The Digital Transformation Agency established a new Hosting Certification Framework in April 2021 which, reflecting Commonwealth Government concerns as to data sovereignty, will be rolled out over the next year to providers of hosting and related data centre services to Commonwealth agencies.
Government concerns regarding data sovereignty
In July 2020, the then Minister for Government Services, Stuart Robert, in an address at the National Press Club, announced that the Commonwealth Government was undertaking a review of the sovereignty requirements applicable to Government data sets. In particular, he stated that the Government was looking at the question of whether certain, more sensitive, Government data sets should be hosted on data servers located within Australia.
By data sovereignty, the Minister was referring not only to the location of data holdings, but also the entities that have control over that data and what laws that data is subject to. In part, this review was intended to assist in ensuring a higher degree of public support from Australians for the increased digitisation of Government services and also the increased use of Commonwealth Government data through initiatives such as the Data Availability and Transparency Bill, which is currently before the Parliament. Of course, it was also responding to more general concerns of the Government, including increased risks of cyber incidents and national security concerns.
The introduction of the Hosting Certification Framework
Intent of the Framework
The Government’s concerns about data sovereignty are now addressed in its Digital Transformation Strategy, which incorporates a Hosting Certification Framework (Framework).1 That Framework was released by the Digital Transformation Agency (DTA) in March 2021 and was developed following extensive consultation.
The stated intent of the new Framework is to support the secure management of Commonwealth Government systems and data by focussing on security provisions for hosting providers, to both protect privacy and to improve the resilience of data infrastructure.
The services the Framework applies to
The Framework applies to hosting services, being space in data centre facilities (including the supply of infrastructure) and, where applicable, the supply of telecommunications infrastructure, such as to connect different data centres.
The Framework applies to both “direct” and “indirect” providers of hosting and related data centre services to Commonwealth agencies, which means the reach of the Framework is quite broad. The direct providers are those on the DTA administered Data Centre Facilities Supplies Panel (Panel 2). There are currently 15 suppliers on that panel. The indirect providers are suppliers that host data and systems through an agreement with another party, where that other party has the direct contractual arrangement with a Commonwealth agency, for example, a cloud service provider. In the case of indirect providers, the provider of services to agencies (such as a cloud service provider) may be certified for all or only some data facility services that service provider uses.
Levels of Certification
The Framework provides for two levels of certification. These are:
Initial certification will be supported by ongoing requirements, such as ongoing information provision.
In the Framework sovereignty is broadly defined as referring to the ability of the Government to specify and maintain “stringent ownership and control conditions”. It is not intended to exclude all forms of foreign investment and ownership – meaning Australian ownership or control is not a requirement to achieve even the highest certification level of Certified Strategic Hosting Provider.
The certification process will be rolled out in two phases. Under the first phase, all of the providers on the Data Centre Facilities Supplies Panel (Panel 2) will be certified first, with that certification likely to be completed this calendar year. The second phase allows for certification of indirect providers, with that second certification process likely to commence in January 2022.
Use of the Framework by agencies
The Framework is intended to be used in connection with other policies and frameworks applicable to Commonwealth agencies. For example, agencies use the Protective Security Policy Framework to assess the security classification of information. Agencies will be able to use that security classification to determine which of the two certification levels under the Framework is required for hosting their data.
Data sovereignty concerns likely to increase
The Framework is due to be reviewed over November and December 2021. It is unlikely that the review would recommend abandonment of the Framework; it is more likely to recommend fine-tuning, reflecting the experience gained from undertaking the certification process for the Data Centre Facilities Supplies Panel (Panel 2) providers.
Although data sovereignty is a particular issue that impacts the technology providers to Government, it is also of increasing concern to Australian businesses. When businesses acquire data centre and cloud services, they increasingly look for a level of assurance that their data is held here in Australia and is not accessible outside Australia or potentially subject to the laws of other jurisdictions. In this regard, the Framework provides important guidance that may be used not only by the Commonwealth Government but also by the private sector in future.
Author: Angela Flannery
1 The Framework is available here.
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.