Cloud computing and information management

Cloud computing presents both benefits and risks for your agency. Gains in cost, efficiency, accessibility and flexibility need to be weighed up against risks associated with security, privacy and information management.

Current government policy requires agencies to consider cloud solutions as a priority when rolling out or replacing ICT infrastructure, applications or services. You should do a risk assessment to identify and manage jurisdictional, governance, privacy, technical and security risks before engaging a cloud service provider. Information management issues must be addressed in contracts with cloud service providers.

Legislative context for business information in the cloud

Australian Government information that is created, stored and managed in the cloud is subject to the Archives Act 1983. Under the Act, all data and information your agency creates, uses or receives as part of its business is a Commonwealth record. Your agency is responsible for managing the storage, access, alteration, transfer or destruction of its business information.

Your agency must also comply with the requirements of the Freedom of Information Act 1982 and the Privacy Act 1988. You must take contractual measures to ensure cloud service providers do not breach the Australian Privacy Principles.

Contractual requirements for business information in the cloud

It is essential that contracts with cloud service providers ensure that business information created, stored and managed in the cloud is:

  • authentic, accurate and trusted
  • complete and unaltered
  • secure from unauthorised access and deletion
  • findable and readable
  • related to other relevant business information

You need to ensure that the software application used to manage information in the cloud has adequate and appropriate information management functionality.

More information

The Secure Cloud Strategy outlines a number of ways to help government agencies build understanding of cloud and confidence in using it, and to grow the skills to transform old systems. The strategy is designed to prepare agencies for the shift to cloud and support them through the transition.

Cloud Computing Security describes the information security risks that need to be considered by agencies wishing to adopt cloud computing services. It also includes a list of cloud computing services endorsed by the Australian Signals Directorate (ASD).

Australian Privacy Principles regulate the handling of personal information by most Australian Government agencies.

Advice on managing the recordkeeping risks associated with cloud computing provides a list of practical measures on how government agencies can best utilise cloud computing services.

ASD Certified Cloud Services lists a number of cloud service providers and services endorsed by the Australian Signals Directorate (ASD).

Cloud Services Panel is a list of suppliers endorsed by the Department of Finance.

The ISO 16175 Principles and Functional Requirements for Records in Electronic Office Environments standard provides internationally agreed principles and functional requirements for software used to create and manage digital information in office environments.

The Business Systems Assessment Framework provides a streamlined, risk-based approach to the assessment of information management functionality in business systems.

General Records Authority (GRA) 40 - Transfer of custody of records under Australian Government outsourcing arrangements sets out the requirements for the transfer of custody of Commonwealth records to contractors providing services under outsourcing arrangements, either on behalf of or to the Australian Government.