Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.

8 9/&$%:-34+%/&$ March 2014

64'- ; /1 ;<







!"#$% '() #$ *+, !"#$%&$ "( !"#$%&'(&) !"#$%&' !"#$%&'()*%"#$
!"#$% '()*


(lease consulL ,++=>??4@$A4B4C/&A./B?./B=5%4&.-? for Lhe laLesL verslon of Lhls paper)



Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- < /1 ;<
!"#$"%#&
1hls documenL provldes lnformaLlon Lo asslsL cusLomers who wanL Lo use AWS Lo sLore conLenL conLalnlng personal
lnformaLlon, ln Lhe conLexL of key prlvacy conslderaLlons and Lhe AusLrallan rlvacy AcL 1988 (CLh). lL wlll help cusLomers
undersLand:
1he way AWS servlces operaLe, lncludlng how cusLomers can address securlLy and encrypL Lhelr conLenL
1he geographlc locaLlon where conLenL can be sLored and oLher relevanL conslderaLlons
1he respecLlve roles Lhe cusLomer and AWS each play ln managlng and securlng conLenL sLored on AWS servlces
!"#$%
1hls whlLepaper focuses on Lyplcal quesLlons asked by AWS cusLomers when conslderlng Lhe lmpllcaLlons of Lhe
AusLrallan rlvacy AcL on Lhelr use of AWS servlces Lo sLore conLenL conLalnlng personal lnformaLlon. 1here wlll also be
oLher relevanL conslderaLlons for each cusLomer Lo address, for example a cusLomer may need Lo comply wlLh lndusLry
speclflc requlremenLs and Lhe laws of oLher [urlsdlcLlons where LhaL cusLomer conducLs buslness. 1hls paper ls noL legal
advlce, and should noL be relled on as legal advlce. As each cusLomer's requlremenLs wlll dlffer, AWS sLrongly
encourages lLs cusLomers Lo obLaln approprlaLe advlce on Lhelr lmplemenLaLlon of prlvacy and daLa proLecLlon
requlremenLs, and more generally, appllcable laws relevanL Lo Lhelr buslness.
!!"#$%&' )$*#&*#+ !!"#$%&'()$!"# '&+&,(") )! -'$,(./
SLorage of conLenL presenLs all organlsaLlons wlLh a number of common pracLlcal maLLers Lo conslder, lncludlng:
Wlll Lhe conLenL be secure?
Where wlll conLenL be sLored?
Who wlll have access Lo conLenL?
WhaL laws and regulaLlons apply Lo Lhe conLenL and whaL ls needed Lo comply wlLh Lhese?

1hese conslderaLlons are noL new and are noL cloud-speclflc. 1hey are relevanL Lo lnLernally hosLed and operaLed
sysLems as well as LradlLlonal Lhlrd parLy hosLed servlces. Lach may lnvolve sLorage of conLenL on Lhlrd parLy equlpmenL
or on Lhlrd parLy premlses, wlLh LhaL conLenL managed, accessed or used by Lhlrd parLy personnel. When uslng AWS
servlces, cusLomers malnLaln compleLe conLrol over Lhelr conLenL and are responslble for managlng key conLenL securlLy
requlremenLs, lncludlng:
WhaL conLenL Lhey choose Lo sLore on AWS
Whlch AWS servlces are used wlLh Lhe conLenL
ln whaL counLry LhaL conLenL ls sLored
1he formaL and sLrucLure of LhaL conLenL and wheLher lL ls masked, anonymlsed or encrypLed
Who has access Lo LhaL conLenL and how Lhose access rlghLs are granLed, managed and revoked

8ecause AWS cusLomers reLaln conLrol over Lhelr conLenL, Lhey also reLaln responslblllLles relaLlng Lo LhaL conLenL as
parL of Lhe AWS shared responslblllLy" model. 1hls shared responslblllLy model ls fundamenLal Lo undersLandlng Lhe
respecLlve roles of Lhe cusLomer and AWS ln Lhe conLexL of prlvacy requlremenLs LhaL may apply Lo conLenL LhaL
cusLomers choose Lo sLore on AWS.
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- D /1 ;<
!"# %&'()* ()%+,-%./.0.12 '++(,'3& 1, 4'-'5.-5 !"#$% '(!$)*+,!
!"## !"#$%&'( !"#$%#$ '% (%!)*%+
Movlng l1 lnfrasLrucLure Lo AWS creaLes a shared responslblllLy model beLween Lhe cusLomer and AWS for Lhe operaLlon
and managemenL of securlLy. AWS operaLes, manages and conLrols Lhe componenLs from Lhe hosL operaLlng sysLem
and vlrLuallzaLlon layer down Lo Lhe physlcal securlLy of Lhe faclllLles ln whlch Lhe AWS servlces operaLe. 1he cusLomer ls
responslble for managemenL of Lhe guesL operaLlng sysLem (lncludlng updaLes and securlLy paLches Lo Lhe guesL
operaLlng sysLem) and assoclaLed appllcaLlon sofLware, as well as Lhe conflguraLlon of Lhe AWS provlded securlLy group
flrewall and oLher securlLy-relaLed feaLures. 1hls ls shown below ln llgure 1: Shared 8esponslblllLy Model:


llgure 1 - Shared 8esponslblllLy Model

),4+ :/-$ +,- $,43-: 3-$=/&$%E%5%+8 B/:-5 B-4& 1/3 +,- $-.23%+8 /1 .2$+/B-3 ./&+-&+F

When evaluaLlng Lhe securlLy of a cloud soluLlon, lL ls lmporLanL for cusLomers Lo undersLand and dlsLlngulsh beLween:
SecurlLy measures LhaL Lhe cloud servlce provlder (AWS) lmplemenLs and operaLes - securlLy +, Lhe cloud"
SecurlLy measures LhaL Lhe cusLomer lmplemenLs and operaLes, relaLed Lo Lhe securlLy of cusLomer conLenL and
appllcaLlons LhaL make use of AWS servlces - securlLy -. Lhe cloud"

Whlle AWS manages securlLy +, Lhe cloud, securlLy -. Lhe cloud ls Lhe responslblllLy of Lhe cusLomer, as cusLomers reLaln
conLrol of whaL securlLy Lhey choose Lo lmplemenL Lo proLecL Lhelr own conLenL, plaLform, appllcaLlons, sysLems and
neLworks - no dlfferenLly Lhan Lhey would for appllcaLlons ln an on-slLe daLacenLre.
!"#$%&#'()" +%,
!"#$%&'( !!"! !"#
!"#$%
!"#$%&#'()" +%,
!"#$%&'( !!"!
!"# %&'()


Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- G /1 ;<
#&:-3$+4&:%&' $-.23%+8 /0 +,- .5/2:
AWS ls responslble for managlng Lhe securlLy of Lhe underlylng cloud envlronmenL. 1he AWS cloud lnfrasLrucLure has
been archlLecLed Lo be one of Lhe mosL flexlble and secure cloud compuLlng envlronmenLs avallable, deslgned Lo provlde
opLlmum avallablllLy whlle provldlng compleLe cusLomer segregaLlon. lL provldes an exLremely scalable, hlghly rellable
plaLform LhaL enables cusLomers Lo deploy appllcaLlons and conLenL qulckly and securely aL masslve global scale lf
necessary. AWS servlces are conLenL agnosLlc, ln LhaL Lhey offer Lhe same hlgh level of securlLy Lo all cusLomers,
regardless of Lhe Lype of conLenL belng sLored, or Lhe geographlcal reglon ln whlch Lhey sLore Lhelr conLenL. AWS's
world-class, hlghly secure daLa cenLers uLlllze sLaLe-of-Lhe arL elecLronlc survelllance and mulLl-facLor access conLrol
sysLems. uaLa cenLers are sLaffed 24x7 by Lralned securlLy guards, and access ls auLhorlzed sLrlcLly on a leasL prlvlleged
basls. lor a compleLe llsL of all Lhe securlLy measures bullL lnLo Lhe core AWS cloud lnfrasLrucLure, plaLforms, and
servlces, please read our Cvervlew of SecurlLy rocesses
1
whlLepaper
We are vlgllanL abouL our cusLomers' securlLy and have lmplemenLed sophlsLlcaLed Lechnlcal and physlcal measures
agalnsL unauLhorlzed access. CusLomers can valldaLe Lhe securlLy conLrols ln place wlLhln Lhe AWS envlronmenL Lhrough
AWS cerLlflcaLlons and reporLs, lncludlng Lhe AWS Servlce CrganlzaLlon ConLrol (SCC) 1 and 2 reporLs, lSC 27001
cerLlflcaLlon and Cl-uSS compllance reporLs. 1hese reporLs and cerLlflcaLlons are produced by lndependenL Lhlrd parLy
audlLors and aLLesL Lo Lhe deslgn and operaLlng effecLlveness of AWS securlLy conLrols. 1he appllcable AWS compllance
cerLlflcaLlons and reporLs can be requesLed aL hLLps://aws.amazon.com/compllance/conLacL. More lnformaLlon on AWS
compllance cerLlflcaLlons, reporLs, and allgnmenL wlLh besL pracLlces and sLandards can be found aL AWS' compllance
slLe.
Amazon Web Servlce lnc., as a conLrolled u.S. subsldlary of Amazon.com, lnc., parLlclpaLes ln Lhe Safe Parbor program
developed by Lhe u.S. ueparLmenL of Commerce, Lhe Luropean unlon and SwlLzerland, respecLlvely. Amazon.com and
lLs conLrolled u.S. subsldlarles have cerLlfled LhaL Lhey adhere Lo Lhe Safe Parbor rlvacy rlnclples agreed upon by Lhe
u.S., Lhe Lu and SwlLzerland, respecLlvely. 1he Safe Parbor cerLlflcaLlon for Amazon.com and lLs conLrolled u.S.
subsldlarles can be vlewed on Lhe u.S. ueparLmenL of Commerce's Safe Parbor Web slLe. 1he Safe Parbor rlnclples
requlre Amazon and lLs conLrolled u.S. subsldlarles Lo Lake reasonable precauLlons Lo proLecL personal daLa. 1hls
cerLlflcaLlon ls anoLher lllusLraLlon of our dedlcaLlon Lo securlLy and prlvacy.
#&:-3$+4&:%&' $-.23%+8 12 +,- .5/2:
CusLomers reLaln conLrol of Lhelr conLenL when uslng AWS servlces. CusLomers, raLher Lhan AWS, deLermlne whaL
conLenL Lhey sLore on AWS, conLrol how Lhey conflgure Lhelr envlronmenLs and secure Lhelr conLenL, whaL securlLy
feaLures and Lools Lhey use and how Lhey use Lhem. lor Lhese reasons cusLomers also reLaln responslblllLy for Lhe
securlLy of anyLhlng Lhelr organlsaLlon puLs on AWS, or LhaL Lhey connecL Lo Lhelr AWS lnfrasLrucLure, such as Lhe guesL
operaLlng sysLem, appllcaLlons on Lhelr compuLe lnsLances, and conLenL sLored and processed ln AWS sLorage, plaLform
and daLabase servlces.
1o asslsL cusLomers ln deslgnlng, lmplemenLlng and operaLlng Lhelr own secure AWS envlronmenL, AWS provldes a wlde
array of securlLy feaLures cusLomers can use. CusLomers can also use Lhelr own securlLy Lools and conLrols. CusLomers
can conflgure Lhelr AWS servlces Lo leverage a range of such securlLy feaLures, Lools and conLrols Lo proLecL Lhelr
conLenL, lncludlng sophlsLlcaLed ldenLlLy and access managemenL Lools, securlLy capablllLles, encrypLlon and neLwork
securlLy. Lxamples of sLeps cusLomers can Lake Lo help secure Lhelr conLenL lnclude lmplemenLlng:

1
hLLp://medla.amazonwebservlces.com/pdf/AWS_SecurlLy_WhlLepaper.pdf
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- H /1 ;<
SLrong password pollcles, asslgnlng approprlaLe permlsslons Lo users and Laklng robusL sLeps Lo proLecL Lhelr
access keys
ApproprlaLe flrewalls and neLwork segmenLaLlon, encrypLlng conLenL, and properly archlLecLlng sysLems Lo
decrease Lhe rlsk of daLa loss and unauLhorlzed access
All of Lhese facLors are wlLhln cusLomers' conLrol, raLher Lhan AWS. AWS does noL know whaL conLenL cusLomers are
placlng on AWS and does noL change cusLomer conflguraLlon seLLlngs, Lhey are deLermlned and conLrolled by Lhe
cusLomer. Cnly Lhe cusLomer can deLermlne whaL level of securlLy ls approprlaLe for Lhe daLa Lhey sLore and process
uslng AWS.
1o asslsL cusLomers ln lnLegraLlng AWS securlLy conLrols lnLo Lhelr exlsLlng conLrol frameworks and help cusLomers
deslgn and execuLe securlLy assessmenLs of Lhelr organlsaLlon's use of AWS servlces, AWS publlshes a number of
whlLepapers relaLlng Lo securlLy, governance, rlsk and compllance, and a number of checkllsLs and besL pracLlces.
CusLomers are also free Lo deslgn and execuLe securlLy assessmenLs accordlng Lo Lhelr own preferences, and can requesL
permlsslon Lo conducL scans of Lhelr cloud lnfrasLrucLure as long as Lhose scans are llmlLed Lo Lhe cusLomer's compuLe
lnsLances and do noL vlolaLe Lhe AWS AccepLable use ollcy.
!"# !"#$%&!! !"#$# &'(( !"#$%#$ !" $%&'"()
AWS daLa cenLres are bullL ln clusLers ln varlous global reglons. CusLomers have access Lo nlne AWS 8eglons around Lhe
globe
2
, lncludlng an Asla aclflc (Sydney) reglon. CusLomers can choose Lo use one reglon, all reglons or any
comblnaLlon of reglons. llgure 2 shows AWS reglon locaLlons:

I%'23- < ! ()* J5/E45 K-'%/&$

2
AWS CovCloud (uS) ls an lsolaLed AWS 8eglon deslgned Lo allow uS governmenL agencles and cusLomers Lo move senslLlve
workloads lnLo Lhe cloud by addresslng Lhelr speclflc regulaLory and compllance requlremenLs.
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- L /1 ;<
AWS cusLomers choose Lhe AWS 8eglon or reglons ln whlch Lhelr conLenL and servers wlll be locaLed. 1hls allows
cusLomers wlLh geographlc speclflc requlremenLs Lo esLabllsh envlronmenLs ln a locaLlon of Lhelr cholce. AWS
cusLomers ln AusLralla can choose Lo deploy Lhelr AWS servlces excluslvely ln Lhe Asla aclflc (Sydney) reglon and sLore
Lhelr conLenL onshore ln AusLralla. lf Lhe cusLomer makes Lhls cholce, Lhelr conLenL wlll be locaLed ln AusLralla unless
Lhe cusLomer chooses Lo move Lhe daLa.
CusLomers can repllcaLe and back up conLenL ln more Lhan one reglon, buL AWS does noL move or repllcaLe cusLomer
conLenL ouLslde of Lhe cusLomer's chosen reglon or reglons.
M/@ .4& .2$+/B-3$ $-5-.+ +,-%3 3-'%/&N$OF
When uslng Lhe AWS managemenL console, or ln placlng a requesL Lhrough an AWS AppllcaLlon rogrammlng lnLerface
(Al), Lhe cusLomer ldenLlfles Lhe parLlcular reglon or reglons where lL wlshes Lo use AWS servlces. llgure 3: SelecLlng
AWS Clobal 8eglons provldes an example of when uploadlng conLenL Lo an AWS sLorage servlce or provlslonlng compuLe
resources uslng Lhe AWS managemenL console.

I%'23- D ! *-5-.+%&' ()* J5/E45 K-'%/&$ %& +,- ()* P4&4'-B-&+ 9/&$/5-
CusLomers can also prescrlbe Lhe AWS 8eglon Lo be used for Lhelr compuLe resources by Laklng advanLage of Lhe
Amazon vlrLual rlvaLe Cloud (vC) capablllLy. Amazon vC leLs Lhe cusLomer provlslon a prlvaLe, lsolaLed secLlon of Lhe
AWS Cloud where Lhe cusLomer can launch AWS resources ln a vlrLual neLwork LhaL Lhe cusLomer deflnes. WlLh Amazon
vC, cusLomers can deflne a vlrLual neLwork Lopology LhaL closely resembles a LradlLlonal neLwork LhaL mlghL operaLe ln
Lhelr own daLa cenLre.
8y uslng Amazon vC, compuLe and oLher resources launched lnLo Lhe vC wlll only reslde ln Lhe reglon ln whlch LhaL
vC was creaLed. lor example, by creaLlng a vC ln Lhe Sydney reglon and provldlng a llnk (elLher a vn
3
or ulrecL

3
hLLp://docs.aws.amazon.com/AmazonvC/laLesL/userCulde/vC_vn.hLml
2$-3Q
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- R /1 ;<
ConnecL
4
) back Lo Lhe cusLomer's daLacenLre, all compuLe resources launched lnLo LhaL vC would only reslde ln Lhe Asla
aclflc (Sydney) reglon.
!"# %&' &%%()) !"#$%&'( !%*$'*$!
92$+/B-3 ./&+3/5 /7-3 ./&+-&+
CusLomers uslng AWS malnLaln and do noL release effecLlve conLrol over Lhelr conLenL. CusLomers conLrol Lhelr conLenL
from Lhe Llme of creaLlon. 1hey can:
ueLermlne where lL wlll be locaLed, for example Lhe Lype of sLorage and geographlc locaLlon of LhaL sLorage
ConLrol Lhe formaL of LhaL conLenL, for example plaln LexL, masked, anonymlsed or encrypLed, uslng elLher AWS
provlded encrypLlon or a Lhlrd-parLy encrypLlon mechanlsm of Lhe cusLomers own cholce
Manage oLher access conLrols, such as ldenLlLy, access managemenL and securlLy credenLlals
1hls allows AWS cusLomers Lo conLrol Lhe enLlre llfe-cycle of Lhelr conLenL on AWS, and manage Lhelr conLenL ln
accordance wlLh Lhelr own speclflc needs, lncludlng conLenL classlflcaLlon, access conLrol, reLenLlon and dlsposal.
()* 4..-$$ +/ .2$+/B-3 ./&+-&+
AWS only uses each cusLomer's conLenL Lo provlde Lhe AWS servlces selecLed by each cusLomer Lo LhaL cusLomer and
does noL use cusLomer conLenL for any secondary purposes. AWS LreaLs all cusLomer conLenL Lhe same and has no
lnslghL as Lo whaL Lype of conLenL Lhe cusLomer chooses Lo sLore ln AWS. AWS slmply makes avallable Lhe compuLe,
sLorage, daLabase and neLworklng servlces selecLed by cusLomer - AWS does noL requlre access Lo cusLomer conLenL Lo
provlde lLs servlces.
J/7-3&B-&+ 3%',+$ /1 4..-$$

Cuerles are ofLen ralsed abouL Lhe rlghLs of domesLlc and forelgn governmenL agencles Lo access conLenL held ln cloud
servlces. CusLomers are ofLen confused abouL lssues of daLa soverelgnLy, lncludlng wheLher and ln whaL clrcumsLances
governmenLs may have access Lo Lhelr conLenL. 1he local laws LhaL apply ln Lhe [urlsdlcLlon where Lhe conLenL ls locaLed
are an lmporLanL conslderaLlon for some cusLomers. Powever, cusLomers also need Lo conslder wheLher laws ln oLher
[urlsdlcLlons may apply Lo Lhem. CusLomers should seek advlce Lo undersLand Lhe appllcaLlon of relevanL laws Lo Lhelr
buslness and operaLlons.
When concerns or quesLlons are ralsed abouL Lhe rlghLs of domesLlc or forelgn governmenLs Lo seek access Lo conLenL
sLored ln Lhe cloud, lL ls lmporLanL Lo undersLand LhaL relevanL governmenL bodles may have rlghLs Lo lssue requesLs for
such conLenL under laws LhaL already apply Lo Lhe cusLomer. lor example, a company dolng buslness ln CounLry x could
be sub[ecL Lo a legal requesL for lnformaLlon even lf Lhe conLenL ls sLored ln CounLry ?. 1yplcally, a governmenL agency
seeklng access Lo Lhe daLa of an enLlLy wlll address any requesL for lnformaLlon dlrecLly Lo LhaL enLlLy raLher Lhan Lo Lhe
cloud provlder.
AusLralla, llke mosL counLrles, has leglslaLlon LhaL enables AusLrallan law enforcemenL and governmenL securlLy bodles
Lo seek access Lo lnformaLlon, for example Lhe !"#$%&'(&) +,-"%($. /)$,''(0,)-, 1%0&)(#&$(2) !-$ (1979)
3
. 1here ls also

4
hLLp://aws.amazon.com/dlrecLconnecL/
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- S /1 ;<
Lhe ablllLy for forelgn law enforcemenL bodles Lo apply for access Lo lnformaLlon ln AusLralla Lhrough leglslaLlon LhaL
glves effecL Lo muLual asslsLance LreaLles beLween many counLrles and AusLralla.
6
Powever, lL ls lmporLanL Lo remember
LhaL Lhese laws all conLaln crlLerla LhaL musL be saLlsfled before auLhorlslng access by Lhe relevanL governmenL body.
lor example, Lhe governmenL agency seeklng access wlll need Lo show lL has a valld reason for requlrlng a parLy Lo
provlde access Lo conLenL. MosL lmporLanLly, access powers largely relaLe Lo law enforcemenL and counLer-Lerrorlsm.
Many counLrles have daLa access laws whlch purporL Lo apply exLraLerrlLorlally. An example of a uS law wlLh exLra-
LerrlLorlal reach LhaL ls ofLen menLloned ln Lhe conLexL of cloud servlces ls Lhe u.S. aLrloL AcL. 1he aLrloL AcL ls slmllar
Lo laws ln oLher developed naLlons LhaL enable governmenLs Lo obLaln lnformaLlon wlLh respecL Lo lnvesLlgaLlons
relaLlng Lo lnLernaLlonal Lerrorlsm and oLher forelgn lnLelllgence lssues. Any requesL for documenLs under Lhe aLrloL
AcL requlres a courL order demonsLraLlng LhaL Lhe requesL complles wlLh Lhe law, lncludlng, for example, LhaL Lhe
requesL ls relaLed Lo leglLlmaLe lnvesLlgaLlons. 1he aLrloL AcL generally applles Lo all companles wlLh an operaLlon ln Lhe
u.S., lrrespecLlve of where Lhey are lncorporaLed and/or operaLlng globally and lrrespecLlve of wheLher Lhe lnformaLlon
ls sLored ln Lhe cloud or ln physlcal records. 1hls means LhaL AusLrallan companles dolng buslness ln Lhe unlLed SLaLes
are Lhemselves sub[ecL Lo aLrloL AcL requesLs for documenLs.
()* =/5%.8 /& '34&+%&' '/7-3&B-&+ 4..-$$

AWS ls vlgllanL abouL cusLomers' securlLy and does noL dlsclose or move daLa ln response Lo a requesL from Lhe
AusLrallan, u.S. or oLher governmenL unless legally requlred Lo do so ln order Lo comply wlLh a legally valld and blndlng
order, such as a subpoena or a courL order, or as ls oLherwlse requlred by appllcable law. non-u.S. governmenLal or
regulaLory bodles Lyplcally musL use recognlzed lnLernaLlonal processes, such as MuLual Legal AsslsLance 1reaLles wlLh
Lhe u.S. governmenL, Lo obLaln valld and blndlng orders. AddlLlonally, our pracLlce ls Lo noLlfy cusLomers where
pracLlcable before dlscloslng Lhelr conLenL so Lhey can seek proLecLlon from dlsclosure, unless we are legally prevenLed
from dolng so.



3
hLLp://www.comlaw.gov.au/ueLalls/C2012C00260
6
3"$"&' !##(#$&)-, () 4%(5()&' 3&$$,%# !-$ 6789 (CLh).
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- T /1 ;<
!"#$%&' %)* +%,% !"-,.&,#-) #) /01,"%2#%
!"# %&'()*+ ,*-
1hls parL of Lhe paper dlscusses aspecLs of Lhe AusLrallan :%(;&-. !-$ 6788 (CLh) applylng from 12 March 2014 when a
number of changes Look effecL.
lrom 12 March 2014, Lhe maln requlremenLs ln Lhe rlvacy AcL for handllng personal lnformaLlon are seL ouL ln Lhe
AusLrallan rlvacy rlnclples (As). 1he As lmpose requlremenLs for collecLlng, managlng, deallng wlLh, uslng,
dlscloslng and oLherwlse handllng personal lnformaLlon. 1he As can be found aL:
hLLp://www.oalc.gov.au/prlvacy/prlvacy-resources/prlvacy-guldes/app-qulck-reference-Lool.
unllke oLher prlvacy reglmes, Lhe As do noL dlsLlngulsh beLween a daLa conLroller" who has conLrol over personal
lnformaLlon and Lhe purposes for whlch lL can be used, and a daLa processor" LhaL processes lnformaLlon aL Lhe
dlrecLlon of and on behalf of a daLa conLroller." 1he As do however apply ln dlfferenL ways Lo dlfferenL Lypes of
enLlLles. lor example, Lhe way Lhe A requlremenLs apply Lo each organlsaLlon depends on Lhe role Lhey play ln
relaLlon Lo Lhe relevanL personal lnformaLlon. CbllgaLlons vary dependlng on wheLher Lhey collecL", use", Lransfer"
or dlsclose", personal lnformaLlon. ln Lhe conLexL of Lhe cusLomer conLenL sLored on Lhe AWS servlces, Lhe cusLomer:
CollecLs lnformaLlon from Lhelr end users, and deLermlnes Lhe purpose for whlch Lhey requlre and wlll use Lhe
lnformaLlon
Pas Lhe capaclLy Lo conLrol who can access, updaLe and use Lhe lnformaLlon collecLed, and manages Lhe
relaLlonshlp wlLh Lhe lndlvldual abouL whom Lhe lnformaLlon relaLes, lncludlng by communlcaLlng wlLh Lhe
lndlvldual as requlred Lo comply wlLh any relevanL dlsclosure and consenL requlremenLs

We summarlse below some A requlremenLs parLlcularly lmporLanL for a cusLomer Lo conslder lf uslng AWS Lo sLore
personal lnformaLlon. We also dlscuss aspecL of Lhe AWS Servlces relevanL Lo Lhese As.
(66 *2BB438 /1 (66 3-U2%3-B-&+ 9/&$%:-34+%/&$
A 1.2 An enLlLy musL Lake such sLeps as
are reasonable ln Lhe
clrcumsLances Lo lmplemenL
pracLlces, procedures and sysLems
relaLlng Lo Lhe enLlLy's funcLlons or
acLlvlLles Lo ensure compllance
wlLh Lhe As and Lo enable Lhe
enLlLy Lo deal wlLh lnqulrles or
complalnLs abouL compllance wlLh
Lhe As.
1he As apply dlfferenLly Lo each parLy, reflecLlng Lhe level of conLrol
and access each parLy has over Lhe personal lnformaLlon.
92$+/B-3> 1he As wlll lmpose more exLenslve obllgaLlons on Lhe
cusLomer Lhan AWS. 1hls ls because Lhe cusLomer has conLrol of Lhelr
conLenL and ls able Lo communlcaLe dlrecLly wlLh lndlvlduals abouL
LreaLmenL of Lhelr personal lnformaLlon.
()*> 1o Lhe exLenL Lhe As may apply Lo AWS Lhey would apply ln a
more llmlLed way. As explalned above, AWS has no lnslghL as Lo whaL
Lype of conLenL Lhe cusLomer chooses Lo sLore ln AWS and Lhe
cusLomer reLalns compleLe conLrol of how Lhe conLenL ls sLored, used
and proLecLed from dlsclosure.

Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- ;V /1 ;<
A 1.3 -
1.6
An enLlLy musL malnLaln a prlvacy
pollcy addresslng parLlcular
maLLers abouL how Lhe enLlLy
manages personal lnformaLlon and
comply wlLh requlremenLs for
maklng LhaL pollcy avallable.
92$+/B-3> CusLomers are responslble for malnLalnlng Lhelr own
prlvacy pollcy LhaL complles wlLh Lhe As.
()*> ln Lhe conLexL of cusLomer conLenL, AWS does noL know whaL
conLenL ls uploaded by Lhe cusLomer and does noL conLrol LhaL
conLenL. lor Lhls reason our prlvacy pollcy cannoL address how each
cusLomer chooses Lo use personal lnformaLlon lncluded ln Lhelr
cusLomer conLenL.
A 3 Where an enLlLy collecLs personal
lnformaLlon abouL an lndlvldual,
Lhe enLlLy musL Lake such sLeps as
are reasonable ln Lhe
clrcumsLances Lo Lell or oLherwlse
ensure Lhe lndlvldual ls aware of
cerLaln maLLers.
92$+/B-3> 1he cusLomer ls responslble for meeLlng any A
requlremenL Lo noLlfy lndlvlduals whose personal lnformaLlon Lhe
cusLomer ls sLorlng on AWS abouL all relevanL maLLers requlred under
A3, lncludlng, lf appllcable, abouL Lhe cusLomer's use of AWS Lo
sLore LhaL personal lnformaLlon.
()*: AWS does noL know when a cusLomer chooses Lo upload Lo
AWS conLenL LhaL may conLaln personal lnformaLlon. AWS also does
noL collecL personal lnformaLlon from lndlvlduals whose personal
lnformaLlon Lhe cusLomer ls sLorlng ln AWS. AWS ls unable ln Lhese
clrcumsLances Lo provlde any noLlflcaLlons Lo Lhe relevanL lndlvlduals.
A 8

8ules abouL dlscloslng personal
lnformaLlon Lo an overseas
reclplenL and excepLlons Lo Lhose
rules.
92$+/B-3> Where a cusLomer has a geographlcal or reglonal
consLralnL, Lhe cusLomer can choose Lhe AWS reglon or reglons where
Lhelr conLenL wlll be sLored, lncludlng by malnLalnlng Lhelr conLenL ln
AusLralla, lf requlred.
()*> AWS does noL move cusLomer's conLenL from one reglon Lo
anoLher. lf a cusLomer chooses Lo sLore conLenL ln more Lhan one
reglon, or copy conLenL beLween reglons, LhaL ls solely Lhe cusLomer's
cholce.
J-&-345> lL ls lmporLanL Lo hlghllghL LhaL an enLlLy ls only requlred Lo
comply wlLh A 8 lf Lhere ls a "dlsclosure" by LhaL enLlLy Lo an
overseas reclplenL. 1he Cfflce of Lhe lnformaLlon Commlssloner
(CAlC) has sald dlsclosure generally occurs when an enLlLy releases
personal lnformaLlon from lLs effecLlve conLrol.
1he AWS servlce ls sLrucLured so LhaL a cusLomer malnLalns effecLlve
conLrol of cusLomer conLenL regardless of whaL AWS 8eglon Lhey use
for Lhelr conLenL. CAlC guldance lndlcaLes LhaL lnformaLlon provlded
Lo a cloud servlce provlder sub[ecL Lo adequaLe securlLy and sLrlcL user
conLrol may be a "use" by Lhe cusLomer and noL a "dlsclosure".
Accordlngly, uslng AWS servlces Lo sLore personal lnformaLlon ouLslde
AusLralla aL Lhe cholce of Lhe cusLomer may be a "use" noL a
"dlsclosure" of cusLomer conLenL. CusLomers should seek legal advlce
regardlng Lhls lf Lhey feel lL may be relevanL Lo Lhe way Lhey propose
Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- ;; /1 ;<
Lo use Lhe AWS Servlces.
AWS ls always monlLorlng relevanL lnformaLlon securlLy, prlvacy and
compllance requlremenLs. We wlll carefully conslder any relevanL
updaLes and developmenLs Lo Lhe A Culdellnes on Lhls lssue.
7

A 10 -
12
8ules abouL proLecLlng Lhe
lnLegrlLy of personal lnformaLlon
lncludlng lLs quallLy, securlLy and
allowlng access and correcLlons.
92$+/B-3$> CusLomers are responslble for Lhelr conLenL (lncludlng Lhe
conLenL of end-users of Lhe cusLomers) and for securlLy %& Lhe cloud.
When a cusLomer chooses Lo sLore conLenL uslng AWS, Lhe cusLomer
has conLrol over Lhe quallLy of, access Lo and correcLlon of any
personal lnformaLlon LhaL Lhe cusLomer conLenL may lnclude. 1hls
means LhaL Lhe cusLomer musL Lake all requlred sLeps Lo
communlcaLe wlLh lndlvlduals abouL Lhelr personal lnformaLlon,
deLermlne when Lhe lnformaLlon ls no longer needed and desLroy or
de-ldenLlfy Lhe lnformaLlon when no longer needed.
()*: AWS ls responslble for securlLy /1 Lhe cloud. AWS SCC 1 1ype 2
reporL lncludes conLrols LhaL provlde reasonable assurance LhaL daLa
lnLegrlLy ls malnLalned Lhrough all phases lncludlng Lransmlsslon,
sLorage and processlng.

63%74.8 W3-4.,-$
Clven LhaL cusLomers malnLaln managemenL and conLrol of Lhelr daLa when uslng AWS, cusLomers reLaln Lhe
responslblllLy Lo monlLor Lhelr own envlronmenL for prlvacy breaches and Lo noLlfy affecLed lndlvlduals as requlred
under appllcable law.
A cusLomer's AWS access keys can be used as an example Lo help explaln why Lhe cusLomer raLher Lhan AWS ls besL
placed Lo manage Lhls responslblllLy. CusLomers conLrol access keys, and deLermlne who ls auLhorlsed Lo access Lhelr
AWS accounL. AWS does noL have vlslblllLy of access keys, or who ls and who ls noL auLhorlsed Lo log lnLo an accounL.
1herefore, Lhe cusLomer ls responslble for monlLorlng use, mlsuse, dlsLrlbuLlon or loss of access keys.
lL ls currenLly noL a mandaLory requlremenL of Lhe rlvacy AcL Lo noLlfy lndlvlduals of unauLhorlzed access Lo or
dlsclosure of Lhelr personal lnformaLlon. noLlflcaLlon may be approprlaLe havlng regard Lo Lhe Cfflce of Lhe AusLrallan
lnformaLlon Commlssloner's (CAlC) recommendaLlons ln <&$& =%,&-> )2$(?(-&$(2)@ & 0"(A, $2 >&)A'()0 B,%#2)&'
()?2%5&$(2) #,-"%($. =%,&->,# (2012).
S
lL ls for Lhe cusLomer Lo deLermlne when lL ls approprlaLe for Lhem Lo noLlfy
lndlvlduals and Lhe noLlflcaLlon process Lhey wlll follow.


7
lor Lhe laLesL CAlC Culdellnes go Lo: hLLp://www.oalc.gov.au/prlvacy/prlvacy-news

Amazon Web Servlces ! #$%&' ()* %& +,- ./&+-0+ /1 (2$+345%4& 63%74.8 9/&$%:-34+%/&$ March 2014
64'- ;< /1 ;<
X+,-3 ./&$%:-34+%/&$
1hls whlLepaper does noL dlscuss oLher AusLrallan prlvacy laws, aslde from Lhe rlvacy AcL, LhaL may also be relevanL Lo
cusLomers, lncludlng sLaLe based laws and lndusLry speclflc requlremenLs. 1he relevanL prlvacy and daLa proLecLlon laws
and regulaLlons appllcable Lo lndlvldual cusLomers wlll depend on several facLors lncludlng where a cusLomer conducLs
buslness, Lhe lndusLry ln whlch lL operaLes, Lhe Lype of conLenL Lhey wlsh Lo sLore, where or from whom Lhe conLenL
orlglnaLes, and where Lhe conLenL wlll be sLored.
CusLomers concerned abouL Lhelr AusLrallan prlvacy regulaLory obllgaLlons should flrsL ensure Lhey ldenLlfy and
undersLand Lhe requlremenLs applylng Lo Lhem, and seek approprlaLe advlce.
95/$%&' K-B43Y$

lor AWS, securlLy ls always our Lop prlorlLy. We dellver servlces Lo hundreds of Lhousands of buslnesses lncludlng
enLerprlses, educaLlonal lnsLlLuLlons, and governmenL agencles ln over 190 counLrles. Cur cusLomers lnclude flnanclal
servlces provlders and healLhcare provlders and we are LrusLed wlLh some of Lhelr mosL senslLlve lnformaLlon.

AWS servlces are deslgned Lo glve cusLomers flexlblllLy over how Lhey conflgure and deploy Lhelr soluLlons as well as
conLrol over Lhelr conLenL, lncludlng where lL ls sLored, how lL ls sLored and who has access Lo lL. AWS cusLomers can
bulld Lhelr own secure appllcaLlons and sLore conLenL securely on AWS.

(::%+%/&45 K-$/23.-$

1o help cusLomers furLher undersLand how Lhey can address Lhelr prlvacy and daLa proLecLlon requlremenLs, cusLomers
are encouraged Lo read Lhe rlsk, compllance and securlLy whlLepapers, besL pracLlces, checkllsLs and guldance publlshed
on Lhe AWS webslLe. 1hls maLerlal can be found aL hLLp://aws.amazon.com/compllance and
hLLp://aws.amazon.com/securlLy.

AWS also offers Lralnlng Lo help cusLomers learn how Lo deslgn, develop, and operaLe avallable, efflclenL, and secure
appllcaLlons on Lhe AWS cloud and galn proflclency wlLh AWS servlces and soluLlons. We offer free lnsLrucLlonal
vldeos, self-paced labs, and lnsLrucLor-led classes. lurLher lnformaLlon on AWS Lralnlng ls avallable aL
hLLp://aws.amazon.com/Lralnlng/.

AWS cerLlflcaLlons cerLlfy Lhe Lechnlcal skllls and knowledge assoclaLed wlLh besL pracLlces for bulldlng secure and
rellable cloud-based appllcaLlons uslng AWS Lechnology. lurLher lnformaLlon on AWS cerLlflcaLlons ls avallable aL
hLLp://aws.amazon.com/cerLlflcaLlon/.

lf you requlre furLher lnformaLlon, please conLacL AWS aL: hLLps://aws.amazon.com/conLacL-us/ or conLacL your local
AWS accounL represenLaLlve.