Data Sovereignty and Data Centres

April 14 2021, by James Rabey | Category: Government

Australians have made it clear that they expect their governments to keep their personal information onshore. Uptake of both the COVIDSafe and My Health Record apps was lower than hoped due to public concern around the risk of their data being accessed offshore.

The recent massive data breach of over 500 million Facebook user details has left impacted Australians with no chance of legal or financial redress. If a similar breach were to happen with government data managed overseas, would any impacted Government agency stand a better chance?

Data residency is not the same as data sovereignty.

Where data resides physically does not automatically determine who legally controls it. For government agencies, this includes being able to restrict access to sensitive data to only vetted personnel who are subject to Australia’s laws and regulations.

This can be difficult for most public cloud providers which, as multinational corporations, leverage their global teams to manage their Australian customers either through “follow-the-sun” support or technical escalation.

Even with the best intentions, having foreign eyes on Australian data results in an increased risk of that data becoming subject to foreign laws. This could include a multinational cloud provider being compelled by their domestic government to provide access to customer data.

The Federal Government has recognized the importance of agencies being able to manage risks concerning data centre ownership in the recently published Hosting Certification Framework. We support this initiative and see it as a logical extension of the Security of Critical Infrastructure Act 2018, effectively including data centres along with the utilities and ports that make up Australia’s critical infrastructure.

Building a sovereign capability.

Macquarie’s 43MW Sydney Data Centre Campus in Macquarie Park and our recently expanded Canberra Data Centre Campus play a central role in our sovereign cybersecurity capability.

Macquarie Government recognizes that for a data centre to be truly sovereign, where it is managed is just as important as where it is located. That means our data centres are managed and operated 100% within Australia’s physical and judicial borders. Out of hours support is not handed over to another geography in a “Follow-the-Sun” model but remains entirely within Australia, always undertaken by our NV1 cleared staff.

Those staff form a critical component of building a sovereign cybersecurity capability. Macquarie Government’s Security Operations Centre (SOC) is staffed with engineers drawn from our graduate program.

In parallel, we are helping build Australia’s cybersecurity supply through partnerships with other Australian companies. For examples, when building our IC5 Canberra Data Centre, we partnered with Secure Racks Australia.

Our status as an ASX listed public company means our domestic ownership status is transparent. This, combined with our 100% Australian based data centres and employees, makes Macquarie Government one of the most, if not the most, sovereign data centre operator in Australia.