Data Residency Requirements for Government Contracts
Federal and state government tenders increasingly require Australian data residency. Here's how to ensure your document sharing stack qualifies.
Australian government tenders increasingly require data to be stored and processed within Australia. If you're bidding for government work, federal, state, or local, understanding the data residency rules is essential.
The baseline requirement
Most Commonwealth government contracts include clauses requiring that personal information and sensitive data be stored within Australia, or in a jurisdiction with substantially similar privacy protections. In practice, "within Australia" is the safe answer, the list of jurisdictions deemed equivalent is short and contentious.
State governments (NSW, Victoria, WA, Queensland, SA) have their own variations, and many local councils have followed suit. The specifics vary but the pattern is consistent: data residency is a hard requirement, not a negotiation point.
The IRAP regime
For sensitive federal government work, there's an additional requirement: ASD's Information Security Registered Assessors Program (IRAP). Cloud services handling PROTECTED-classified information must be IRAP-assessed to the PROTECTED level. Services handling OFFICIAL: Sensitive information have lower but still specific assessment requirements.
The IRAP assessment confirms that the cloud service meets the ASD's Information Security Manual controls. It's not a one-time thing, it needs to be renewed periodically and the service provider has to actively maintain compliance.
What Australian data residency actually means
"Data resides in Australia" needs to be unpacked:
- The primary storage is in Australia
- Backups are in Australia
- Processing (any compute) happens in Australia
- Metadata, logs, and caching don't leak to non-Australian regions
- Support staff with access to the data are in Australia (or in a jurisdiction with equivalent privacy protections)
A surprising number of "Australian" cloud services fail on the last two. Their data is in Sydney, but their support team is in the Philippines or India, and support access means data access.
The practical checklist for tender responses
When responding to a government tender that includes data residency requirements, be ready to demonstrate:
- The cloud region where data is stored (must be AU-based)
- Where backups are held
- Where support staff are located and their access rights
- IRAP assessment status (if applicable)
- Your sub-processor list and their locations
- Your data breach response procedures
Being able to answer all of these in a single document response can be the difference between winning and losing a tender.
ShareAndGo's position
All ShareAndGo infrastructure is hosted in australia-southeast1 (Sydney). Primary storage, backups, processing, and support access are all Australian-based. For detailed compliance documentation, contact [email protected].
Frequently asked questions
Is "stored in an Australian region" enough for a government tender? Often not on its own — tenders increasingly ask where backups, processing, and support access sit too, and a Sydney region with offshore support staff can still fail the residency test. Do I always need IRAP? No — IRAP assessment applies to sensitive classified work (OFFICIAL: Sensitive and above). Many state and local contracts require Australian residency without a formal IRAP assessment. What's the most common reason a service fails the residency check? Support staff or sub-processors located overseas with access to the data — residency is about who can reach the data, not just where the disk is.