Cloud storage and services

Cloud computing (IT and software-as-a-service) arrangements are a form of outsourcing. They may be for storage or other online services like Office 365, Drop Box and Google Drive.

Arrangements may be public authority wide or specific to one or two people for a particular application or piece of software.

Your public authority is legally responsible for digital public records it makes or stores in the cloud. You need to make sure you can meet your legislative obligations when it comes to making, managing, accesing and disposing of digital public records.

Find out what you need to consider, including the risk to digital public records when using cloud services and how to assess recordkeeping risks.

See QGEA's ICT as-a-service security assurance guideline and the risk assessment guideline for more information.

General recordkeeping considerations

Recordkeeping responsibilities and requirements apply to all public records regardless of where they are stored.

Consider:

• what digital public records are most appropriate to store in the cloud–think about the level of risk (low-risk or low-value public records vs high-risk or high-value public records)
• access and/or security restrictions that need to apply to the digital public records
• the minimum retention period for the digital public records and if storing them in the cloud affects your ability to keep them for the full minimum retention period
• whether you can specify what format certain digital public records will be stored in–some cloud providers use file formats specific only to them, making it difficult to access and return those digital public records
• having provisions in place to regularly monitor or check on the cloud service provider–this will help you to ensure that digital public records are being managed and stored correctly, particularly if any responsibilities or legislation have changed
• how to prove that the digital public records stored in the cloud are made in a way that accurately shows actions or decisions and informs or contextualises those actions or decisions – if the service provider does not maintain appropriate audit trails, metadata and descriptions of management processes, the evidential value and integrity of your public authority's digital public records are damaged
• if you can tailor the service to your needs–if the cloud provider has a 'one size fits all' approach it may be more difficult to ensure you meet your legislative obligations.

Your agreement or contract with the service provider should:

• detail recordkeeping requirements including ownership, access, storage, disposal, the transfer of digital public records and any other responsibilities for the public records' management and care (e.g. specific formats)
• be constructed to ensure provisions will apply in future, even if administrative or machinery-of-government changes occur
• include definitions of key words (e.g. public record, permanent value, destruction)
• include provisions to reduce potential/identified risks to digital public records
• include details of each organisation's recordkeeping roles and responsibilities
• specify which provisions apply to which digital public records (e.g. custody, ownership, disposal, access and control, security)
• include provisions allowing you to regularly monitor digital public records stored in the cloud.

Staff using these services should be aware of their recordkeeping responsibilities and ensure that public records are made and kept as required.

Retention and disposal

Digital public records must be kept for the full minimum retention period and legally disposed of.

You will need to think about how digital public records:

• will be stored if they have long retention periods – the cloud is not designed to manage information for the medium to long term
• will be managed – make sure you can keep track of your digital public records, the associated data and how many copies there are and where they are stored
• will be disposed of legally and correctly – you need to be able to dispose all copies of digital public records and the associated data – this may be difficult depending on how well you can keep track of your digital public records
• are deleted and when (including associated information, back-ups, recovery files, metadata, control records, and any 'deleted' data).

Your agreement or contract with the service provider should:

• include provisions for how and when digital public records can be disposed of
• provide authorisation to dispose digital public records (if relevant) and the conditions under which this can occur
• delegate responsibilities to dispose digital public records (if relevant), including which digital public records and when (e.g. control records, metadata, backups).

Legislative considerations

You must ensure complete and reliable digital public records of your work-related activities are made, managed, accessible and lawfully disposed.

Consider your legal obligations in Queensland and the legal issues and requirements if a service provider is in a different state or country.

Service providers based or registered internationally are subject to the laws of that country, and possibly the laws of other jurisdictions. These laws may apply to the information and digital public records they store or manage on your behalf, even if that information is stored in Australia.

Your public authority's may need to seek legal advice to:

• ensure the contract includes provisions covering legislation that may impact on the agreement with your service provider
• take into account possible differences in similar pieces of legislation (e.g. US Privacy Act vs. Qld Information Privacy Act), legal interpretations and standard contracts.

Custody and ownership

Digital public records made by your public authority or digital records that document your public authority's business are public records. Ownership of public records of a local government vests in the local government. In other cases, the responsible public authority with custody of the public has ownership of the public record. Otherwise, ownership is vested in the State of Queensland. This includes associated metadata and control records.

Consider:

• potential issues regarding custody and ownership of digital public records – particularly metadata and control records
• who owns what – you own the digital public records but you don't own or control the infrastructure or systems that store the digital public records (ownership of metadata could be unclear).

Your agreement or contract with the service provider should:

• clearly state who has ownership of digital public records and the custody arrangements for the digital public records
• include details of who owns which digital public records – not just the original public record, but metadata, control records, and backup copies.

If these factors are in question, your public authority should seek legal advice.

Access and use

Access to digital public records should not be reduced or inhibited, and access restrictions need to remain in place.

Consider:

• how you access digital public records – ensure you are not losing interoperability or integration between the information and business systems
• your ability to access the digital public records – is it sufficient to support business needs (including RTI requests, legal discovery)? How long does it take to access the digital public records? Which records do you need to access continuously or regularly?
• IT performance issues that may impact your ability to access your digital public records (e.g. adequate internet access)
• your ability to access your digital public records if the cloud provider goes out of business, is sold, or if their processes, terms and conditions, or legislation changes–protection of information and data may be inadequate or non-existent.

Your agreement or contract with the service provider should specify arrangements for:

• continued access to regularly required digital public records
• accessing digital public records during downtime or maintenance of the service
• accessing digital public records for monitoring or compliance purposes
• details of access restrictions and requirements–this depends on the digital public records' type and security classification
• any other access requirements and restrictions (e.g. preventing external unauthorised access to digital public records).

Security, storage and handling

Digital public records must be stored and handled in a way that ensures their security and preservation.

Make sure the cloud provider has sufficient security and processes to ensure your digital public records remain protected – even from anything else stored on the same server or system. You may need to find out how often they check the security and integrity of stored information and how many of their staff will be able to access your digital public records.

Using cloud storage can increase the risks of unauthorised access because:

• the cloud is a shared environment
• service providers can subcontract operations
• security may not be as strong as if it was in-house
• the cloud relies on having a secure internet connection.

Some of your digital public records may have specific privacy requirements (e.g. personal information). Find out what privacy requirements apply and if the provider can comply. Office of the Information Commissioner Queensland  website details  how the Information Privacy Act 2009 applies.

Your agreement or contract with the service provider should include provisions about the storage and handling of the digital public records, particularly:

• specific storage requirements (e.g. preservation, migration of digital public records, storage media, digital rights management and encryption)
• specific format requirements
• requirements for privacy and release of information
• a requirement for the cloud provider to report incidents that impact your digital public records (e.g. security breaches, migration failures).

Disaster preparedness and business continuity planning

Public authorities need keep digital public records safe during disasters. Public authorities need processes in place to prevent and recover from incidents such as data corruption, migration failure, and lost digital public records.

Consider:

• the provider's ability to restore services and digital public records in the event of a disaster or other unforeseen circumstances
• how they back up client data and information, including when, where, why, how, and what data is included (e.g. multiple back-ups, back-ups in multiple locations – see back-ups for business continuity planning)
• how quickly they can restore services and data
• whether they can restore specific digital public records or sets of public records as opposed to all of them. Does this include metadata and control records?

Your agreement or contract with the service provider should:

• outline responsibilities for the protection and recovery of digital public records in the event of a disaster or incident
• include provisions for accessing digital public records during or after a disaster or incident.

Completion of agreements

You need to put arrangements in place for returning digital public records at the end of an agreement.

You should:

• ensure that all your digital public records are returned unless lawfully disposed
• check whether there will be any difficulties returning digital public records and metadata–talk to your IT area (strategies to mitigate these can be included in the planning stages and the agreement)
• consider what data remains with the service provider and how it will be managed and/or deleted
• check what the cost to your public authority would be for ending the agreement, either early or at the agreed time.

When digital public records are returned, check:

• all digital public records, including control records and metadata, have been transferred
• the information and digital public records are still usable and accessible
• the digital public records are complete and match the metadata
• digital public records have not been corrupted or made unusable as a result of the transfer.

Your public authority's IT specialists can help make sure digital public records are still usable and have been migrated correctly. Ensure the service provider does not alter or dispose of public records until this is complete.

More information

The following tools and advice may be helpful when developing an agreement.

• Using cloud computing services: implications for information and records management, State Archives & Records NSW
• Information about cloud computing, Public Record Office Victoria
• Cloud computing and information management, National Archives of Australia
• Advice on managing the recordkeeping risks associated with cloud computing, Australasian Digital Recordkeeping Initiative (ADRI)
• Information management requirements for software-as-a-service (PDF, 2.5MB), Australasian Digital Recordkeeping Initiative (ADRI) and Council of Australasian Archives and Records Authorities (CAARA)