Our Cloud Information Governance Policy

Information Governance

Version 1.0

18 September 2018

1. Purpose

The Cloud Information Governance Policy sets out the information governance arrangements for the National Archives of Australia’s information assets created, stored, or managed through the use of cloud computing (cloud). Information assets of the Archives include those created and received to support its business activities and the collection of the archival resources of the Commonwealth in the care of the Archives. The policy covers the ownership and control, privacy, security, and roles and responsibilities for and related to this information.

2. Scope

3. Policy Statement

As identified in the Archives' Information Governance Framework, the Archives is committed to effective information management practices in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations.

Information held in the cloud has the same information governance and cyber security requirements as information held on premise.

However, using cloud services requires making different assessments and meeting additional criteria in order to achieve this outcome. This policy identifies these different assessments and additional criteria that will be included in any decision to use cloud services.

4. Assessments

Assessing cloud options for the Archives' information assets aims to:

  • ensure adherence to maintaining the official record of the nation, as per the Archives' Corporate Plan 2018-19 to 2021-22;
  • ensure that the Archives meets the requirements of the Australian Government's Secure Cloud Strategy;
  • affirm the Archives' commitment to effective information governance for all information assets in order to meet legal obligations, accountability requirements, business needs and stakeholders' expectations;
  • comply with the necessary Information Security Manual (ISM) controls for the protection, management and monitoring of all information stored externally to the Archives' infrastructure;
  • ensure staff are aware of the definition and scope of cloud computing and cloud services, and how storing information in the cloud has specific information governance considerations;
  • position the Archives as a forward looking, innovative and exemplar Australian Government agency employing better practice approaches for managing information;
  • increase the Archives' maturity in using cloud services, with improved understanding and implementation, in line with Australian Government priorities;
  • ensure all staff understand when they are using cloud services and their information management responsibilities; and
  • provide assurance that appropriate risk management has been applied to cloud-based solutions.

The Archives uses cloud services in a considered and secure way to:

  • agilely adopt modern technologies;
  • support communication of Archives' business;
  • leverage current capabilities;
  • offer flexibility; and
  • innovate in more strategic ways.

These services can support and enhance the opportunities available to the Archives in realising whole-of-government efficiencies and achieving business goals.

The Archives will implement cloud services in accordance with whole-of-government policy and advice. Each use case will be assessed for suitability using the criteria listed below.

5. Archives' Cloud Information Governance Requirements

To ensure adequate information governance for cloud-hosted information assets, the following key requirements should be satisfied:

6. Implementation

All staff are responsible for following the Archives' Cloud Information Governance Policy.

The policy will be delivered by the Information Governance section through engagement across the Archives. Business areas will be responsible for working with Information Governance and Business Engagement sections, as well as the IT Security Advisor and Privacy Officer, to assess and evaluate cloud service providers against the requirements.

Business areas should receive and analyse regular reports on business performance and integrity checks. Changes to terms of service must be reviewed to ensure information governance requirements continue to be met. Any subcontractors used by a cloud service provider must meet the same information governance requirements.

Before acquiring and implementing any cloud services business areas of the Archives must ensure that all necessary assessments are completed by Information Governance, IT Security Advisor, and the Privacy Officer. If this is not done, the system owner will be directly responsible for any risks associated with the cloud service.

Cloud services will be registered in the Information Systems Architecture Register and will be monitored by the Information Governance section to ensure compliance with this Policy.

An Infonet page will be created with simple guidelines and advice on using cloud services at the Archives. The advice will define cloud services and outline the Archives decided approach to these services.

7. Roles and Responsibilities

The Director-General of the National Archives of Australia (also Chair of Archives' Information Governance Committee) is responsible for:

  • the standard of information management within the Archives;
  • the efficient, effective and ethical use of information resources within the Archives;
  • authorising the Cloud Information Governance Policy; and
  • promoting compliance with the Archives' information management policies and procedures.

The Information Governance Committee (which comprises members of the Executive Board) is responsible for:

  • providing sufficient support and resources for ensuring the successful implementation of the policy and guidance.

The Chief Information Officer shall:

  • represent the Archives in its implementation of whole-of-government initiatives, such as promoting and assessing the suitability of cloud services, and reporting; and
  • be responsible for the Archives' use of cloud services securely and responsibly.

The Chief Information Governance Officer shall:

  • support the Chief Information Officer in representing the Archives for whole-of-government initiatives and reporting;
  • ensure the necessary information governance processes, mechanisms and documentation exist for the Archives to successfully use cloud services;
  • once notified of any incidences involving cloud services, report to the Chief Information Officer and liaise with Security Advisory Unit, ICT teams and Privacy Officer to discuss remediation and mitigation strategies.

Assistant Directors, Information Governance (operating under the supervision of the Chief Information Governance Officer) shall:

  • assess the risks associated with creating, managing and hosting information in the cloud in consultation with the identified areas;
  • provide input and advice on the appropriate use of cloud services;
  • monitor the use of cloud services across the Archives on the Information Systems Architecture Register; and
  • develop information management plans and supporting documentation, such as information architecture, for the transparent and accountable management of the Archives' information assets stored in the cloud.

IT Security Advisor (ITSA) shall:

  • conduct security assessments according to the ASD and ACSC requirements;
  • promote and support secure use of cloud services to Archives' business areas; and 
  • ensure that technologies are developed and implemented efficiently and that they support cloud information governance as outlined in this document.

ICT teams, including system administrators, shall:

  • conduct change management and implementation of any infrastructure changes required to enable the use of cloud services (e.g. firewall exceptions);
  • provide Information Technology support; and
  • promote accessibility, usability and interoperability of the use of cloud services.

Business areas shall:

  • undertake risk assessments and initiate documentation of information governance and management needs with the responsible area (Information Governance Section) before the procurement of cloud services;
  • immediately report suspected or confirmed security incidences involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
  • develop incident response plans for any procured cloud services;
  • monitor cloud performance and service levels; and
  • update the relevant business continuity plans.

Archives staff and contractors shall:

  • understand the definition and scope of cloud computing and cloud services, such as web-hosted services;
  • immediately report suspected or confirmed security incidences involving cloud services to the ITSA, Security Advisory Unit, and Information Governance;
  • be familiar with the Archives' Cloud Information Governance Policy; and seek guidance from the Information Governance Section if there is any uncertainty over the use of the Policy.

8. Communication and Guidance

Communication on the Cloud Information Governance Policy will occur via email correspondence to all Archives employees and notification on the Infonet.

Further guidance can be obtained from the Information Governance Section via the Service Desk Portal.

9. Monitoring and Review

This Policy will be regularly monitored for emerging information governance risks and reviewed every two years from the date of approval, unless required earlier.

10. Authorisation

Approved by:

David Fricker
Director-General
National Archives of Australia

18 September 2018

Appendix 1 – Related Documents

Relevant legislation

  • Archives Act 1983
  • Privacy Act 1988
  • Australian Privacy Principles
  • Freedom of Information Act 1982
  • Electronic Transactions Act 1999
  • Cybercrime Legislation Amendment Act 2012
  • Crimes Act 1914
  • Evidence Act 1995
  • Copyright Act 1968
  • Public Governance Performance and Accountability Act 2013

Relevant Australian Government policies

Relevant Australian Government guidelines

Appendix 2 – Service Provider Obligations Checklist

In undertaking contracts or agreements with cloud service providers, the business owner should be familiar with Negotiating the Cloud – Legal Issues in Cloud Computing Agreements. Cloud services may also be implemented by agreeing to terms and conditions as part of signing up for web-hosted services.

Archives' business owners must document the following information governance requirements in any terms and conditions, agreements, and/or contracts that are approved as part of using cloud services.

Ownership

The Archives must retain ownership over its information hosted in the cloud. This ownership includes copyright and proprietary interests. The Archives' information cannot be used for any other purposes or disposed of without the Archives permission.

Location

The location of the information must be specifically identified in an agreement.

Availability

Information must be available as and when it is needed to support business.

Right to Access

Specify who has the right to access information and when, such as external appointed commercial auditors.

Access

Information must be accessible for the duration of the contract, and accessible to authorised persons as needed or requested.

Metadata

Metadata requirements for the management of the Archives business information as part of the contract– this includes the Minimum Metadata Set and any additional metadata that may be required.

Retention

All Archives' information must be maintained by the service provider unless otherwise notified by the Archives or outlined in the contractual obligations. The Archives will ensure retention of information is in line with the relevant records authorities.

Disposal

Appropriate destruction is specified at the end of a service agreement, including all back-ups and copies. Certification must be provided by the service provider.

Formats

Specify the format the information and associated metadata is returned to the Archives, formats used in storage, and processes to be followed when information is migrated. Preferably the provider should use open formats to support readability over time.

Migration

Must comply with the Archives' standards and clauses addressing future migration. This must be part of service agreements to prevent obsolesce and issues with migration at the cessation of a contract.

Incidences

Specify the process for loss of control (cloud service provider business operations change), security incidents and disaster recovery processes.

Notification

The Archives must be notified of any security incidents or issues by the service provider, including denial of service attacks or unauthorised access.

Backups

Regular backups to be undertaken by the provider to maintain access to information.

Audit Logs

Service providers must be able to provide for and maintain system audit logs to provide confirmation that required information protection requirements are being met.

Auditing

Each contract should specify a right by the Archives to audit a provider's compliance with the agreement, and audit the provider's IT services. Consideration for audit purposes should be given to restricting the locations where data may be held; any other audit rights for the Archives, the Auditor-General and the Information Commissioner; a right for the Archives to appoint a commercial auditor and where technically available the right to remotely monitor access to data.

Reporting

Must provide reports on business performance, integrity checks and faults.

Changes

Review any changes to terms of service for providers to ensure information governance requirements are met.

Subcontractors

Be aware of the use of third party contractors. Cloud service providers may work with subcontractors; specify the responsibilities of a sub-contractor, including the need to meet the same information governance requirements as the primary holder.

Return

Information must be returned to the Archives when requested.

Failure to meet the requirements of, or breaches to, the Cloud Information Governance Policy will require the business owner to notify the Chief Information Governance Officer when the failure occurs.

All confirmed or suspected security incidents must be reported to the Security Advisory Unit. All cloud services will have an incident response plan in place, and may also have a security risk management plan.