Cloud storage and services

Cloud computing (IT and software-as-a-service) arrangements are a form of outsourcing. They may be for storage or other online services like Office 365, Drop Box and Google Drive.

Arrangements may be agency wide or specific to 1 or 2 people for a particular application or piece of software.

Your agency is legally responsible for records it creates or stores in the cloud. You need to make sure you can meet your legislative obligations when it comes to capturing, managing and disposing of public records.

Find out what you need to consider, the risk to records when using cloud services and how to assess recordkeeping risks.

See QGEA's ICT as-a-service security assurance guideline and the risk assessment guideline for more information.

General recordkeeping considerations

Recordkeeping responsibilities and requirements apply to all public records regardless of where they are stored.

Consider:

• what records are most appropriate to store in the cloud–think about the level of risk (low-risk or low-value records vs high-risk or high-value records)
• access and/or security restrictions that need to apply to the records
• the retention period for the records and if storing them in the cloud affects your ability to keep them for the full period
• whether you can specify what format certain records will be stored in–some cloud providers use file formats specific only to them, making it difficult to access and return those records
• having provisions in place to regularly monitor or check on the cloud service provider–this will help you to ensure that records are being managed and stored correctly, particularly if any responsibilities or legislation have changed
• how to prove that the records stored in the cloud are complete and reliable–if the service provider does not maintain appropriate audit trails, metadata and descriptions of management processes, the evidential value and integrity of your agency's records is damaged
• if you can tailor the service to your needs–if the cloud provider has a 'one size fits all' approach it may be more difficult to ensure you meet your legislative obligations.

Your agreement or contract with the service provider should:

• detail recordkeeping requirements including ownership, access, storage, disposal, the transfer of records and any other responsibilities for the records' management and care (e.g. specific formats)
• be constructed to ensure provisions will apply in future, even if administrative or MOG changes occur
• include definitions of key words (e.g. public record, destruction)
• include provisions to reduce potential/identified risks to records
• include details of each organisation's recordkeeping roles and responsibilities
• specify which provisions apply to which records (e.g. custody, ownership, disposal, access and control, security)
• include provisions allowing you to regularly monitor records stored in the cloud.

Staff using these services should be aware of their recordkeeping responsibilities and ensure that they capture all business records.

Retention and disposal

Records must be kept for the full retention period and legally disposed of.

You will need to think about how records:

• will be stored if they have long retention periods–the cloud is not designed to preserve information for the medium to long term
• will be managed–make sure you can keep track of your records, the associated data and how many copies there are and where
• will be destroyed legally and correctly–you need to be able to destroy all copies of records and the associated data–this may be difficult depending on how well you can keep track of your records
• are deleted and when (including associated information, back-ups, recovery files, metadata, control records, and any 'deleted' data).

Your agreement or contract with the service provider should:

• include provisions for how and when records can be disposed of
• provide authorisation to destroy records (if relevant) and the conditions under which this can occur
• delegate responsibilities to destroy records (if relevant), including which records and when (e.g. control records, metadata, backups).

Legislative considerations

You must ensure complete and reliable records of your business activities are created, kept, managed and lawfully disposed of.

Consider your legal obligations in Queensland and the legal issues and requirements if a service provider is in a different state or country.

Service providers based or registered internationally are subject to the laws of that country, and possibly the laws of other jurisdictions. These laws may apply to the information and records they store or manage on your behalf, even if that information is stored in Australia.

Your agency's legal team may need to:

• ensure the agreement includes provisions covering legislation that may impact on the agreement
• take into account possible differences in similar pieces of legislation (e.g. US Privacy Act vs. Qld Information Privacy Act), legal interpretations and standard contracts.

Custody and ownership

Records created by your agency or records that document your agency's business are public records and are owned by the State of Queensland or relevant Local Government. This includes associated metadata and control records.

Consider:

• potential issues regarding custody and ownership of records–particularly metadata and control records
• who owns what–you own the records but you don't own or control the infrastructure or systems that store the records (ownership of metadata could be unclear).

Your agreement or contract with the service provider should:

• clearly state who has ownership of records and the custody arrangements for the records
• include details of who owns which records–not just the original record, but metadata, control records, and backup copies.

If these factors are in question, talk to your agency's legal team.

Access and use

Access to records should not be reduced or inhibited, and access restrictions need to remain in place.

Consider:

• how you access records–ensure you are not losing interoperability or integration between the information and business systems
• your ability to access the records–is it sufficient to support business needs (including RTI requests, legal discovery)? How long does it take to access the records? Which records do you need to access continuously or regularly?
• IT performance issues that may impact your ability to access your records (e.g. adequate internet access)
• your ability to access your records if the cloud provider goes out of business, is sold, or if their processes, terms and conditions, or legislation changes–protection of information and data may be inadequate or non-existent.

Your agreement or contract with the service provider should specify arrangements for:

• continued access to regularly required records
• accessing records during downtime or maintenance of the service
• accessing records for monitoring or compliance purposes
• details of access restrictions and requirements–this depends on the records' type and security classification
• any other access requirements and restrictions (e.g. preventing external unauthorised access to records).

Security, storage and handling

Records must be stored and handled in a way that ensures their security and preservation.

Make sure the cloud provider has sufficient security and processes to ensure your records remain protected–even from anything else stored on the same server or system. You may need to find out how often they check the security and integrity of stored information and how many of their staff will be able to access your records.

Using cloud storage can increase the risks of unauthorised access because:

• the cloud is a shared environment
• service providers can subcontract operations
• security may not be as strong as if it was in-house
• the cloud relies on having a secure internet connection.

Some of your records may have specific privacy requirements (e.g. personal information). Find out what privacy requirements apply and if the provider can comply.

Your agreement or contract with the service provider should include provisions about the storage and handling of the records, particularly:

• specific storage requirements (e.g. preservation, migration of records, storage media, digital rights management and encryption)
• specific format requirements
• requirements for privacy and release of information
• a requirement for the cloud provider to report incidents that impact your records (e.g. security breaches, migration failures).

Disaster preparedness and business continuity planning

Records need to be protected from disasters. Agencies need processes in place to prevent and recover from incidents such as data corruption, migration failure, and lost records.

Consider:

• the provider's ability to restore services and records in the event of a disaster or other unforeseen circumstances
• how they back up client data and information, including when, where, why, how, and what data is included (e.g. multiple back-ups, back-ups in multiple locations–see back-ups for business continuity planning)
• how quickly they can restore services and data
• whether they can restore specific records or sets of records as opposed to all of them. Does this include metadata and control records?

Your agreement or contract with the service provider should:

• outline responsibilities for the protection and recovery of public records in the event of a disaster or incident
• include provisions for accessing records during or after a disaster or incident.

Completion of agreements

You need to put arrangements in place for returning records at the end of an agreement.

You should:

• ensure that all your records are returned unless lawfully destroyed
• check whether there will be any difficulties returning records and metadata–talk to your IT area (strategies to mitigate these can be included in the planning stages and the agreement)
• consider what data remains with the service provider and how it will be managed and/or deleted
• check what the cost to your agency would be for ending the agreement, either early or at the agreed time.

When records are returned, check:

• all records, including control records and metadata, have been transferred
• the information and records are still usable and accessible
• the records are complete and match the metadata
• digital records have not been corrupted or made unusable as a result of the transfer.

Your agency's IT specialists can help make sure digital records are still usable and have been migrated correctly.

More information

The following tools and advice may be helpful when developing an agreement.

• Using cloud computing services: implications for information and records management, State Archives & Records NSW
• Information about cloud computing, Public Record Office Victoria
• Cloud computing and information management, National Archives of Australia
• Advice on managing the recordkeeping risks associated with cloud computing, Australasian Digital Recordkeeping Initiative (ADRI)
• Information management requirements for software-as-a-service (PDF, 2.5MB), Australasian Digital Recordkeeping Initiative (ADRI) and Council of Australasian Archives and Records Authorities (CAARA)