Cloud computing poses both benefits and risks for your agency. Gains in cost, efficiency, accessibility and flexibility need to be weighed up against risks associated with security, privacy and information management.
Current government policy requires agencies to consider cloud solutions as a priority when rolling out or replacing ICT infrastructure, applications or services. You should do a risk assessment to identify and manage jurisdictional, governance, privacy, technical and security risks before engaging a cloud service provider. Information management issues must be addressed in contracts with cloud service providers.
Legislative context for business information in the cloud
Australian Government information that is created, stored and managed in the cloud is subject to the Archives Act 1983. Under the Act, all data and information your agency creates, uses or receives as part of its business is a Commonwealth record. Your agency is responsible for managing the storage, access, alteration, transfer or destruction of its business information.
Your agency must also comply with the requirements of the Freedom of Information Act 1982 and the Privacy Act 1988. You must take contractual measures to ensure cloud service providers do not breach the Australian Privacy Principles.