Risks to consider in using cloud services
To manage risks, businesses should assess the service providers carefully, perform due diligence, establish clear contractual agreements, and regularly monitor the cloud service arrangements to ensure they meet all legal and organisational requirements.
Risks associated with using cloud computing services
Like any business activity, using cloud computing services comes with both risks and opportunities. These risks need to be carefully assessed and managed to reduce or avoid potential problems.
When using public cloud computing, content is often stored in remote data centres owned by the provider. This raises specific risks, especially around ensuring compliance with:
- Legislative requirements: This includes managing information such as personal data according to the law.
- Government requirements: Ensuring information security, disaster recovery, and business continuity are maintained.
- Community expectations: Safeguarding government information and ensuring it is not used for unauthorised purposes.
When cloud services are used for government business, these data stores may contain sensitive government information and records.
This creates risks for both the organisation and the public, as people depend on the proper management of government records to prove their rights and ensure government accountability.
Therefore, any cloud computing service involving the creation, management, access, or storage of government information must meet the requirements of the State Records Act 1998, the Standards issued under the State Records Act and other relevant laws and policies for information management.
Types of risk
There are several business and information risks linked to using cloud computing services.
These risks include:
- Sensitive data being stored or hosted outside the organisation’s own networks and servers.
- Critical data being accessible only through the cloud service provider, which can lead to over-reliance on that provider.
- Because data is stored or managed externally, business continuity and disaster recovery depend on the provider's processes rather than on the organisation's own, even though the organisation remains accountable for the records.
- The organisation may not be able to properly control the information and records stored in the cloud, potentially failing to meet the requirement under section 11(1) of the Act, which demands the "safe custody and proper preservation" of state records.
- A person in another state or country might claim ownership of the records or take control of them.
- The records may be subject to the laws of the jurisdiction in which they are hosted, making them discoverable in that jurisdiction.
- The service provider may lack robust backup and disaster recovery strategies.
- The provider may be unable to preserve records that need to be kept for long retention periods.
- The service provider might destroy or delete records without approval, either unlawfully or inappropriately.
- The provider may be unable to perform or properly document standard records management tasks, such as access control, transfer or disposal.
- The records may not be returned when requested or at the end of the contract.
- When records are returned, they may be in an unusable or inaccessible format for the organisation.
- If the provider, or the business that owns it, ceases trading, the data may not be recoverable.
- Some providers may themselves be risky to work with. For example, they may impose unfavourable contract terms, fail to disclose where or by whom the data is actually hosted, or have undisclosed business connections.
- Some services may also offer inadequate software products for specific business needs or fail to generate necessary transactional information for the organisation.
Managing risks
In order to manage the recordkeeping risks associated with cloud computing, you should:
- use the Cloud computing recordkeeping requirements checklist
- identify and assess the risks involved in using cloud computing service providers to store or process government information including records
- assess the software products offered by the cloud computing service providers for their capacity, appropriateness and adequacy to create, store, manage or process government information including records
- perform ‘due diligence’ when selecting a cloud computing service provider and the service offerings
- establish contractual arrangements to manage known risks
- monitor the arrangements with cloud computing service providers.