Privacy and Data Protection Policy

The Australian Privacy Act 1988 (Cth) applies to CloudRecover services from 12 March 2014 when a number of changes took effect.
From 12 March 2014, the main requirements in the Privacy Act for handling personal information are set out in the Australian Privacy Principles (APPs). The APPs, impose requirements for collecting, managing, dealing with, using, disclosing and otherwise handling personal information. The APPs can be found at:

https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool

Unlike other privacy regimes, the APPs do not distinguish between a “data controller” who has control over personal information and the purposes for which it can be used, and a “data processor” that processes information at the direction of and on behalf of a “data controller.” The APPs do however apply in different ways to different types of entities. For example, the way the APP requirements apply to each organisation depends on the role they play in relation to the relevant personal information. Obligations vary depending on whether they “collect”, “use”, “transfer” or “disclose”, personal information. CloudRecover appreciates that its services are used in many different contexts for different business purposes,

The APPs do however apply in different ways to different types of entities. For example, the way the APP requirements apply to each organisation depends on the role they play in relation to the relevant personal information. Obligations vary depending on whether they “collect”, “use”, “transfer” or “disclose”, personal information. CloudRecover appreciates that its services are used in many different contexts for different business purposes and that there may be multiple parties involved in the data lifecycle of personal information included in customer content stored or processed using CloudRecover Services. For simplicity, the guidance included in the table below assumes that, in the context of the customer content stored on the CloudRecover services, the customer:

  • Collects personal information from its end users, and determines the purpose for which the customer
    requires and will use the information
  •  Has the capacity to control who can access, update and use the personal information collected, and
  • Manages the relationship with the individual about whom the personal information relates, including by communicating with the individual as required to comply with any relevant disclosure and consent requirements.

Customers may in fact work with or rely on third parties to discharge these responsibilities, but the customer, rather than CloudRecover, would manage its relationships with those third parties. We summarise in the table below some APP requirements particularly important for a customer to consider if using CloudRecover to store personal information. We also discuss aspect of the CloudRecover Services relevant to these APPs.

Privacy Breaches
Given that customers maintain management and control of their data when using CloudRecover, customers retain
the responsibility to monitor their own environment for privacy breaches and to notify affected individuals as required under applicable law. A customer’s CloudRecover access password can be used as an example to help explain why the customer rather than CloudRecover is best placed to manage this responsibility.
Customers control access passwords, and determine who is authorised to access their CloudRecover account.
Therefore, the customer is responsible for monitoring use, misuse, distribution or loss of access keys.
It is currently not a mandatory requirement of the Privacy Act to notify individuals of unauthorised access to or disclosure of their personal information. Notification may be appropriate having regard to the Office of the Australian Information Commissioner’s (OAIC) recommendations in data breach notification: a guide to handling personal information security breaches (2014).14 It is for the customer to determine when it is appropriate for them to notify individuals and the notification process they will follow.
https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf

Other considerations
CloudRecover’s policy does not discuss other Australian privacy laws, aside from the Privacy Act, that may also be relevant to customers, including state based laws and industry specific requirements. The relevant privacy and data protection laws and regulations applicable to individual customers will depend on several factors including where a customer conducts business, the industry in which it operates, the type of content they wish to store, where or from whom the content originates, and where the content will be stored. Customers concerned about their Australian privacy regulatory obligations should first ensure they identify and understand the requirements applying to them, and seek appropriate advice.

Closing Remarks
For CloudRecover, security is always our top priority. We deliver services to more than a thousand customers, including enterprises, educational institutions, and government agencies in multiple countries. Our customers include financial services providers and healthcare providers and we are trusted with some of their most sensitive information. CloudRecover services are designed to give customers flexibility over how they configure and deploy their solutions as well as control over their content, including how it is stored and who has access to it. CloudRecover customers can build their own secure applications and store content securely on CloudRecover.