The Public Record Office Victoria (PROV), the state record authority for Victoria established under the Public Records Act 1973 (Act), has released its issues paper on the record keeping implications of operating in a cloud computing environment. PROV has called for comments and feedback from agencies subject to the Act, as input to PROV finalising its policy directions on record keeping implications of cloud computing.
The issues paper, in addition to providing a detailed description of various facets of cloud computing, describes in some detail the issues, risks and benefits associated with cloud deployment models, being private cloud, public cloud, community cloud and a hybrid cloud. After considering these cloud deployment models in the context of Victorian government agencies and Victorian Councils, PROV sets out recommendations that it proposes to include in its final policy direction on record keeping implications of cloud computing.
The PROV paper identifies a significant number of issues faced by Victorian public sector agencies and organisations when considering sending data to the cloud. The paper also demonstrates:
- the potential difficulties with, and the extensive analysis that agencies must conduct prior to, entering into a contract for a cloud based software, platform or infrastructure service delivery model
- the importance of seeking legal advice, from practitioners who are familiar with the concerns arising from cloud technology, before transferring data to a cloud provider.
It should be recognised that cloud based technology has the potential to offer public sector agencies and organisations the ability to improve their services by reducing costs and improving efficiency. However, agencies and other bodies with obligations under the Act should be mindful of these obligations as well as the information privacy, control, confidentiality, intellectual property and other commercial implications of cloud based solutions.
Victorian public sector agencies and organisations that may be affected by the cloud computing policies resulting from the issues paper may wish to consider submitting a response to the issues paper. The closing date is 31 May 2012.
The recommendations made by the Public Record Office of Victoria on the record keeping implications of operating in a cloud environment are as follows:
Recommendation 1: Agencies should deploy either the private or community cloud model as these models offer less risk for agencies.
Recommendation 2: Agencies should conduct a thorough risk assessment prior to adopting a cloud computing environment and consider risk mitigation strategies, as some data may be so sensitive that it should never be stored in a cloud. PROV also recommends that agencies familiarise themselves with the Australian Government Protective Security Policy Framework.
Recommendation 3: Agencies should ensure that vendors are able to demonstrate and exhibit due diligence (a thorough investigation or audit of the cloud service provider, prior to signing the contract).
Recommendation 4: Agencies must ensure that outsourced contracts or agreements with cloud service providers meet requirements 21 to 29 of the PROV Strategic Management Specification [PROS 10/10 S1 Strategic Management Specification].
Recommendation 5: PROV is proposing to require all agencies storing data on a cloud server to categorise the sensitivity of the data.
Recommendation 6: Agencies storing personal or sensitive data on a cloud server should use servers located in an Australian jurisdiction. A company that operates the server must be registered in an Australian jurisdiction, although it may be a subsidiary of an overseas company.
Recommendation 7: Where agencies store data on a cloud server located outside an Australian jurisdiction, the agency should ensure that:
- the circumstances have been assessed by a Victorian legal expert on behalf of the agency with a documented recommendation from the legal expert that it is acceptable for the agency to store its data outside an Australian jurisdiction
- the contract with the service provider follows industry best practice regarding records management in accordance with the legislative and regulatory requirements for the Victorian jurisdiction
- data is easily migrated to the agency or another service provider
- the provider will provide compensation for any breaches in privacy and make the necessary changes to its systems to ensure that the breach does not reoccur.
Recommendation 8: Where personal or sensitive data is stored in a public or community cloud, a Protective Security Policy Framework analysis should be performed.
Recommendation 9: Agencies should obtain evidence that the cloud service provider has had its internal controls and IT systems and processes independently audited to ensure a suitable standard of service delivery. This should be undertaken prior to the selection of the service provider, and at regular intervals throughout the provision of the service. Audits should include the inspection and testing of the services provided.
Recommendation 10: Agencies should be able to demonstrate knowledge of what data is being stored in the cloud and the impact of it being unavailable for various periods of time.
Recommendation 11: Agencies should be required to keep a copy (such as a back-up) of the data stored in a cloud in a separate location (that is, somewhere other than with the service provider).
If you consider that these issues may affect your agency or organisation, or if you wish to discuss the potential impact of the issues paper and any resulting policy, please contact Robert Gregory, Andrew Whiteside or any other member of the Information, Communications and Technology Team.