Data residency in Australian healthcare: Sorting fact from fiction

A persistent myth in healthcare IT is that data must stay onshore to stay safe. Many providers — especially in mental health, disability, and aged care — are told that hosting data overseas is non-compliant or even illegal. This claim has shaped procurement decisions, delayed modernisation projects, and led some organisations to maintain expensive on-premises infrastructure well past its useful life.

The reality is more nuanced, and understanding it matters — because acting on misinformation about data residency can cost your organisation both money and agility.

What Australian Law Actually Requires

The Privacy Act 1988 and the Australian Privacy Principles (APPs) govern how health information is handled. They require that personal information be protected from misuse, interference, and unauthorised access — but they do not mandate that data be stored on Australian soil. The obligation is to ensure adequate protections are in place wherever the data resides.

For cloud services, this means assessing the provider's security controls, certifications, and contractual commitments — not simply their data centre location. Microsoft Azure, for example, holds IRAP assessments across multiple services and operates Australian data centre regions, which satisfies the expectations of most healthcare regulators.

Where Genuine Risk Sits

Real data risk in healthcare tends to come from access control gaps, unencrypted storage, inadequate audit trails, and poor incident response — not from geography. Providers that focus exclusively on residency while leaving other security fundamentals unaddressed are solving the wrong problem.

Sognos helps health and care organisations assess their data governance posture and implement Microsoft cloud environments that meet regulatory expectations. If your organisation is weighing up cloud adoption and has questions about compliance, we can help you separate fact from fiction.