Public offices using cloud services

By addressing the following considerations and risks, public offices can make informed decisions about using cloud services while ensuring compliance with legal and recordkeeping requirements. Proper due diligence and ongoing monitoring of cloud service arrangements are critical to managing these risks effectively.

Creating or storing State records outside of NSW

In many cases records can be managed and stored via cloud services based outside of NSW.

State Records NSW has issued the General Authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the state (GA35).

This authority allows records to be transferred outside of NSW for storage or maintenance by providers, but only if certain conditions are met.

These conditions include conducting a proper risk assessment and ensuring the records are managed according to the requirements of the State Records Act 1998. All other relevant laws regarding information management must also be followed before entering into any agreements.

Specifically, public offices must:

• Assess and address the risks involved in transferring records out of the state for storage or maintenance by service providers based outside of NSW.
• Ensure that the service provider’s facilities, systems, and services (including software and storage systems) meet the required standards set by State Records NSW.
• Put in place appropriate contractual arrangements to ensure the security, safekeeping, and ongoing accessibility of records.
• Ensure that the contracts address the exportability and return of records and information when required.
• Ensure the ownership of the records remains with the public office.
• Implement controls to manage the lawful and approved deletion or disposal of records and information.
• Regularly monitor the arrangements to ensure the service provider complies with all relevant requirements.

Deciding whether to manage State records in-house

The level of risk an organisation sees in using cloud computing depends on what the records are and how sensitive or important they are. In some cases, the records may be too important or private to trust with a public cloud service provider.

Cloud services and your information management framework

All internal systems, external services, and cloud-based services that create, manage and store an organisation’s information and records should be governed by proper information management rules.

This means that all processes and systems for creating, receiving, storing, protecting, managing, accessing, preserving (to ensure continued access) and disposing of information must be part of a well-organised and consistent strategy for managing records across the whole organisation.

Contractual issues to consider

The content of the contract in these types of service arrangements is very important.

An agency entering into a service arrangement for using cloud computing services for key business activities or storage of critical business information should normally seek a legal opinion.

Contracts should address a range of issues, including (but not limited to):

• data location
• data ownership
• standards used
• privacy requirements
• non-disclosure requirements
• defining roles and responsibilities
• access
• security
• incident reporting
• enforcement mechanisms
• business continuity and disaster recovery
• data restoration
• monitoring arrangements
• return of data
• exportability of data (the transfer of data to another system or provider)
• destruction of data from providers’ systems.

What to ask before you enter into arrangements

• Business and recordkeeping requirements: How will the service or product meet your organisation’s specific business and recordkeeping requirements?
• Data export format: What format will the information be exported in, and what metadata will be included in the export?
• Charges for data removal: Will there be any additional charges if the organisation needs to remove information from the cloud or terminate the service?
• Jurisdictional commitments: Will the provider commit to storing and processing your information in specific jurisdictions that align with your organisation’s requirements, particularly those with legal frameworks that match Australia’s standards?
• Privacy compliance: Will the provider commit to meeting privacy requirements, both locally and in the jurisdiction(s) where the information is stored?
• Data retention after contract termination: Can the provider assure you that no copies of the records or information will be retained after the contract ends?
• Record destruction assurance: Can you regularly specify records to be destroyed, and will the provider offer assurance (e.g. certificates) of destruction?
• External security audits: Is the service provider regularly subjected to external security audits or certification processes?
• Administrator access: How many of their staff have administrator-level access to your records, and what controls are in place to regulate their access?
• Use of records for other applications: Can the provider assure you that your records won’t be used for purposes other than those specified in the contract (for example, for data matching with databases of other clients)?
• Third-party access: Will you be consulted if a third party seeks access to your records?
• Third-party access management: How would third-party access to your records be managed, especially if required by a government organisation in the jurisdiction where the records are stored?
• Data backup and restoration: Does the provider have measures in place, such as geographically separated backup sites, to ensure they can restore your records if needed? How long would this process take?
• Restoring specific records: In the event of data corruption, how will the provider locate and restore specific records, and what timeframes do they guarantee?
• Preserving record structure and metadata: When restoring records, will the provider ensure the structure of the records and associated metadata are preserved?
• Subcontracting: Does the provider subcontract any part of their service to third parties, and if so, what contractual agreements govern those arrangements?
• Compliance standards: Are there any recognised standards the provider is certified as meeting?
• Service disruptions: Will the provider guarantee acceptable service levels in the event of disruptions, and what compensation or actions will they take if disruption occurs?