASONABLE STEPS TO DESTROY OR PERMANENTLY DE‐ IDENTIFY PERSONAL INFORMATION IF IT IS NO LONGER NEEDED FOR ANY PURPOSE FOR WHICH THE INFORMATION MAY BE USED OR DISCLOSED UNDER NATIONAL PRIVACY PRINCIPLES. 9.1 AN ORGANISATION IN AUSTRALIA OR AN EXTERNAL TERRITORY MAY TRANSFER PERSONAL INFORMATION ABOUT AN INDIVIDUAL TO SOMEONE (OTHER THAN THE ORGANISATION OR THE INDIVIDUAL) WHO IS IN A FOREIGN COUNTRY ONLY IF: THE ORGANISATION REASONABLY BELIEVES THAT THE RECIPIENT OF THE INFORMATION IS SUBJECT TO A LAW, BINDING SCHEME OR CONTRACT WHICH EFFECTIVELY UPHOLDS PRINCIPLES FOR FAIR HANDLING OF THE INFORMATION THAT ARE SUBSTANTIALLY SIMILAR TO THE NATIONAL PRIVACY PRINCIPLES; OR […] THE ORGANISATION HAS TAKEN REASONABLE STEPS TO ENSURE THE INFORMATION WHICH IT HAS TRANSFERRED WILL NOT BE HELD, USED OR DISCLOSED BY THE RECIPIENT OF THE INFORMATION INCONSISTENTLY WITH THE NATIONAL PRIVACY PRINCIPLES. Importantly in the context of cloud computing, section 6 of the Act states that a NPP cannot be said to have been breached by a private organisation if disclosure of information occurred outside Australian territory, and was required by a foreign law.64 Therefore, if the cloud provider and servers are based outside Australia, they may be obliged under foreign law to disclose information to foreign governments or law enforcement agencies. Any such disclosure will not be deemed to be a breach of the Privacy Act. Enforcement of the Privacy Act takes place through the Office of the Australian Information Commissioner (OAIC). The OAIC has the power to investigate an agency either upon receiving a complaint from an individual, or on the Commissioners’ own initiative. The OAIC also conducts audits and otherwise monitors agencies to prevent breaches of the Privacy Act. The OAIC undertakes to publish “Public Interest Determinations” (PIDs), which allow case‐by‐case exceptions to information disclosures which would otherwise breach the Privacy Act. Such exceptions are allowed at the Commissioner’s discretion under section 72 of the Act.
62 Privacy Act 1988 (Cth) s 16 63 South Australia, State Records of South Australia, Contracting and the Information Privacy Principles (2010) 64 Privacy Act 1988 (Cth) s 6A(4) Page 19 of 40 The AFP currently benefits from immunity under two such applications regarding unrelated matters of information disclosure.65 An application for a second PID may be another option for the AFP as a means to clarify the legal situation before entering into a contract with the cloud provider. The PID application could be made on the grounds of public interest policies regarding the need for updated and effective IT management strategies as directed by the SCPEM Directions Paper,66 the potential to re‐allocate taxpayer money into improving police resources, and the possibility of decreasing crime rates through the exploitation of the benefits listed in Section II of this report. The Privacy Act 1988 (Cth) also applies to the AFP’s community policing function in the Australian Capital Territory (ACT).67 In addition, the ACT is also subject to the Human Rights Act 2004 (ACT) which provides for the civil right against arbitrary breach of privacy.68 The Commonwealth legislation has recently been amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and those changes will commence as of March 2014. The IPPs will be replaced by a set of 13 new Australian Privacy Principles (APPs) which will apply to both the public and private sectors. A number of APPs will be significantly different from the existing principles. Pertinent to cloud technology, these include APP1 which relates to the open and transparent management of personal information, and APP8 regarding limits to cross‐border disclosure. The Commissioner will also have enhanced powers to oversee compliance with the APPs.
4.2 Northern Territory Northern Territory Police are overseen by the Information Act 2002 (NT) administered by the Office of the Information Commissioner. Similar to legislation from other jurisdictions, the Act establishes 10 IPPs which govern the collection and handling of information by public sector organisations. INFORMATION ACT 2002 (NT), SCHEDULE 2: INFORMATION PRIVACY PRINCIPLES 4.1 A PUBLIC SECTOR ORGANISATION MUST TAKE REASONABLE STEPS TO PROTECT THE PERSONAL INFORMATION IT HOLDS FROM MISUSE AND LOSS AND FROM UNAUTHORISED ACCESS, MODIFICATION OR DISCLOSURE. 9.1 A PUBLIC SECTOR ORGANISATION MUST NOT TRANSFER PERSONAL INFORMATION ABOUT AN INDIVIDUAL TO A PERSON (OTHER THAN THE INDIVIDUAL) OUTSIDE THE TERRITORY UNLESS: [...] THE ORGANISATION REASONABLY BELIEVES THAT THE PERSON RECEIVING THE INFORMATION IS SUBJECT TO A LAW, OR A CONTRACT OR OTHER LEGALLY BINDING ARRANGEMENT, THAT REQUIRES THE PERSON TO COMPLY WITH PRINCIPLES FOR HANDLING THE INFORMATION THAT ARE SUBSTANTIALLY SIMILAR TO THESE IPPS; OR [...] THE ORGANISATION HAS TAKEN REASONABLE STEPS TO ENSURE THAT THE INFORMATION WILL NOT BE HELD, USED OR DISCLOSED BY THE PERSON TO WHOM IT IS TRANSFERRED IN A MANNER THAT IS INCONSISTENT WITH THESE IPPS. Importantly, Section 70 of the Act specifically provides that the Northern Territory Police are exempt from all of the IPPs if it believes on reasonable grounds that non‐compliance is necessary for its community policing function. Compared to similar exemption provisions from other jurisdictions, it would seem that the Northern Territory Act is intended to have a much broader scope and illustrates more determinative language. The advantages of cloud computing to the overall community policing function of the Northern Territory Police will likely be sufficient in exempting them from liability under the Act.
65 Office of the Australian Information Commissioner
4.4 Queensland Queensland Police are subject to the Information Privacy Act 2009 (Qld) which contains 11 IPPs similar to those found in the Commonwealth legislation. The Act is monitored by the Queensland Office of the Information Commissioner. Importantly, Queensland Police are expressly exempt from certain IPPs if they are satisfied on reasonable grounds that noncompliance is necessary for the performance of activities related to the enforcement of laws.71 This exemption includes IPPs dealing specifically with the use and disclosure of information, and reiterates the responsibility placed on the policing agency to take reasonable steps to ensure that any third‐party provider does not disclose information for other purposes. However, Queensland Police is subject to Section 33 of the Act, which determines circumstances in which personal information may be sent out of Australia. The requirement that the same level of protection is upheld as provided for in the Act may render a contract with a cloud provider difficult, in light of the vulnerability of such information to foreign laws. INFORMATION PRIVACY ACT 2009 (QLD), SCHEDULE 3: INFORMATION PRIVACY PRINCIPLES 4 AN AGENCY HAVING CONTROL OF A DOCUMENT CONTAINING PERSONAL INFORMATION MUST ENSURE THAT – [...] IF IT IS NECESSARY FOR THE DOCUMENT TO BE GIVEN TO A PERSON IN CONNECTION WITH THE PROVISION OF A SERVICE TO THE AGENCY, THE AGENCY TAKES ALL REASONABLE STEPS TO PREVENT UNAUTHORISED USE OR DISCLOSURE OF THE PERSONAL INFORMATION BY THE PERSON.
69 Privacy and Personal Information Protection Act 1998 (NSW) s 27 70 Privacy and Personal Information Protection Act 1998 (NSW) s 23 71 Information Privacy Act 2009 (Qld) s 29(1)(a) Page 21 of 40 The Queensland legislation follows most other jurisdictions in mandating a standard of reasonableness. This is further compounded in Section 2 of IPP 4 which determines that Queensland Police must include security safeguards adequate to provide the level of protection that can reasonably be expected of them. It is likely that the standard of reasonableness expected of a policing agency will be higher than other organisations subject to the same IPPs. However, it still seems that the negotiation of appropriate contractual terms would not impede the use of cloud technology under these provisions. As a minimum, it is likely that these terms should stipulate that the provider is subject to the IPPs to the same extent as the agency,72 and provide for regular audits to ensure compliance. The Police Powers and Responsibilities Act 2000 (Qld) is also of importance in reference to privacy issues. The Act details general procedural guidelines in police practice, including obtaining and accessing information. The Act describes covert information‐gathering capabilities and the framework for determining authorised access to information, but is largely silent on the issue of third party providers or accidental unauthorised access. However, it does provide some limited guidance. POLICE POWERS AND RESPONSIBILITIES ACT 2000 (QLD), SECTION 354 1 THE CHIEF EXECUTIVE OFFICER OF A LAW ENFORCEMENT AGENCY – MUST ENSURE THAT EVERY RECORD OR REPORT OBTAINED BY THE USE OF A SURVEILLANCE DEVICE BY A LAW ENFORCEMENT OFFICER OF THE AGENCY UNDER A WARRANT, EMERGENCY AUTHORISATION, CORRESPONDING WARRANT OR CORRESPONDING EMERGENCY AUTHORISATION IS KEPT IN A SECURE PLACE THAT IS NOT ACCESSIBLE TO PEOPLE WHO ARE NOT ENTITLED TO DEAL WITH THE RECORD OR REPORT.
4.5 South Australia South Australia Police work within an administrative rather than legislative structure. At a general level, South Australia Police will be bound by the Information Privacy Principles Instruction, which establishes 10 IPPs reflecting legislative regimes in other jurisdictions. More specifically to data management processes, they will are subject to the Information Security Management Framework. Both documents were established under the direction of the South Australian Department of Premier and Cabinet, and are administered by a Privacy Committee, which in turn may refer them on to the Police Complaints Authority. INFORMATION PRIVACY PRINCIPLES INSTRUCTION, PART 2: INFORMATION PRIVACY PRINCIPLES 4 AN AGENCY SHOULD TAKE SUCH STEPS AS ARE, IN THE CIRCUMSTANCES, REASONABLE TO ENSURE THAT PERSONAL INFORMATION IN ITS POSSESSION OR UNDER ITS CONTROL IS SECURELY STORED AND IS NOT MISUSED. Similar to legislative schemes from other jurisdictions, the South Australian framework relies on a standard of reasonableness in ensuring data security. Recent amendments to the Information Privacy Principles Instruction have opened the framework to allow for information sharing with contracted service providers. In a statement released by the state government, these amendments were said to have been issued in recognition of the common practice of public agencies engaging private contractors.73 Specifically, the amended Section 5(A) of the Instruction ensures that both the agency and the provider are held equally accountable for data protection, and mandates contractual provisions between the parties to that effect. These provisions must allow for regular audits ensuring compliance by a cloud provider.
72 ‘Cloud Computing and the Privacy Principles,’ Office of the Information Commissioner Queensland
4.6 Tasmania Tasmania Police are subject to the provisions in the Personal Information Protection Act 2004 (Tas) which is overseen by the state’s Ombudsman. The Act outlines a series of Personal Information Protection Principles. However, Section 9 of the Act broadly states that a law enforcement agency is exempt from certain principles should it determine that non‐compliance is reasonably necessary in certain cases, including “for the purpose of any of its functions or activities.” Importantly, this exemption indicates that in those circumstances, Tasmania Police are not required to comply with Principle 9, which places limits on the disclosure of information outside Tasmania. Personal Information Protection Act 2004 (Tas), Schedule 1: Personal Information Protection Principles 4 A personal information custodian must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure. Principle 4, relating to data security, does however apply to Tasmania Police. As with other jurisdictions, they must adhere to a standard of reasonableness in protecting personal information. It would seem likely that this standard could be met with regard to adequate negotiations of contractual terms and in the delivery of audits to ensure compliance.
4.7 Victoria Victoria Police are uniquely subject to a two‐tiered model of legislative regulation. At the state government level, they must comply with the Information Privacy Act 2000 (Vic), and at a more
74 Information Security Management Framework 2012 (SA) s 7.2 75 Information Security Management Framework 2012 (SA) s 2.2 Page 23 of 40 direct level, with the Standards set and monitored by the Commissioner for Law Enforcement Data Security (CLEDS). Furthermore, Victoria Police are also expressly subject76 to the Charter of Human Rights and Responsibilities 2004 (Vic), which provides for the civil right against arbitrary breach of privacy.77 INFORMATION PRIVACY ACT 2000 (VIC), SCHEDULE 1: INFORMATION PRIVACY PRINCIPLES 4.1 AN ORGANISATION MUST TAKE REASONABLE STEPS TO PROTECT THE PERSONAL INFORMATION IT HOLDS FROM MISUSE AND LOSS AND FROM UNAUTHORISED ACCESS, MODIFICATION OR DISCLOSURE. 4.2 AN ORGANISATION MUST TAKE REASONABLE STEPS TO DESTROY OR PERMANENTLY DE‐ IDENTIFY PERSONAL INFORMATION IF IT IS NO LONGER NEEDED FOR ANY PURPOSE. As with other jurisdictions, the Information Privacy Act provides the base reference for data protection standards. It closely reflects the Commonwealth Privacy Act, but notably is not currently undergoing a similar process of reform. The Act determines a set of 10 Information Privacy Principles (IPPs). Any potential migration to the cloud would require compliance with IPP 4, which states that Victoria Police must take reasonable steps in protecting sensitive data. The limit of what constitutes “reasonable steps” for a policing agency is not a question that has come before Australian courts, and the law is therefore unclear. Whilst the IPPs apply to all organisations, both public and private, section 17 of the Act expressly provides for public sector agencies outsourcing data to private providers. Under this provision, Victoria Police can contract terms with a private cloud computing provider to render that provider equally liable under the Act for any breach of the IPPs. That is to say that the private provider will be liable to the same extent as Victoria Police, rather than merely as a private entity. It is possible that the courts would look favourably on such a contractual provision as proof of reasonable steps taken by Victoria Police to ensure data protection, particularly if supported by a framework ensuring regular audits. Furthermore, section 13 of the Act states that Victoria Police is not subject to certain identified IPPs.78 Importantly, this includes IPP 9.1 which regulates transborder data flow outside Victoria, and ordinarily requires organisations to ensure third parties also be subject to a regulatory framework similar to the IPPs. This exception effectively means that in relation to data protection, Victoria Police are only required to comply with IPPs 4.1 and 4.2, and unlike other organisations, need not impose any higher standards for information travelling across state or country borders. CLEDS is an independent statutory body established by the Commissioner for Law Enforcement Data Security Act 2005 (Vic) to institute Standards to ensure the security of policing data, and to monitor and audit compliance with those Standards.79 The regime was implemented in consultation with the Chief Commissioner of Police, through the publication of Standards in July 2007. In total, there are 43 CLEDS Standards which require mandatory compliance by Victoria Police, and set out a comprehensive framework of implementation guidelines to complement each direction. These include Standards relating to remote and mobile access, physical security of data centres, and risk and business continuity management. There are specific challenges faced by Victoria Police in ensuring compliance with these Standards. Particular to cloud computing are Standards 36 – 39, which guide relationships between Victoria Police and Approved Third Parties.
76 Charter of Human Rights and Responsibilities 2004 (Vic) s 4(1)(d) 77 Charter of Human Rights and Responsibilities 2004 (Vic) s 13 78 Information Privacy Act 2000 (Vic) s 13 79 Commissioner for Law Enforcement Data Security Act 2005 (Vic) s 11 Page 24 of 40 STANDARDS FOR VICTORIA POLICE LAW ENFORCEMENT DATA SECURITY, CLEDS 36 BEFORE PROVIDING ACCESS TO LAW ENFORCEMENT DATA TO AN APPROVED THIRD PARTY, VICTORIA POLICE MUST ENSURE THAT: THE RECEIVING ORGANISATION HAS BEEN GRANTED AUTHORISATION BY VICTORIA POLICE; THE RECEIVING ORGANISATION HAS A DEMONSTRATED NEED FOR LAW ENFORCEMENT DATA; THE RECEIVING ORGANISATION UNDERTAKES SECURITY MEASURES AT LEAST EQUAL TO THOSE TAKEN BY VICTORIA POLICE TO SECURE THE INFORMATION; AND ALL LAW ENFORCEMENT DATA EXCHANGED MEETS THE REQUIREMENTS FOR RELEASE. 37 AGREEMENTS MUST BE ESTABLISHED PRIOR TO THE EXCHANGE OF LAW ENFORCEMENT DATA BETWEEN VICTORIA POLICE AND APPROVED THIRD PARTIES [WHICH INCLUDE ALL APPLICABLE DETAILS AS FOUND IN PROTOCOL 37.1] 38 FORMAL EXCHANGE POLICIES, PROCEDURES, AND CONTROLS MUST BE IN PLACE TO PROTECT THE EXCHANGE OF LAW ENFORCEMENT DATA, APPLICABLE TO ALL TYPES OF COMMUNICATION FACILITIES [WHICH INCLUDE ALL PROTECTIVE PROCEDURES AND CONTROLS AS FOUND IN PROTOCOL 38.1] 39 VICTORIA POLICE MUST CHECK THE IMPLEMENTATION OF THE AGREEMENTS WITH APPROVED THIRD PARTIES AND MONITOR COMPLIANCE. MECHANISMS MUST BE ESTABLISHED TO ENSURE THAT ALTERATIONS TO VICTORIA POLICE OR APPROVED THIRD PARTIES LAW ENFORCEMENT DATA SYSTEMS AND/OR THEIR INTERFACES DO NOT REDUCE THE SECURITY AFFORDED TO VICTORIA POLICE BY THE AGREEMENT. These Standards, whilst more restrictive than frameworks found in other jurisdictions, take a fairly open approach to new technologies. It is important to note that they do not exclude the possibility for Victoria Police’s future engagement with cloud technology. However, unlike the Information Privacy Act and legislation in other jurisdictions, the Standards seem to be based on a strict liability framework, where the requirement is that of actually ensuring security rather than merely taking reasonable efforts to ensure it. Therefore, the CLEDS Commissioner is likely to place a strict and heavy burden on Victoria Police in case of any contractual misgivings.
4.8 Western Australia Western Australia Police is the only jurisdiction which is not subject to any legislative privacy scheme. In 2007, the Information Privacy Bill was introduced in Parliament. If enacted, it will create a regime of IPPs similar to those which exist in other states, and at the Commonwealth level. The IPPs will govern all public sector agencies, including Western Australia Police, and will be administered by an Information and Privacy Commissioner established under the same legislation. Currently, Western Australia Police operate on their own internal policy statement which applies a consistent approach to all types of information collected, stored and used, irrespective of whether the data is found in conventional or digital environments.80 Any challenges to police compliance with this statement are handled by the Office of the Western Australian Ombudsman.81 WESTERN AUSTRALIA POLICE PRIVACY POLICY THROUGH THE WESTERN AUSTRALIA POLICE, OFFICE OF INFORMATION MANAGEMENT, WE WILL, BY THE PROVISION OF SECURITY SAFEGUARDS, PROTECT YOUR PERSONAL INFORMATION THAT WE COLLECT AND STORE. THE LEVEL OF THESE SAFEGUARDS WILL BE APPROPRIATE TO THE SENSITIVITY OF THE INFORMATION.
80 Western Australia Police Privacy Policy (WA) 81 Ombudsman Western Australia
4.9 New Zealand The New Zealand privacy scheme is generally considered to be somewhat stronger than its Australian counterparts, and yet follows a very similar legislative approach. New Zealand Police are subject to the Privacy Act 1993 (NZ) alongside all other public and private entities which hold personal information. The Act defines a series of 12 IPPs which set out terms for the collection, storage, use and disclosure of such information. These IPPs are monitored by the Crown Privacy Commissioner under Part 3 of the Act. PRIVACY ACT 1993 (NZ), SECTION 6: INFORMATION PRIVACY PRINCIPLES 5 AN AGENCY THAT HOLDS PERSONAL INFORMATION SHALL ENSURE – THAT THE INFORMATION IS PROTECTED, BY SUCH SECURITY SAFEGUARDS AS IT IS REASONABLE IN THE CIRCUMSTANCES TO TAKE, AGAINST LOSS; AND ACCESS, USE, MODIFICATION OR DISCLOSURE, EXCEPT WITH THE AUTHORITY OF THE AGENCY THAT HOLDS THE INFORMATION; AND OTHER MISUSE; AND THAT IF IT IS NECESSARY FOR THE INFORMATION TO BE GIVEN TO A PERSON IN CONNECTION WITH THE PROVISION OF A SERVICE TO THE AGENCY, EVERYTHING REASONABLY WITHIN THE POWER OF THE AGENCY IS DONE TO PREVENT UNAUTHORISED USE OR DISCLOSURE OF THE INFORMATION. Similar to Australian legislation, the standard expected of New Zealand Police seems to be that they do “everything reasonably within their power” to prevent unauthorised access to personal information. As the law is not enforceable in Court, there is no binding precedent determining the exact standard required by the provision with regard to law enforcement agencies. However, general guidelines released by the Privacy Commissioner would seem to suggest that the negotiation of key contractual terms such as physical security standards, encryption standards, and rights of independent audit should be sufficient to be considered reasonable.82 The guidelines retain that the ultimate responsibility will nevertheless remain with New Zealand Police. In 2010, the New Zealand privacy scheme was amended by the introduction of the Privacy (Cross‐ border Information) Amendment Act. As a result, the new Section 114B gives the Commissioner power to prohibit international transfers of personal information, particularly to countries where the privacy safeguards are lesser than that of New Zealand. This may be a likely possibility with regard to the particularly sensitive nature of law enforcement data. However no blanket legislative prohibition on international data transfers currently exists. Moreover, any disclosure of data by the provider to a foreign government will not breach the Act if that disclosure was required under foreign laws.83 84 New Zealand Police may also be subject to a general common law tort of privacy. In its early stages of development, it is somewhat unclear what the elements of this tort will be, and how those elements might apply in the case of a law enforcement agency. The New Zealand Court of Appeal has suggested that there are two elements which must be met: • That facts exist which would reasonably be expected to be private; and
82 Office of the Privacy Commissioner, New Zealand
85 Rogers v Television New Zealand [2007] 1 NZSC 91 Page 27 of 40 Section 5
Observations Whilst cloud computing is far from maturity, it seems that the technology may well be viable for use within policing agencies. Although concerns regarding unauthorised access to the cloud are legitimate, the risks can be largely mitigated by instilling a solid framework of procedural management, and ensuring that contractual agreements with cloud providers provide sufficient assurance on privacy and security matters.
5.1 Observation 1 THAT RESEARCH SHOULD BE CONDUCTED ON THE CURRENT OR PLANNED USE OF CLOUD TECHNOLOGY ACROSS DIFFERENT AGENCIES. Following a series of consultations, it is acknowledged that there is a distinct lack of communication between agencies of different jurisdictions with regard to what is a shared issue of cloud migration. This report observes that the Australia New Zealand Policing Advisory Agency should engage in further research to better understand the current positions and perceptions of senior information officers from various jurisdictions. To this effect, this report proposes a drafted survey questionnaire addressing the major issues. The draft can be found in Appendix B of this report.
5.2 Observation 2 THAT AGENCIES SHOULD UNDERTAKE A FORMAL RISK ASSESSMENT TO ASCERTAIN CLOUD SUITABILITY. In light of the research conducted, this report also acknowledges the lack of comprehensive and transparent information available even to senior decision makers within policing agencies. It observes that all agencies should engage in a thorough and informed formal Risk Assessment to determine the suitability of cloud computing within the bounds of their individual circumstances and the legislative restrictions applicable within their jurisdiction.
5.3 Observation 3 THAT AGENCIES SHOULD CONSIDER CHANGES IN THEIR INFORMATION TECHNOLOGY BUDGETING AND MANAGEMENT STRATEGIES TO SUPPORT CLOUD MIGRATION. This report further observes that policing agencies should consider shifts in structure and in strategy to allow for and support migration to the cloud. This observation comes following a series of independent inquiries86 which have highlighted the lack of larger scale information technology blueprints as an impediment to a sincere assessment of adopting cloud technology.
86 Commissioner for Law Enforcement Data Security, Annual Report 2011 – 2012 (Melbourne, 2012); Victoria, State Services Authority, Inquiry into the Command Management and Functions of the Senior Structure of Victoria Police (2012) Page 28 of 40
5.4 Observation 4 THAT AGENCIES SHOULD CONSIDER DRAFTING CONTRACTUAL TERMS ALIGNING TO DATA SECURITY REGULATIONS IN THEIR JURISDICTION. Finally, this report observes that agencies should investigate the possibility of meeting privacy obligations through the negotiation of contractual terms. This must be tempered with the relative increase in cost to the agency in meeting such requirements. Indeed, policing agencies are accountable for the protection of sensitive information, and will continue to be accountable when the management of that information lies with a private provider. Contractually binding the provider to stringent privacy regulations is likely to provide assurance which reaches beyond the standard of reasonableness required under legislation. The Australian Defence Signals Directorate Guidelines support this possibility, stipulating that an imperative factor in risk management is to ensure that important security considerations are captured in contractual terms with the provider.87 Experts contend that smaller companies are readily able to meet the requirements of policing agencies, while major providers are generally more inflexible, but nevertheless do offer solutions oriented to the public sector.88 It is considered that the increased costs related to more stringent contractual arrangements should be offset by the financial advantages gained in the overall cloud solution, and in the effects of seamless information management on the efficiency of policing operations.89 The findings of this report suggest a number of specific contractual terms which should be considered: • The encryption of data should be adequate to prevent unauthorised access both in transit and at rest. • The ownership and control of data should reside with the policing agency. • The cloud provider, and all data centres which hold policing information, should be based within Australia or New Zealand. • The cloud provider should be required to notify the policing agency of any and all security breaches. • The cloud provider should conduct appropriate security checks on its employees. • The cloud provider should have in place adequate measures to ensure the physical security of its data centres. • The cloud provider should be able to assure certain standards of performance and reliability as to meet the needs of particular applications. • The cloud provider should be liable to the same extent as the policing agency under legislative frameworks. • The policing agency should retain the right to conduct regular audits to ensure compliance with legislative frameworks. Law enforcement agencies should note that various government bodies within Australia and New Zealand, as well as a number of international collaborative policing organisations, have drafted a series of sample contractual terms and conditions.90 These may serve as a strong point of guidance. Agencies should also note the expected release of a paper series entitled ‘Model Policies for Cloud Computing by Law Enforcement Agencies’ which is due to be released in October 2013 by the International Association of Chiefs of Police.91
87 Australia, Defence Signals Directorate, op cit 88 Wormeli P, op cit 89 Falkenrath RA, ‘Police Data in the Cloud,’ Council on Foreign Relations, 30 November 2011
Articles ‘Australia Lags in Online Security Awareness,’ CSO Online, 21 December 2012
Page 30 of 40 Rout M, ‘Victoria Police Fail to Meet Security Standards,’ The Australian, 17 September 2010
Books Doyle C and Bagaric M, Privacy Law in Australia (The Federation Press, Sydney, 2005) Jackson M, Hughes on Data Protection in Australia (Lawbook Co, Sydney, 2001)
Case Law Hosking v Runting [2005] 1 NZLR 1 Lenah Game Meats Pty Ltd v Australian Broadcasting Corporation [1999] TASSC 114 Rogers v Television New Zealand [2007] 1 NZSC 91
Legislation and Regulations Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (ACT) Australian Information Commissioner Act 2010 (Cth) Charter of Human Rights and Responsibilities 2004 (Vic) Commissioner for Law Enforcement Data Security Act 2005 (Vic) Crimes Act 1914 (Cth) Crimes Act 1958 (Vic) Crimes (Forensic Procedures) Act 2000 (ACT) Crimes (Forensic Procedures) Act 2000 (NSW) Criminal Investigation (Identifying People) Act 2002 (WA) Criminal Law (Forensic Procedures) Act 2007 (SA) Page 31 of 40 Evidence Act 1995 (Cth) Forensic Procedures Act 2000 (Tas) Freedom of Information Act 1982 (Cth) Human Rights Act 2004 (ACT) Information Act 2002 (NT) Information Privacy Act 2000 (Vic) Information Privacy Act 2009 (Qld) Information Privacy Bill 2007 (WA) Information Privacy Principles Instruction 1989 (SA) Information Security Management Framework 2012 (SA) Personal Information Protection Act 2004 (Tas) Police Administration Act (NT) Police Powers and Responsibilities Act 2000 (Qld) Privacy Act 1988 (Cth) Privacy Act 1993 (NZ) Privacy and Personal Information Protection Act 1998 (NSW) Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) Privacy (Cross‐border Information) Amendment Act 2010 (NZ) Standards for Victoria Police Law Enforcement Data Security, Commissioner for Law Enforcement Data Security, 2007 (Vic) Victoria Police Information Privacy Statement (Vic) Western Australia Police Privacy Policy (WA)
Reports Australia, Defence Signals Directorate, Department of Defence, Cloud Computing Security Conditions (2012) Australia, Defence Signals Directorate, Department of Defence, Information Security Manual (2012) Australia, Department of Finance and Deregulation, Cloud Computing Strategic Direction Paper: Opportunities and Applicability for Use by the Australian Government (2011) Australia, Information Management Office, Privacy and Cloud Computing for Australian Government Agencies (2013) Australia, Information Technology Industry Innovation Council, Department of Innovation Industry Science and Research, Cloud Computing: Opportunities and Challenges (2011) Australia New Zealand Policing Advisory Agency, Issues in Policing (2011) Australia New Zealand Policing Advisory Agency, Issues in Policing (2012) Australia, Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001) Australia, Standing Council on Police and Emergency Management, Directions in Australia New Zealand Policing 2012 ‐ 2015 (2012) Avanade Research and Insights, Global Survey: Has Cloud Computing Matured? (2011)
Page 32 of 40 Capgemini Consulting, The Long Arm of the Law (2009) Capgemini Consulting, Transform Police (t‐Police) Solution (2012) Choo KR, for Australia, Australian Institute of Criminology, Cloud Computing: Challenges and Future Directions (2010) Commissioner for Law Enforcement Data Security, Annual Report 2011 – 2012 (Melbourne, 2012) Cornick K and Gathercole B, for Victoria, Australian Broadband Applications Laboratory, University of Melbourne, Broadband Communications Options for Public Safety Agencies (2012) Hooper C, for Australia New Zealand Policing Advisory Agency, Cloud Computing and its Implications for Criminal Investigations in Australia and New Zealand (2012) International Association of Chiefs of Police, Guiding Principles on Cloud Computing in Law Enforcement (2013) International Association of Chiefs of Police, Leveraging the Cloud for Law Enforcement: Survey Results (2013) Lightowlers J, for Integrity Legal’s Perth Legal Counsel Conference, Information Privacy and Freedom of Information Legislation in Western Australia (2008) Mell P and Grance T, for United States, National Institute of Standards and Technology, Department of Commerce, The NIST Definition of Cloud Computing (2011) Microsoft, Office 365 Security White Paper (2013) Oracle, Beyond Search in Policing White Paper (2013) South Australia, Model Terms and Conditions: IPPs and Record Management (2010) South Australia, State Records of South Australia, Contracting and the Information Privacy Principles (2010) United States, Criminal Justice Information Services, Federal Bureau of Investigation, Department of Justice, CJIS Security Policy 5.1 (2012) Victoria, Government, Government Response to the Inquiry into the Command Management and Functions of the Senior Structure of Victoria Police (2012) Victoria, Office of the Victorian Privacy Commissioner, Information Sheet: Cloud Computing (2011) Victoria, Office of the Victorian Privacy Commissioner, Outsourcing and Privacy: A Guide to Compliance under the Information Privacy Act (2011) Victoria, State Services Authority, Inquiry into the Command Management and Functions of the Senior Structure of Victoria Police (2012) Victoria, Victorian Government Solicitor’s Office, Head in the Cloud Feet Firmly Planted (2011) Victoria, Victoria Police, The Gazette: Number 06 (2013) Wallis Consulting Group, for Australia, Office of the Privacy Commissioner, Community Attitudes to Privacy (2007) Wormeli P, for United States, IBM Center for the Business of Government, Mitigating Risks in the Application of Cloud Computing in Law Enforcement (2012)
Websites Australian Capital Territory Policing
Page 33 of 40 ‘AWS Security and Compliance Center,’ Amazon Web Services
Page 34 of 40 Appendix B: Proposed Survey Questionnaire
This project aims to assess the viability of using cloud computing technology in order to serve police data storage and management needs. In particular, it will look at the practical concerns and legal risks which may arise in order to better inform policy and decision makers across Australia and New Zealand police jurisdictions. The scope of the project includes police use of the cloud for both data storage as well as operating systems and applications for investigative and processing purposes. The project will canvas three distinct aspects of the mandate: risks involved in the use of cloud computing; legal issues which arise as a result of opting to take those risks; mitigation of those risks and legal issues The results of this survey will be submitted for the information of the ANZPAA Board. 1. Please state which agency you represent, and your position within that agency. 2. Is your agency using any form of cloud computing technology? • Yes • No • We are considering / planning to use it in the next 2 years
If answered YES to Question 2 3. Please state which year your agency first migrated to the cloud.
4. How would you best describe your current cloud deployment model? • Public cloud • Private cloud • Community cloud • Hybrid cloud • Unsure of which deployment model has been chosen 5. Please state the name(s) of your cloud provider(s).
6. Is your cloud provider meeting your requirements regarding server reliability and performance standards? • Yes • No • Unsure
7. Please provide more detail on how your cloud provider is meeting these requirements.
8. Which cloud applications are you ALREADY using? • Backup and disaster recovery • Data storage and archives • Cloud email • Crime analysis and mapping tools • Document collaboration • Crime reporting
Page 35 of 40 • National databases • Warrants and corrections • CAD (Computer‐Aided Dispatch) • RMS (Records Management Systems) • Other (please specify): ______
9. Which cloud applications do you EXPECT to use in the next 2 years, which you are NOT CURRENTLY using? • Backup and disaster recovery • Data storage and archives • Cloud email • Crime analysis and mapping tools • Document collaboration • Crime reporting • National databases • Warrants and corrections • CAD (Computer‐Aided Dispatch) • RMS (Records Management Systems) • Other (please specify): ______
10. We are interested in what influenced your decision to seek a cloud solution. Please rank the following ADVANTAGES, with ‘1’ being the most important and ‘7’ being the least important. • Cost savings over conventional systems • Greater security available with cloud solutions • Better service (ie higher up‐time) available with cloud solutions • Ability to comply with regulatory standards • Scalability of resources available with cloud solutions (ie possibility of accessing limitless computer capacity, especially in times of emergency) • Need to remove obstacles to the implementation of newly available technologies • Need to improve quality of existing IT support systems
11. Which other ADVANTAGES, if any, factored in your decision to seek a cloud solution? If answered NO to Question 2 12. We are interested in what influenced your decision to not seek a cloud solution until now. Please rank the following CONCERNS, with ‘1’ being the most important and ‘7’ being the least important. • Shortage of skills in the agency to manage IT implementations • Dissatisfaction with vendor offerings or pricing • Unauthorised access to sensitive information • Reliability and performance relating to remote access servers • Cost of migration to the cloud • Difficulties in complying with regulatory standards • Potential damage or irrecoverable destruction of data
13. Which other CONCERNS, if any, factored in your decision to NOT seek a cloud solution? If planning to use the cloud in the next 2 years
Page 36 of 40 14. How would you best describe your current cloud deployment model? • Public cloud • Private cloud • Community cloud • Hybrid cloud • Unsure of which deployment model has been chosen
15. Which cloud applications do you EXPECT to use in the next 2 years, which you are NOT CURRENTLY using? • Backup and disaster recovery • Data storage and archives • Cloud email • Crime analysis and mapping tools • Document collaboration • Crime reporting • National databases • Warrants and corrections • CAD (Computer‐Aided Dispatch) • RMS (Records Management Systems) • Other (please specify): ______
16. We are interested in what may influence your decision to seek a cloud solution in the next two years. Please rank the following ADVANTAGES, with ‘1’ being the most important and ‘7’ being the least important. • Cost savings over conventional systems • Greater security available with cloud solutions • Better service (ie higher up‐time) available with cloud solutions • Ability to comply with regulatory standards • Scalability of resources available with cloud solutions (ie possibility of accessing limitless computer capacity, especially in times of emergency) • Need to remove obstacles to the implementation of newly available technologies • Need to improve quality of existing IT support systems
17. Which other ADVANTAGES, if any, may factor in your decision to seek a cloud solution in the next two years?
18. We are interested in what may influence your decision to not seek a cloud solution in the next two years. Please rank the following CONCERNS, with ‘1’ being the most important and ‘7’ being the least important. • Shortage of skills in the agency to manage IT implementations • Dissatisfaction with vendor offerings or pricing • Unauthorised access to sensitive information • Reliability and performance relating to remote access servers • Cost of migration to the cloud • Difficulties in complying with regulatory standards • Potential damage or irrecoverable destruction of data
Page 37 of 40 19. Which other CONCERNS, if any, factored in your decision to NOT seek a cloud solution?
Final section to be answered by ALL respondents 20. What would you classify as the 3 biggest areas of IT‐related demand in your agency?
21. How have these demands increased or decreased over the past 10 years?
22. In your agency, which applications do you believe are BEST SUITED for the cloud? • Backup and disaster recovery • Data storage and archives • Cloud email • Crime analysis and mapping tools • Document collaboration • Crime reporting • National databases • Warrants and corrections • CAD (Computer‐Aided Dispatch) • RMS (Records Management Systems) • Other (please specify): ______
23. What do you consider to be the greatest cloud security risk? • Unauthorised access by a third party • Unauthorised access by the cloud provider’s customers • Unauthorised access by employees of the cloud vendor • Unauthorised access by your agency’s own employees • Other (please specify): ______
24. How important do you consider it is for cloud provider employees to pass background checks? • Very important • Important • Somewhat important • Neutral • Not at all important
25. Who should share cloud infrastructure with your agency? • Share with no one • Share with other law enforcement agencies in your country • Share with other government departments in your state or territory • Share with other government departments in your country • Share with anyone, but only as long as the infrastructure is located in your country • Share with anyone
26. Who should control cloud encryption keys? • Agency only
Page 38 of 40 • Agency and cloud provider • Cloud provider • Unsure
27. How secure would you consider data on the public cloud, if it is triple‐encrypted both at rest and in transit? • Highly secure • Secure • Somewhat secure • Neutral • Not at all secure
28. Does your agency outsource management of other sensitive data or mission‐critical operations to a private company (eg radio communications)? • Yes • No • Unsure
29. Does your current software provider of Legacy Systems, CAD (Computer‐Aided Dispatch) and RMS (Records Management Systems) applications offer a cloud option? • Yes • No • Unsure
30. If not, would you consider moving to a different software provider who would incorporate a cloud option? • Yes • No • Unsure • Not Applicable
31. How does your agency’s current environmental context and specific circumstances shape the decision regarding whether or not to use cloud technology?
32. As per your OWN understanding, would any state laws or other MANDATORY regulations impede the use of the cloud by policing agencies? • Yes • No • Unsure
33. As per your OWN understanding, which specific state laws and mandatory regulations should be considered by policing agencies before migration to the cloud?
34. Within your agency, which internal standards, if any, would apply in migrating to the cloud?
Page 39 of 40 35. Is there anything else which you believe may be influential to the outcome of this project? Please provide details. Thank you for taking the time to answer our survey. If you have any questions regarding this survey please contact [email protected]
Page 40 of 40