Where is my data stored?

Posted on Mar 15, 2018 in IT policy, Legal, Security

For law firms, your clients’ information is your responsibility. Therefore, when clients’ information is outsourced to an IT firm, the number one question every law firm should ask the IT firm is: “Where is my data stored?”

If it is in New Zealand, that’s great. Your data security will be governed and protected by our laws, the Privacy Act in particular, and compliant with the Law Society’s ‘Cloud Computing Guidelines for Lawyers’. Any access to your clients’ data will follow due process (except if you are Kim Dotcom, but that is a whole other blog).

If your data is not stored in New Zealand, you need to know where it is being held. Is it in Singapore? The USA? India? Or China? The question becomes ‘what law is my data subject to?’ and then ‘who can access it without due process?’

And then there are the privacy issues. If you do not know where your data is, or if it is in an overseas jurisdiction, then you need to ask the following questions:

  • Is there is a privacy law that applies in the country or countries where your data is stored or processed?
  • Is the privacy law similar to New Zealand’s privacy law?
  • Does the law apply to the cloud provider and to your information?
  • How will the cloud provider will deal with any requests for information that it receives from government agencies, courts etc.?
  • Will the cloud provider notify you if data is lost or stolen, for instance if the provider is hacked?
  • Who can you or your clients complain to if there’s a breach of privacy?

So in your next Partner’s meetings, or when you next speak to your IT provider – ask the question “Where is my data stored?”.