Data Jurisdiction

Checklist: Data Jurisdiction in Five Ticks

Perform risk assessment of your data

Depending on the types of data you store, your risk – and the solution – may differ. Understanding which of your data is high or low risk allows you to make more informed decisions.

  • High risk data includes personal data: staff records, customer information, email addresses and contact details
  • Financial records may be considered high risk either from a business point of view or by the relevant industry regulator
  • Business records, archives etc. can be high, medium or low risk depending on the content and IP risks, and need to be assessed with appropriate legal advice
  • Low risk data may include website code and non-confidential information

Identify where your data is currently hosted

This isn't always as easy as it sounds. If you store data with a large offshore provider that has many data centres, there is no guarantee your data will be in the closest location unless you specified a location when setting up the service.

  • Australia / Australian provider
  • Australia / Offshore provider
  • USA
  • Singapore / Hong Kong / China / Japan (AWS, Rackspace and others currently use data centres in these countries to service Australasia)
  • Europe (also identify which country or countries in Europe, as this can be an additional factor. For example, Germany has some of the most onerous data privacy laws in the world)

Identify all jurisdictions that apply

These jurisdictions include, but are not necessarily limited to:

  • The country in which your business is headquartered
  • The country in which your hosting/cloud provider is headquartered
  • The country in which the data centre resides

Ensure compliance with industry regulators

For example:

  • The finance industry is required to comply with ACMA
  • The Australian Government requires additional layers of compliance for all Government agencies and
  • Certain regulators have different requirements for how data is managed. For example: APRA insists on being able to physically inspect the data centres of its members – difficult (if not impossible) when it's in Singapore

Investigate any increased tax risk

Your business may be in Australia but, for example, if you host transactional data in the US you may still be required to comply with US tax law. While mere storage of data is not typically considered the 'conduct of business' within the US for tax purposes, if you are storing data on behalf of others or allowing third parties access to the data, it may be defined as such. It is therefore advisable to seek professional tax advice before hosting data offshore.