
Data Privacy Day – time to smarten up on information security?

Posted 3 years ago in Xero news by Ashleigh Lambert

Today is Data Privacy Day. As an annual event, it’s probably not the best excuse for a team meeting at the pub and it almost certainly lacks the fun of Burns Night or the sexiness of Valentine’s Day. Yet, in the digital era, Data Privacy Day is a good excuse to take a step back and consider the potential risks we expose ourselves and our businesses to.

Data Privacy Day

Data Privacy Day is about getting us thinking about how well we guard our personal and business data, and our all-important customer information. The fact that a hoax caller got a direct line to the British Prime Minister just days ago shows that no organisation is immune from the type of human error that culminated in his number being given away inappropriately.

Use correct and up-to-date records

For small businesses, running a tight ship reduces the likelihood of falling foul of the Data Protection Act, as well as potentially souring relationships and even leaving your firm open to damages claims. It’s also good manners and good housekeeping: using incorrect or out-of-date records not only risks annoying clients, but also wastes time and money when emails are deleted and letters go straight in the bin.

On the flip side, good information handling can improve your business’s reputation by increasing customer and employee confidence. Not sure how well you or your team are doing when it comes to best-practice? Take a look at this checklist from the Information Commissioner’s Office.

Keep your passwords secure

Then there’s the thorny issue of passwords. With logins needed for everything from your bank to your supermarket or social network, using the same one over and over is clearly a bad idea: once one of those sites is breached, attackers try the leaked email-and-password pair against every other service, and a reused password hands them the lot. Yet make too many new or complex passwords and it’s easy to get mixed up or forget. It’s also good practice to change a password promptly when you have reason to think it has been exposed, for instance after a breach at the service concerned; changing strong, unique passwords on a fixed schedule adds much less. Here, password managers such as 1Password can be incredibly convenient: they generate a long random password for each site and keep them all in a vault encrypted under the one master password you do have to remember, so the strength of that master password (and ideally a second factor on the vault) is what everything else rests on.
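To make the advice concrete, here is an added example (not code from Xero or from 1Password) of what a password manager does for you, written in Python with only the standard library: it generates a random password per site, derives the vault’s encryption key from one memorised master password with a deliberately slow key derivation function, and flags which entries in a vault share a password. The function names, the iteration count and the sample vault are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Added example, not Xero's or 1Password's code. It sketches what a password
# manager does: generate a unique random password per site, and stretch one
# memorised master password into the vault's encryption key with a slow KDF.
# Names, parameters and the sample vault are assumed for illustration.

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
# PBKDF2-HMAC-SHA256 work factor (assumed; tune so one derivation takes ~0.5 s).
KDF_ITERATIONS = 600_000


def generate_site_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Return a random password drawn from the OS CSPRNG (never random.choice)."""
    if length < 12:
        raise ValueError("use at least 12 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key.

    Same password + same salt -> same key, so the salt is stored next to the
    vault; a fresh random salt per vault stops precomputed tables working
    across users, and the iteration count makes each guess expensive."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def verify_master_password(candidate: str, salt: bytes, stored_key: bytes,
                           iterations: int = KDF_ITERATIONS) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), stored_key)


def find_reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one site to the sorted list of those
    sites. A breach at any one of them exposes all the others."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault: exactly the habit the post warns against.
SAMPLE_VAULT = {
    "bank.example": "Summer2015!",
    "supermarket.example": "Summer2015!",
    "social.example": "Summer2015!",
    "accounting.example": generate_site_password(),
}

if __name__ == "__main__":
    print("reused across sites:", find_reused_passwords(SAMPLE_VAULT))
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt, iterations=10_000)
    print("master password verifies:",
          verify_master_password("correct horse battery staple", salt, key, iterations=10_000))
```

The reuse check is the part worth running against your own habits: if two sites share a password, the weaker site’s breach is the stronger site’s breach. The KDF iteration count is a cost knob, not a security constant; raise it as hardware gets faster.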

Where does your data end up?

Last but by no means least, before signing up to a new bank or software provider, don’t be afraid to ask questions about where your data will be stored, who can access it and how it will be used. Keep in mind too that, like many things in life, the old adage ‘there’s no such thing as a free lunch’ is probably applicable. The main reason many software apps are free is that the data is used commercially or held for use at a later date.

Read more about Xero’s world-class data protection.


Chris Doms
January 29, 2015 at 8.31 am

I’m a big supporter of Xero, but this particular post is more than a little ironic. To date Xero’s data is all hosted by Rackspace in the USA, meaning it’s entirely subject to NSA snooping. Rackspace will claim that “your data belongs to you”, but so far have refused to take proactive action against NSA spying, as has Xero themselves.

Xero’s quiet position is that if you’re worried about the US government accessing your records you should choose another system, because the simple fact is that as long as they’re hosting in the USA the US government will have the capability and legal authority to access your data.

I urge Xero to do the right thing and start using a non-US provider for their cloud services.

As a post-script: if you don’t think this can happen, think again. A few years ago the FBI approached Rackspace without so much as a warrant, and Rackspace handed over the complete hard drives and server records, taking down server websites for the independent journalists’ organisation Indymedia. Rackspace were more than happy to do this, and didn’t put up any fight whatsoever over the matter. Indymedia hadn’t broken any laws.

Peter Whiting
January 29, 2015 at 11.48 am

I concur with Chris’ comments and note that Xero may have data protection and encryption but does not categorically state that others cannot access our data. We are not getting a free lunch, we are paying a fee for this service, so it would be nice to know that our data is secure from prying government agencies.

Andrea Silvers Xero
January 29, 2015 at 2.30 pm

Posted on behalf of Duncan Ritchie


We treat data privacy seriously and have a number of measures in place to protect your data stored on our systems. We encrypt data at rest and in transit and have no known mechanisms for the NSA to access data.

Our privacy policy outlines the conditions for releasing your data. In relation to your question, we will release data when issued with a valid warrant, as we have no choice but to comply with the law; however, we will not release data without legal compulsion or your permission.

We have a robust contract with Rackspace that covers data ownership, data privacy and security and we believe this provides appropriate protection.


January 30, 2015 at 10.00 am

You are correct: Xero has no idea what arrangements Rackspace has with the NSA.
Just because Xero does not know does not mean they don’t exist; your comment is meaningless with regard to client data privacy.

Data hosted overseas is outside of the control of any Xero client, full stop.
“We treat data privacy seriously”: this is simply not true. Xero clients have been asking for an MFA security option forever and Xero has chosen to do nothing, while all major online services have offered it for many years. This is not taking data privacy seriously.

All commercial best-practice cloud services offer individual (read: Xero-client-controlled) data encryption; trusting a USA, or even NZ, entity to protect your Australian client data and keys is quite bizarre.
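On the MFA point raised in the comment above: the following is an added example, not code from Xero, Rackspace or any commenter, showing how a time-based one-time-password second factor is computed and then verified on the server side under RFC 4226 (HOTP) and RFC 6238 (TOTP), using only Python’s standard library. The shared secret is the RFC test-vector seed; the time step, the drift window and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not code from Xero or any commenter. Implements the TOTP second
# factor (RFC 6238, built on HOTP from RFC 4226) with the standard library only.
# RFC_SEED is the RFC test-vector secret; TIME_STEP/WINDOW are assumed defaults.

RFC_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per code (RFC 6238 default)
WINDOW = 1       # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, digits: int = 6,
                step: int = TIME_STEP, window: int = WINDOW) -> bool:
    """Server-side check: accept the code for the current step or +/- window
    steps, comparing in constant time. A production verifier must also store
    the last accepted step per user and reject anything at or before it, so a
    captured code cannot be replayed while it is still within the window."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the seed as base32 (what the enrolment QR
    code carries); re-add any padding the app stripped."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SEED, now)
    print("current code:", code)
    print("verifies:", verify_totp(RFC_SEED, code, now))
```

The window is the usual trade-off: a wider one tolerates more clock drift between the server and the user’s phone but gives a guessed code more chances, so pair it with rate limiting. Note also that the seed is a shared secret: whoever holds the server’s copy can mint codes, which is the same reason a client-controlled encryption key matters elsewhere in this thread.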

Perry Robinson
February 3, 2015 at 1.33 pm

There has been a lot of misinformation about this topic over the years and I’d like to clarify. Rackspace learned early on as a young startup about the need to carefully handle government requests. This occurred in 2004 when we mishandled a request from the FBI regarding a customer’s servers. As we have previously stated on the Rackspace blog, Rackspace learned much from this event — we owned it. And in the 11 years since that event, we have built a legal team, which includes international members, who have specialized training on law enforcement requests for customer data, and who are recognized as experts in this area of law.

A lot has changed since 2004, but our policy and position that Rackspace developed after that event regarding law enforcement access to customer data has been consistent and clear: Your data is your data. Rackspace will not access, transfer or deliver data stored on servers by Rackspace’s customers in response to any government authorities other than pursuant to a properly issued, lawful request from appropriate law enforcement officials or other order from a competent body from the country in which the servers are physically located.

The fact is that every country has reserved some right to order access to data, and while disclosures to law enforcement agencies do inevitably occur, whether to U.S. authorities or those of other nations, Rackspace has not participated in any data mining or collection of customer data located within its hosted environments for U.S. law enforcement or security agencies, including the NSA. If we were served with such a warrant, we would fight it vigorously in accordance with this position and our agreement with customers like Xero.

Perry Robinson
VP, Legal
