
Is it ok to use software as a service (SaaS)? What do I need to know about data security?

Justin Fung, Avant Law - Partner, Head of Commercial & Corporate | General Manager

Software as a service (SaaS) arrangements are quickly overtaking traditional on-premises software licensing for many businesses. Some say they already have.

SaaS infrastructure (sometimes referred to as ‘cloud-based’ software) is often provided by a large supplier in a one-to-many model. Some big names include Amazon Web Services (AWS) and Azure. The scale of their operations means solutions can be offered by the software provider to multiple customers in a cost-effective and economical way. Fees are usually subscription or volume based.

Why would customers choose SaaS?

For the customer, advantages include quick start-up, scalability and flexibility as to device and location. Access to the provider's disaster recovery arrangements can also be an important benefit.

Are there disadvantages?

This model does depend on acceptable and reliable internet connectivity. Other business risks include service availability, service levels and data security. Service customisation is often limited.

These risks differ from those of the on-premises model, where the concerns centred on configuration, implementation and acceptance.

The deal is usually on the provider's standard terms and conditions and is often 'take it or leave it', except for the very largest customers.

Can risks be managed?

Service availability and service levels can be locked down in the SaaS procurement contract, and the contract can provide recompense for any defaults – for example through service credits.

For healthcare providers in particular, risks around data security could be a deal breaker, depending on the amount and type of personal information that will be used in the solution.

If you are considering using SaaS, you need to be satisfied of the supplier's standing and reputation. You would also be looking for certain warranties from the supplier about:

  • its intellectual property,
  • the stability of the platform,
  • that it is hosted on servers located in Australia,
  • its penetration testing and vulnerability scans,
  • its ongoing support and maintenance and the extraction of data to be returned to the customer, and
  • deletion of customer data from its systems at the end of the relationship.

The SaaS terms must document an agreed action plan in the event of a data breach. At a minimum it needs to acknowledge the requirements of the Privacy Act 1988 (Cth): for example, that the supplier will report and provide an action plan to the client within 24 hours of any suspected data breach in relation to its platform, and that the parties will work together in good faith in assessing, mitigating, remediating and, if necessary, reporting the data breach as required by the data breach notification provisions of the Privacy Act 1988 (Cth).

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113 to organise a confidential discussion at a time that suits you.

About the author

Justin Fung

Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors. He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.


The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to 15 July 2022. Legal services are provided by Avant Law. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. © Avant Mutual Group Limited 2024
