In response to 9/11, the U.S. government passed the Patriot Act, giving its agencies access not only to your personal data but to the data of any organization that meets the conditions set out in the Act. As expected, this has raised a myriad of data privacy concerns, and rightly so. But how do you keep your client data confidential and your customer base happy? The first step is to understand the Patriot Act and how it affects your data and privacy. Here are a few things to consider.
What is the Patriot Act?
Under the Act, the U.S. government can reach both data held within its borders and data held by companies that operate within the U.S., regardless of where that data is physically stored. This means escaping the reach of the Patriot Act isn't easy.
"You have to fence yourself off and make sure that neither you nor your cloud service provider has any operations in the United States, otherwise you're vulnerable to U.S. jurisdiction," explains Alex Lakatos, a partner and cross-border litigation expert at Mayer Brown. Few large IT customers or cloud providers fit that description in today's global business environment.
Is Your Data Really Where You Think It Is?
Just because your organization is in Australia and your service provider also has a data center in Australia does not mean your data is in that Australian data center. Many organizations have been surprised to find out that their data is actually being stored in data centers outside of their country or jurisdiction. Replicas, backups and disaster-recovery copies are a common way this happens: the primary copy stays in-country while a copy made for resilience lands somewhere else.
Conversations about where your data lives, including where it is replicated and backed up, should be made a priority. Be sure to include those details in your contract or Service Level Agreement (SLA). The U.S. isn't the only country with data surveillance laws. The United Kingdom has recently passed the Investigatory Powers Act, giving UK security services permission to use a wide range of surveillance and hacking tools. Knowing the laws of the country your data resides in is paramount to protecting your organization's and your clients' data.
Working with a Cloud Provider
To keep your data out of the reach of the Patriot Act, your organization must maintain all of its operations outside of the U.S. and use a cloud provider that itself operates, and stores your data, outside of the U.S.
If you have data concerns, communicate those concerns clearly and frankly to your service provider. Ask about their data sovereignty policies and find out whether they are subject to U.S. jurisdiction and therefore to the Patriot Act. You may wish to include a specific clause in your SLA that sets out how the provider must respond to government requests for your data, including whether and when it will notify you of such a request where the law allows it to.
In the Bahamas, where Cloud Carib is headquartered, access to data is governed by the Data Protection Act, which provides a statutory framework for the collection, use and disclosure of personal information based largely on the OECD's Privacy Guidelines. Cloud Carib does not fall under the jurisdiction of the Patriot Act, and the Bahamas' data protection laws are strict.