"
I Still Call Australia Home" Peter Allen sings of an Australian expatriates' longing for being home; is this the growing situation for Australian Trustees' SMSF data.?
There has been a recent increase in off-shoring SMSF back office administration processes, to India[10] and Malaysia service providers[11]; primarily to reduce the Australian labour arbitrage rates, in the face of poor fund returns. In the current market, cost is probably the only element that one can reliably control.
This debate has been quietly raging in Australia's boardrooms since the early days of off-shoring. Many of the government and large corporate organisations constantly ask what protections are in place for Australian data when it is stored in servers outside our jurisdiction. But is this the case for the "cottage" SMSF administrators, or accounting practices within Australia, who typically do not have the same corporate or data security policies in place.The question? are the Australian superannuation, accounting firms or SMSF administration service providers, who are using these off-shoring services, advising the Trustees and their Advisers of the change, and the affect it may have on their data security and personal privacy. In many cases, it appears that neither the Trustee or his Adviser is told or even consulted, regarding the change to off shoring processing. The changes are just happening in the "back office". As a result the Trustee and AFSL licensed Adviser (if the adviser recommended a specific SMSF administration service, the basis for such advice may have changed?) has no opportunity, to assess if they wish to be part of any offshore processing.
This article looks at some of the issues involved in outsourcing services to an off shore, data entry, accounting or Cloud service providers, which is located outside the Australian jurisdiction.
Is data sovereignty so important, that SMSF trustees need to ensure that only domestic providers are used?
A recent Microsoft Cloud Adoption Study among small to medium businesses found a strong desire for local services among clients in Australia. Eighty-two per cent of respondents said it was critical or important to source cloud services from a provider with a local presence. Others, however, have been happy to embrace offshore cloud services for some of their data – usually data that does not include customer, or privacy information.
A growing number of traditionally conservative bodies are addressing data off-shoring within broader guidelines for cloud adoption. The financial-services industry overseer, the Australian Prudential Regulatory Authority is authoring a data-management guide that urges the sector to implement strict data-management regimes that enable tight control over which data ends up in the cloud, wherever it sits.
The argument isn't entirely governance-related, however. Many CEO's of SMSF administrators, sleep better knowing clients data is in the same city or country as they are.
Currently the Privacy Act 1988 (Cth) (‘the Act’) provides the core protections for private data transferred outside Australia through its extra-territorial application and National Privacy Principle number 9 (NPP 9). NPP 9, which was introduced in 2000 outlines the current requirements that must be satisfied before an organisation may transfer data to a ‘foreign country’. The aim is continued protection of data after it leaves Australian shores, and the principle was modelled on arts 25 and 26 of the European Union Data Protection Directive[7] (‘EU Directive’). Transfers to foreign countries must either occur with the consent of the individual whom the data concerns, be necessary for the fulfilment of a contract, occur for the benefit of an individual whose consent cannot be obtained or where the recipient of the information is ‘subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles’.
"The Australian Government Information Management Office (AGIMO) therefore advises that ‘transitioning citizen (personal) information to the public cloud is not expected to be a viable option within the next several years’; and the data centre strategy envisages that Australian data centres will be utilised rather than overseas providers."
Similarly, the Australian Department of Defence issued the following guidance on cloud services in 2011:"DSD strongly encourages agencies to choose either a locally owned or foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian border. A risk assessment should consider whether the agency is willing to trust their reputation, business continuity, and data to a vendor that may transmit, store and process the agency’s data offshore in a foreign country"
The Australian Prudential Regulatory Authority (APRA) noted in a November 2010 guidance letter to trustees of APRA regulated super funds that, although uptake of cloud services is increasing in the financial services industry, ‘regulated institutions do not always recognise the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or off shoring elements in them. APRA therefore requires regulated funds to engage in a detailed risk assessment for ‘any off shoring agreement, either directly or via a service provider, involving a material business activity’. Typical considerations include the location of the services and the service agreements with the provider.The guidance is aimed at ensuring that trustees attain ‘a detailed understanding of the extent and nature of the business processes … the technology architecture and the sensitive information … impacted by the outsourcing arrangement’
Should SMSF trustees, have less concerns than an APRA regulated super fund?
In January of 2011 Macquarie Telecom commissioned a pair of white papers from law firm Freshfields Bruckhaus Deringer discussing the cloud and cross-border risks, using the examples of Singapore and the United States. The whitepapers note that cross-border data flows have the effect of ‘seriously reducing’ the ability of companies ‘to ensure continuing regulatory compliance with Australian law and to manage the associated non-compliance risks.’ They also note the growing government and industry concern over the privacy of data that is offshored. The essential conclusion of the papers is the need for caution when sending data overseas, recommending that particularly close attention be paid to regulatory and compliance perspective. The importance of this increases the more sensitive and/or business critical the data is.
SMSF data and documents often contain SMSF fund and member tax file numbers(TFNs), these need to be protected in a similar manner as credit card numbers, the question if industry PCI standards should apply to the protection of TFN's, is a separate discussion. It is quite common for offshore providers to request Trustees to "email" documents which may contain TFN's across the unprotected Internet, to an offshore email address.
"You tax file number can be the key to protecting your identity and therefore your personal finances against theft and fraudulent behaviour, so guard it with your life."
"Unlike PINs and bank account numbers, people usually have the same tax file number their entire lives"
"If your identity is stolen it can take years to put everything right," the ATO spokeswoman says."[7]
The Tax Practitioners Boards chairman, Dale Boucher, expanded on the Board's concerns in a speech on 3 March 2011."The practice of offshoring raises the potential of conflicts with the requirement in subsection 30-10(6) of the TASA [Tax Agent Services Act], in that, you must not disclose any information relating to your client's affairs to a third party without their permission or unless you have a legal duty to do so...
If any component of your client's tax work is completed overseas, the Board suggests that agents be very clear in explaining this to your client. In particular to avoid any likelihood of your practices being seen as misleading, we suggest that you must not imply or state that all your work is completed in Australia, if that is not the case."[9]
I suggest Trustees, ask their SMSF service provider, the following questions:
The first question: Always ask, your Accountant or SMSF administrator, if they offshore any activities relating to your SMSF.
If they do, seek details of the provider, at a minim they should be able to supply you, or certify that they hold, the last SAS 70[8] audit report for the off shore service provider. If your SMSF is handled via an Australian Accountant they will have already obtained a SAS70 report as part of their due diligence. Financial Advisers should also seek the availability of a SAS70 report as part of their due diligence on any SMSF service provider, recommended under their AFSL licence, if any off shore activities are provided as part of the SMSF administration service.
The second question: Is any of the SMSF data being accessed by any third party service provider outside of Australian jurisdiction.
Important: if an entity (i.e an employee of an offshore provider), views data stored within Australia, via any method, then technically the data has left the jurisdictional control of Australia. We have seen several instances where off-shoring providers are stating (incorrectly) that the data is stored on Australian servers and hence is not out side of Australian Jurisdictional control. See AAP8 where
the ordinary meaning of disclosure is to allow information to be "seen" rather than the implication of ‘transfer’ of a cross-border movement of information.
This means that a disclosure will occur when an overseas recipient accesses information, whether or not the personal information that is accessed is stored in Australia or elsewhere.
The third question: Does the SMSF administrator provide a secure document upload service; the provider shall never request that you send documents, which may contain privacy and identity information, via standard unprotected email, especially to a email address, or server hosted outside of Australian jurisdiction.
The forth question: Does the SMSF service provider clearly state that all SMSF data within the service is owned, and controlled by the SMSF, and that all "trans-border" data flow issues are clearly identified within the service contract. This contract should also clearly identify the SMSF rights to transfer their SMSF data from the service and data retention for 5, 7 and 10 years after creation. A minimum requirement is to allow SMSF trustees to archive their data in the OECD defined SAF-T formats to meet these data retention and any future audit requirements.
As the pioneer of on-line, wholesale SMSF solutions, the above issues require careful service design, and extensive operational deployment experience before reaching the right combination of service features security mechanisms.
Today, VillageMall makes use of Cloud infrastructural, specifically data storage, for the purpose of providing geographic disaster recovery functions (this is very low cost, effective and there are few alternatives within a single geographic location like Australia), we typically store documents which are required to be retained under the seven year data retention rules. But... we 100% encrypt all such data.
All SMSF personal, TFN's and transitional and reporting data is only stored within Australian located data centers, under Villagemalls'
direct ownership and control. All access to data stored within VillageMalls' service is subject to access controls; access is audited, including the IP address point ( hence access country, and city location), which was used to access the data.
We believe the above solution, is a reasonable, commercial approach, which safe guards trustee data, while exploiting the use of the low cost Cloud infrastructure.
We see an increasing level of local support from global Cloud providers to address the Australian sovereignty, and performance issues, especially for the large corporate and government departments. Hence we predict a trend towards an increase in Australian located and controlled Cloud service providers, this will assist in meeting the requirements of SMSF Trustees, their Advisers and Accountants, who do not wish to take on the risks associated with off shoring..
As an aside, we believe that advanced Australian developed technology, combined with high levels of automation, will produce a lower cost, higher integrity, secure solution, then just off shoring labor.
Considering all of the above, I believe there is a place for off shoring, and Cloud infrastructure services, but such usage must be transparent to the Trustees and their Accountant.
The issue: SMSF Trustees, and their Advisers, must be informed, when any off shore third party is used to provide services, and also if their data is being "disclosed" to entities outside of Australian jurisdiction, so they can make an informed decision, regarding the use of such service.
Update: Jan 2014.
On the 12 of March 2014, new APP8 cross-border disclosure of personal information, comes into force, which effectively changed the "transfer" of information to the "disclosure" of information, and requires the data owner be a) informed of overseas access and b) that they give concent to the overseas access. APP8 finally removes the ability of overseas BPO's to say they access data on Australian servers and hence the Privacy principles do not apply, Clause 8.2 b) prevents the current situation where organisations simply use overseas BPO's without getting informed consent from the data owner, something very common within the SMSF administration area.
Charles Moore
CEO VillageMall Pty Ltd
-- Some interesting opinions, sourced from the Internet..
From www.smh.com.au, author tag PF
"No one has mentioned the big elephant in the room - the US Patriot Act, which Microsoft recently got pulled up on, admitting that as a US company, any data held on ANY of their or their subsidiaries' servers worldwide can be subject to seizure under the Patriot Act. More so - they would be obligated under US law to NOT inform the client that their data was compromised, even if that means breaching local privacy legislation.
Any scenario which involves corporate/sensitive data being stored in a jurisdiction which does not offer complimentary privacy/data rights is to be avoided."
“Many businesses have assumed that a local data centre, even if owned by an offshore provider, is enough to avoid data sovereignty issues,” said Peter James, Managing Director at Ninefold.“However, data stored in an Australian data centre owned by a provider headquartered in the US would face the same exposure to the US Patriot Act – and wider US law - as if it were stored in California.”
From http://www.customermanagementiq.com/people-management/articles/offshoring-to-india-no-longer-a-smart-strategy/
"Firms migrated operations to India to save money, focus on their core competencies, and move away from a fixed cost structure. Today, faith in offshoring must be tempered by reason. In the last few years, India’s significant advantages have yielded to some harsh economic realities. New cost dynamics and the reality of doing business halfway around the world with a very different culture have reduced the attraction of offshoring many operations, particularly those in knowledge intensive industries"
References
[1]Australian Law Reform Commission (‘ALRC’),
For Your Information: Australian Privacy Law and Practice, Report No 108 (2008), 1064; see also D Giles and A Chotar, ‘Offshoring Personal Information – The Devil in the Detail’ (2006) 3(6&7)
Privacy Law Bulletin 73, 73.
[2]Senate Finance and Public Administration Committees, Parliament of Australia, Senate,
Exposure Drafts of Australian Privacy Amendment Legislation Report Part 1 – Australian Privacy Principles (2011).
[3]AGIMO, ‘Cloud Computing Strategic Direction Paper’, (Report, AGIMO, April 2011
[4]Letter from APRA to all trustees of APRA regulated super funds, 15 November 2010
[5]Connie Carnabuci and Heather Tropman, ‘The Cloud and US Cross-Border Risks’ (Whitepaper, Macquarie Telecom/Freshfields Bruckhaus Deringer)
[6]David Loukidelis, ‘Privacy and the USA Patriot Act’ (Report, Information & Privacy Commissioner for British Columbia, October 2004
[7]Beware of fraud by the numbers
http://www.news.com.au/money/money-matters/beware-of-fraud-by-the-numbers/story-e6frfmd9-1225958249884
[8] Statement on Auditing Standards (SAS) No. 70, SAS No. 70 with a purpose of reporting on service organization’s internal policies, processes, and controls when hosting or processing information belonging to customers in a uniform reporting format. Typically SAS 70 certification is a standard companies will look for when outsourcing.
"The SAS 70 Type II audit serves as a testament to the high degree of rigor we place around our processes and management of client data. No matter if we are providing our clients services in the United States, India, or Europe, they can continue to rest assured that their financial information is handled according to internationally recognized standards of security and control."
http://sas70.com/sas70_overview.html
[9] Offshoring receiving attention,
https://www.charteredaccountants.com.au/secure/myCommunity/blogs/PaulM/professional-standards-blogs/133/offshoring-receiving-attention
[10]07 November 2012 A India-based BPO administration company, is forecasting growth to 20,000 SMSFs over the next four years.
http://www.thesauce.net.au
[11] Sarbanes-Oxley and the Outsourcing of Accounting: India, Outsourcing Theory, and Global
Accounting Standards.
http://next.eller.arizona.edu/courses/24hourKnowledgefactory/Spring2008/final_papers/PCervantes_PaulCervantes_ENTR489_FinalDraft.pdf
[12] Clayton Utz Insights, Privacy and the new APP 8: Cross-border data flows in a world without borders
http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
Disclaimer
The contents of this site should not be understood to be accounting, taxation or investment advice but rather as general product related educational information that may or may not meet your specific requirements.