New privacy laws mean accountants should review cloud computing
The collection of personal and other data from clients is a core component of any accountant’s business. Effective management of collected data is key to producing on-time, on-budget results.
Data storage providers offer cloud computing accounting and data management services that provide a hosted environment where business data can be accessed by all relevant staff in a business, from any location.
Cloud-based accounting systems can increase efficiency by allowing uploads or ‘live feeds’ of bank account and other business data into the accounting stream. Since maintenance and support of the cloud-based service is handled by the service provider, businesses can have greater confidence that the software programs holding their data will be available 24/7, 365 days of the year.
There are a few important legal considerations to bear in mind when evaluating whether using cloud-based service providers is appropriate for your accounting practice.
First and foremost are the terms of service offered by the cloud-based provider. A careful review of the terms of service and pricing tariffs for those services is mandatory. Equally important is whether the service provider offers a service that complies with your clients' requirements regarding effective security measures, as well as with all legal requirements, including those imposed by privacy laws.
Compliance with new legislation
The new privacy laws (Enhancing Privacy Protection Act 2012) amend the Privacy Act 1988 and, among other changes, introduce Australian Privacy Principles (APPs), which replace the previous National Privacy Principles and Information Privacy Principles. These changes commenced on 12 March 2014.
Like the prior legislation, the new APPs impose requirements for the collection and management of personal information in Australia. In addition to revisions to consents required to collect and transfer personal data, new obligations are imposed when businesses expect to transfer personal data outside Australia.
If your business uses cloud computing services, you should review and confirm that your privacy and data security policies comply with the new legislation, as nearly all cloud computing services will use assets outside Australia to provide all or part of their services.
Your agreements with your clients may require you to either maintain data only in Australia or nominate countries where data may be held. These requirements may be impossible to meet due to the nature of some online services.
Security and data control requirements
Your business should ensure – and your clients will expect – that you will hold all client information in a safe and secure environment. There is a real and significant danger of hacking and other malicious and unauthorised access to your data, so careful attention must be paid to the security offered by the cloud service provider.
Businesses are well advised to adopt rapid response procedures in the event of actual or suspected unauthorised access to their customer data. Where third parties such as cloud providers hold data, your agreement with those providers should clearly define steps to be taken to address any privacy breaches.