Data location matters

August 30, 2007

Dale Olds, in The physical location of data matters, writes, “…it matters to me in real, tangible ways who runs the servers and where my data is stored ‑‑ and who is liable when there is a failure.”

From an international perspective, while this is of course true, there are bigger issues than just operational issues and liability.

For many non-Americans, the USA Patriot Act is top of mind when they think about the physical location of their data. This law presents two particularly thorny issues regarding their data stored in the US.

First, the bar is set very low. US law enforcement agencies can access the data if they consider it relevant to their investigations. This standard is far easier to meet than the normal test of probable cause.

Second, if data is accessed in this manner, the data holder (the US-based vendor) is not allowed to tell the overseas data owner that their data has been accessed, even if the vendor is contractually bound to do so.

Both of these angles and more are well covered in a report from the Information & Privacy Commissioner of British Columbia, Canada (pdf, 1.29 MB). It was published in October 2004 but still remains relevant.

There is another angle for data location that is top of mind for organisations that outsource IT or back-office functions internationally. That’s privacy and protection of personal information from unauthorised access, especially from insiders of the vendor’s company.

NZ’s Privacy Commissioner recently gave a presentation that includes concerns for personal data held overseas.

It’s no wonder that most organisations prefer to keep their data onshore. Data location does indeed matter.

Entry filed under: Canada, NZ, USA, government, personal_info, privacy, report, strategy.

3 Comments

  • 1. Bernard O'Brien  |  September 12, 2007 at 10:11 am

    I agree. With organisations enthusiastically promoting software as a service, how and where and under what conditions your data is stored and what provisions are made about its use or availability in case of service provider bankruptcy or acquisition becomes very important.
    Some may argue that the sheer size of the user base gives a “safety in numbers” assurance that their data will be safe.
    I would think that an ironclad contract specifying and guaranteeing custodial responsibilities and duties, especially if the provider gets into a “troubled” state in a business sense, binding on subsequent owners in multiple jurisdictions would be more important.

  • 3. sandrar  |  September 11, 2009 at 9:36 am

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.


These are my personal views. See the About page for more info.
