Overview
Any data and information created as part of government business, regardless of location, are considered State records and under the scope of the State Records Act 1998.
The use of cloud-based services does not diminish or remove a NSW public office’s statutory responsibilities under the State Records Act:
- to make and keep full and accurate records of its activities
- ensure the safe custody and proper preservation of these records.
- ensure that arrangements for the safekeeping, proper preservation and due return of these records are made or included in contract/agreements
- maintain accessibility to technology dependent records
- conform with the Standard on records management and AS/ISO 15489.1:2017 Records Management as the code of best practice.
This checklist covers recordkeeping requirements under the State Records Act and Standard on records management. It is recommended that NSW public offices identify any statutory requirements which apply to the records, information or data that will be created and stored in the new cloud service offering. These recordkeeping requirements must be included through procurement, commencement, review, monitoring and termination of cloud services.
When procuring software as a service (SaaS), NSW public offices should also refer to the Checklist for Assessing Business Systems. NSW Public offices should use the checklist to determine whether the SaaS application has recordkeeping functionality and what additional processes or practices may be required to meet recordkeeping requirements.
We recommend NSW public offices:
- read and follow the NSW Government Cloud Policy. This policy provides guidance to NSW Government agencies in their adoption and consumption of cloud services.
- use the checklist below to ensure custody and control of NSW State records and data created and managed from using the cloud service remains with the NSW Government
- read and comply with the General authorityGeneral authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35) for records migrated from on-premise storage to cloud-based storage services.
Requirements Checklist
Please note that the minimum compliance requirements have been modified to apply specifically to cloud-based services. Public offices should check service level agreements, contract or terms and conditions against the compliance requirements set out below.
Acknowledgements and further resources:
- InterPARES Trust, Checklist for cloud service contracts (viewed 03 June 2020)
- National Archives of Australia, Outsourcing digital storage, https://www.naa.gov.au/information-management/store-and-preserve-information/storing-information/outsourcing-digital-storage (viewed 03 June 2020)
- National Archives of Australia, Cloud computing and information management, https://www.naa.gov.au/information-management/store-and-preserve-information/storing-information/cloud-computing-and-information-management (viewed 03 June 2020)
- Public Record Office Victoria, Recordkeeping Implications of Cloud Computing, 2013, www.prov.vic.gov.au/recordkeeping-government/document-library/cloud-computing-policy (viewed 03 June 2020)
- Australian Cyber Security Centre, https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations (viewed 30 July 2020)
- NSW Department of Customer Service, NSW Cyber Security Policy, https://www.digital.nsw.gov.au/policy/cyber-security-policy (viewed 02 October 2020)
- NSW Department of Customer Service, NSW Government Cloud Policy, https://www.digital.nsw.gov.au/sites/default/files/NSW%20Government%20Cloud%20Policy.pdf (viewed 06 October 2020)
Published October 2020, Links updated December 2020