Cloud Computing Recordkeeping Requirements Checklist

Jurisdiction, ownership and rights over data and information

1. Does the contract/agreement clearly identify your agency as the owner of the data created, transmitted and stored with the cloud service provider?

Any data and information created as part of government business, regardless of  location, are considered State records and under the scope of the State Records Act.

The public office has the obligation to ensure it maintains control of State records.

If yes, please go to the next question.

If no, negotiate with the provider to make ownership explicit in the contract/agreement.

2. Do NSW laws apply to the contract/agreement? Does the contract specify whether the cloud service provider also operates under another country’s jurisdiction such as the USA?

If only NSW laws apply, please go to the next question.

If no, negotiate with the provider to make NSW jurisdiction explicit in the contract/agreement.

In addition, request information on how the cloud service provider manages requests for access, release or disclosure of records, information and data from other jurisdictions. Ensure that mechanisms are in place to safeguard NSW records, data and information.

3. Is any of the data or information held outside the NSW jurisdiction?

Please note that cloud environments generally use multiple servers to store information and that these servers could be located in a computing network outside of Australia.

The public office has the obligation to ensure it maintains control of State records even when data or information is held outside the NSW jurisdiction.

If yes, assess and mitigate risk in relation to:

• potential foreign access to the data or information and its impact to the organisation’s functions and activities
• potential loss of control over its safe keeping (perceived or real) and its impact on the organisation’s business processes.

If no, please go to the next question.

4. Does contract / agreement clearly identify:

1. rights of providers over data and information (i.e. check for clauses that mention providing rights in perpetuity)
2. what data or information the cloud service providers will use
3. cloud service provider’s use of NSW public office’s data
4. extent of use, including subcontractors or third party use
5. intellectual property rights, specifically, where the public office and provider engage in product innovation?

NSW Public offices should assess and mitigate risks in relation to

• potential unauthorised use and misuse of data
• loss of potential rights over use of innovative products and services

If yes, please go to the next question.

If no, request information regarding the rights of the providers over the data and information.

Roles and responsibilities

5. Are the roles and responsibilities of the cloud service providers and subcontractors identified and addressed or documented and transparent in relation to records and information management?

At a minimum, NSW public offices should document the roles and responsibilities of the cloud service providers and subcontracts. This requirement ensures that responsibility for the management of records and information are addressed in the service arrangements. 

If yes, assess whether the information provided is sufficient for your organisation’s governance processes.

If no, depending on the cloud service provider procured, public offices and the cloud service provider should identify who will define, approve, implement, monitor and review:

• access controls and security measures
• audit logs
• systems design and metadata specifications
• technical documentation
  • quality assurance and quality control policies, procedures and processes.

6. Does the contract/agreement identify how your agency is/will be monitoring and managing the performance of the cloud service?   Will tools be made available for your agency to verify and monitor the performance of the cloud service?

NSW public offices should have the ability to monitor how the cloud service is performing against service level metrics such as service availability, incident response time, etc.  examples of monitoring records and tools NSW Public offices should ensure that the extent of performance monitoring applied is determined by the level of risk involved in the services procured and the business function or activity it supports.  Examples of monitoring approaches are:

• Direct monitoring by the procuring agency
• Regular reporting by the cloud service providers
• Independent third party monitoring.

If yes, retain records in official recordkeeping systems.

If no, consider putting in place controls such as:

• contract management system
• registers such as change registers, risk registers, contract registers
• recordkeeping procedures for creating and managing minutes or file notes of meetings or conversations between your agency and cloud service providers
• quality assurance and control procedures
• transition plans at terminations of contract/agreement.

Value, accessibility and retrieval

Service management and disaster recovery

NSW Public offices should ensure that in the event of a software/system migration, incident or disaster, the full restoration of records and information is possible within a reasonable timeframe.

Plans for back-up, business continuity and disaster recovery need to:

• be timely, robust, reliable, comprehensive and regularly reviewed and exercised
• address residual risk of continuity failure (i.e. a failure to be able to conduct business despite execution of the business continuity regime)
• if practicable, provide evidence to support claims of disaster recovery timeframes, processes, etc.

Public offices should also be aware of the risks to your records, data and information when:

• cloud service provider goes out of business
• cloud service provider is sold to another party.

It is recommended that clauses addressing the above scenarios are included in the contract / agreement. One of the mitigation strategies is having an up-to-date copy of the data in escrow, including any source codes or documentation to ensure data accessibility and useability.

If yes, ensure all such measures are specified in contract/agreement - including copies of Disaster Recovery Plan and Business Continuity Plan as an appendix.

If no, identify and assess your agency’s disaster recovery and business continuity requirements. Ensure that the cloud service provider puts in place measures or mechanisms to safeguard records and ensure service availability.

Sensitivity and security

For this set of requirements, we recommend engaging your organisation’s security and privacy teams to assess and verify the security measures in place for the cloud service.  

At a minimum, NSW public offices should ensure that appropriate security measures are in place to protect records and information from theft, unauthorised access, misuse or disposal.

If yes, please go to the next question.

If no, ensure that the cloud service has been accredited by a relevant accreditation authority. Check the Protective Security Policy Framework – 11 Robust ICT systems for more information.

At a minimum, NSW public offices should ensure that appropriate security measures are in place to protect data, records and information from theft, unauthorised access, misuse or disposal.

In addition, public offices should consider following the NSW Government Information Classification Labelling and Handling Guidelines.

If yes, assess whether the technical controls are sufficient.

If no, liaise with technical professionals within your public office or cluster who have an understanding of technical requirements for cyber security. Some of the items for consideration include:

• flow filters, content filters, antivirus software
• Australian Signals Directorate (ASD) approved cryptographic algorithms and protocols to protect data in transit and at rest
• processes, products and devices endorsed by the NSW and Australian Government
• virtualisation and multi-tenanted storage arrangements to ensure security and segregation of data
• notifications regarding any third party seeking to have access to records

Records disposal requirements

NSW Public offices should ensure that cloud service providers are able to:

• enable and confirm secure destruction of records (and any copies) on the system when it has been legally determined as time-expired.
• ensure only authorised persons will be able to initiate permanent deletion of time-expired records.
• prevent unauthorised deletion or destruction of data
• retain the data based on the minimum retention period in the relevant disposal authorities or disposal classes
• identify and implement strategies if it is likely to be an issue if the data is retained for longer than the minimum retention period.

If yes, save evidence of records deleted or disposed in official recordkeeping systems.

If no, ensure that roles and responsibilities for the deletion of records, including any assurance documentation are specified in the contract/agreement.

State Records Act s11  and Standard on records management 3.5, 3.6 and 3.7

NSW public offices should be able to evaluate disposal mechanisms of the cloud service provider.

In particular, consider the following:

• requirements for various retention and disposal scenarios e.g. if the records have a longer retention period than the expected life of the service agreement or if the records will have to be transferred to Museums of History NSW
• implementation of any ad-hoc disposal mechanisms by cloud service provider (e.g. storage quotas that enforce deletion, or administrative functions that purge information at will)
• availability of the necessary disposal functionality (this should include related functionality, such as disposal freezes).
• capability to impose holds on records (e.g. in the event of legal action).

If yes, ensure all such mechanisms are specified in contract/agreement.

If no, identify, assess and put measures in place to ensure disposal of records are carried out as per the retention and disposal authorities.

Termination of cloud services

At a minimum, NSW Public offices should ensure that cloud service providers are able to enable export of data in a format suitable for ingest into recordkeeping systems such as content management systems, EDRMS or the State Archives Management System (SAMS), ideally without any degradation or loss of data. Some of the important issues to consider:

• timing and duration of the return of records, information and data
• return mechanism and its security (over the network, or by physical media)
• testing, flexibility to vary the process and management control of return process, and provision for dealing with issues
• range of information to be returned/supplied and in what format –e.g. documents, databases, metadata and logs – linked together in complex ways
• agreed data exchange standards and documentation of data return format(s)
• availability of knowledgeable agency staff with appropriate skills to migrate and remediate the return process.

If yes, ensure termination provisions are accurately and thoroughly outlined in contract / agreement.

If no, specify, document, communicate and elicit agreement with the cloud service provider re: your agency’s format requirements and how data, records and information will be provided or returned.