Dr Peter Stevens considers data and supply chain security.

For several years many of us as individuals have taken advantage of globally provided ‘free’ email accounts (Hotmail, Gmail, etc) and never really given much thought to where our precious emails are physically stored.

However, corporate use of such services is rapidly increasing. Here at GS1 New Zealand a few years ago we had a meltdown with our Microsoft Exchange server. Seriously inconvenient! This crash, coupled to my frustration with the amount of support dollars we were spending on maintaining MS Exchange, drove us to be (we learnt subsequently) one of the first organisations in NZ to go over to Google’s new Corporate Gmail. This change has really worked for us: our support costs have dropped to almost zero, and because the management of the service is so trivial for the first couple of years I, as CEO was the email administrator!

But Gmail, of course, is one of these fashionable ‘cloud’-based services that businesses are increasingly adopting. The appeal is clear: almost infinitely scalable, cheap, no hardware to purchase/depreciate/dispose of and upgrades to the service happen almost automatically. There are drawbacks in trying to customise the service (just give up is often the answer!), but these are minor.

But it is interesting to ponder with cloud-based services that you really have no idea physically where your data is stored. Who knows? Who cares? If we are to believe press reports, in actuality your data may be spread across multiple servers located in different parts of the world.

A cause for concern? To most of us not. Many businesses use overseas-based providers for mission critical data now and have not given it much thought.

However, increasingly governments and corporates are concerned about the link between their data and geography. Perhaps more specifically, their data and jurisdiction. Where (under which country?) do laws around access, privacy, dispute resolution apply? Again the answer might be: who knows?!

Because of these concerns about jurisdictional issues, many governments are tightening up on their requirements around the physical location of servers/data relevant to the discharge of their regulatory obligations. For example, recently the NZ government has contracted Revera and Datacom (they are still in negotiation with IBM) for long term All of Government (AoG) provision of Infrastructure-as-a-Service (IaaS) services. In plain English, this means the centralised provision of computer servers for all government agencies.

It is argued that some sort of ‘shared service’ will drive efficiencies and trend costs down because at the moment most government agencies have their own IT managers, server rooms, backup devices and networks etc, etc. But one of the most interesting components of the contract in some ways is a mandatory requirement for all the IT servers and data to be physically NZ-based. The Department of Internal Affairs (which set up the contract) argues that this gets around any complications with jurisdiction, especially where there is any ‘secret’ data housed (eg, budget secret, defence).

Such moves raise interesting questions and possible tensions for the future of supply chains and related services.

The exchange of data between parties up-and-down the supply chain is essential. This is the reason why GS1’s standards were invented and are so important to the efficient running of most supply chains. As food security, terrorism and other concerns step up government’s interests in transactions, both within and between countries, it will be interesting to see to what extent governments will require business to domicile data over which they have regulatory oversight in a particular country (think: border crossing, verification of traceability requirements for export goods, financial transactions). We will just have to wait and see.