Shopping cart

Your shopping cart is empty.
  1. Government Recordkeeping
  2. Cloud Computing Recordkeeping Requirements Checklist
Cloud Computing Recordkeeping Requirements Checklist

TOC

Overview

Any data and information created as part of government business, regardless of location, are considered State records and under the scope of the State Records Act 1998.
The use of cloud-based services does not diminish or remove a NSW public office’s statutory responsibilities under the State Records Act 1998:

  • to make and keep full and accurate records of its activities
  • ensure the safe custody and proper preservation of these records.
  • ensure that arrangements for the safekeeping, proper preservation and due return of these records are made or included in contract/agreements
  • maintain accessibility to technology dependent records
  • conform with the Standard on records management and AS/ISO 15489.1:2017 Records Management as the code of best practice.  

This checklist covers recordkeeping requirements under the State Records Act and Standard on records management. It is recommended that NSW public offices identify any statutory requirements which apply to the records, information or data that will be created and stored in the new cloud service offering.  These recordkeeping requirements must be included through procurement, commencement, review, monitoring and termination of cloud services.

When procuring software as a service (SaaS), NSW public offices should also refer to the Checklist for Assessing Business Systems. NSW Public offices should use the checklist to determine whether the SaaS application has recordkeeping functionality and what additional processes or practices may be required to meet recordkeeping requirements.

We recommend NSW public offices:

  • read and follow the NSW Government Cloud Policy. This policy provides guidance to NSW Government agencies in their  adoption and consumption of cloud services. 
  • use the checklist below to ensure custody and control of NSW State records and data created and managed from using the cloud service remains with the NSW Government.  

Requirements Checklist

Please note that the minimum compliance requirements have been modified to apply specifically to cloud-based services. Public offices should check service level agreements, contract or terms and conditions against the compliance requirements set out below.

 

Jurisdiction, ownership and rights over data and information

Jurisdiction, ownership and rights over data and information
Requirement Source of compliance requirements Explanation Action

1. Does the contract/agreement clearly identify your agency as the owner of the data created, transmitted and stored with the cloud service provider?

 State Records Act s11

Any data and information created as part of government business, regardless of  location, are considered State records and under the scope of the State Records Act.

The public office has the obligation to ensure it maintains control of State records.

If yes, please go to the next question.

If no, negotiate with the provider to make ownership explicit in the contract/agreement.

2. Do NSW laws apply to the contract/agreement? Does the contract specify whether the cloud service provider also operates under another country’s jurisdiction such as the USA?

 State Records Act s11 and Standard on records management 3.5 At a minimum, NSW laws should apply to the agreement. This ensures that any disputes about the agreements will be heard in NSW courts.
NSW public offices should take note of the Cloud Act which enables American authorities to subpoena any information or data from any of the cloud service providers that operate under their jurisdiction regardless of the location of the computing facility. This poses a serious risk to the protection of personal information and to information with commercial/economic value (including intellectual property), stored by any cloud service provider that operates in the USA

If only NSW laws apply, please go to the next question.

If no, negotiate with the provider to make NSW jurisdiction explicit in the contract/agreement.

In addition, request information on how the cloud service provider manages requests for access, release or disclosure of records, information and data from other jurisdictions. Ensure that mechanisms are in place to safeguard NSW records, data and information.

3. Is any of the data or information held outside the NSW jurisdiction?

Please note that cloud environments generally use multiple servers to store information and that these servers could be located in a computing network outside of Australia.

 State Records Act s11

The public office has the obligation to ensure it maintains control of State records even when data or information is held outside the NSW jurisdiction.

If yes, assess and mitigate risk in relation to:

  • potential foreign access to the data or information and its impact to the organisation’s functions and activities
  • potential loss of control over its safe keeping (perceived or real) and its impact on the organisation’s business processes.

If no, please go to the next question.

4. Does contract / agreement clearly identify:

  1. rights of providers over data and information (i.e. check for clauses that mention providing rights in perpetuity)
  2. what data or information the cloud service providers will use
  3. cloud service provider’s use of NSW public office’s data
  4. extent of use, including subcontractors or third party use
  5. intellectual property rights, specifically, where the public office and provider engage in product innovation?
 State Records Act s11 and Standard on records management 1.7

NSW Public offices should assess and mitigate risks in relation to

  • potential unauthorised use and misuse of data
  • loss of potential rights over use of innovative products and services

If yes, please go to the next question.

If no, request information regarding the rights of the providers over the data and information.
Roles and responsibilities

Roles and responsibilities
Requirement Source of compliance requirements Explanation Action

5. Are the roles and responsibilities of the cloud service providers and subcontractors identified and addressed or documented and transparent in relation to records and information management?

 State Records Act s11  and Standard on records management 1.7

At a minimum, NSW public offices should document the roles and responsibilities of the cloud service providers and subcontracts. This requirement ensures that responsibility for the management of records and information are addressed in the service arrangements. 

If yes, assess whether the information provided is sufficient for your organisation’s governance processes.

If no, depending on the cloud service provider procured, public offices and the cloud service provider should identify who will define, approve, implement, monitor and review:

  • access controls and security measures
  • audit logs
  • systems design and metadata specifications
  • technical documentation
    • quality assurance and quality control policies, procedures and processes.

6. Does the contract/agreement identify how your agency is/will be monitoring and managing the performance of the cloud service?   Will tools be made available for your agency to verify and monitor the performance of the cloud service?

 State Records Act s11  and Standard on records management 1.7, 1.8, 2.3, 2.4, 2.5, 2.6, 3.2 and 3.4

NSW public offices should have the ability to monitor how the cloud service is performing against service level metrics such as service availability, incident response time, etc.  examples of monitoring records and tools NSW Public offices should ensure that the extent of performance monitoring applied is determined by the level of risk involved in the services procured and the business function or activity it supports.  Examples of monitoring approaches are:

  • Direct monitoring by the procuring agency
  • Regular reporting by the cloud service providers
  • Independent third party monitoring.

If yes, retain records in official recordkeeping systems.

If no, consider putting in place controls such as:

  • contract management system
  • registers such as change registers, risk registers, contract registers
  • recordkeeping procedures for creating and managing minutes or file notes of meetings or conversations between your agency and cloud service providers
  • quality assurance and control procedures
  • transition plans at terminations of contract/agreement.
Value, accessibility and retrieval

Value, accessibility and retrieval
Requirement Source of compliance requirements Explanation Action

7. Are the records, information or data stored in the cloud of high value? Is the cloud service provider supporting your organisation’s core and/or critical functions or areas which are of high risk?

 State Records Act s11  and Standard on records management 2.2, 2.3, 2.4, 2.5, 3.3, 3.4, 3.5, 3.6 and 3.7

NSW public offices should ensure:

  • cloud services supporting high value, core functions and high risk business are trustworthy, reliable, usable, interoperable and secure
  • cloud service provider has sufficient ability to control access to the information based on business requirements.

For more information, see “Identifying and managing high value and high risk records and information” and “Identifying information risks that might be impacting on high risk business.

If yes, ensure visibility by including them in your agency’s information asset register and by identifying them as specified in the NSW Cyber Security Policy.

If no, identify, assess and manage potential risks to:

  • records, information and data
  • cloud service availability 
  • information security and access
    • unauthorised access and release of records, information aqnd data.
8. Does your agency have an agreement with the cloud service provider on the format of records, data and information, including reports furnished to you? State Records Act s11  and Standard on records management 2.1, 2.5 and 2.6

NSW Public offices should specify the format of the records and associated metadata that will be provided for the duration of the contract.

It is recommended that test migration or test data extraction be carried out upfront to ensure the format and quality are according to the agreed service levels. 

If yes, capture or save reports into your agency’s recordkeeping system or official business system.  

If no, specify and communicate with the cloud service provider your agency’s reporting requirements. Consider using sustainable formats to ensure accessibility of those reports.
Service management and disaster recovery

Service management and disaster recovery
Requirement Source of compliance requirements Explanation Action

9. Are tools available to your agency to verify and monitor the operation of the cloud service provider?

 State Records Act s11  and Standard on records management 1.7, 1.8, 2.3, 2.4, 2.5, 2.6, 3.2 and 3.4

NSW Public offices should ensure that they are able to verify and monitor service level agreements.     

If yes, use the tools provided to monitor the performance of the cloud service.

If no, check your contract and/or service level agreement whether the following is included:

  • monitoring tools for integrity checking, compliance checking, security monitoring and network management
  • maintenance and provision of system audit logs that provide confirmation that required compliance requirements such as information protection requirements are being met
  • notifications to your agency of any incidents with approved timeframes and impact assessments.
10. Does the cloud service provider offer appropriate offsite back-up, disaster recovery capabilities and do they have a business continuity plan in place in order to safeguard your agency’s records? State Records Act s11 and Standard on records management 1.7, 1.8, 2.3, 2.4, 2.5, 2.6, 3.2 and 3.4

NSW Public offices should ensure that in the event of a software/system migration, incident or disaster, the full restoration of records and information is possible within a reasonable timeframe.

Plans for back-up, business continuity and disaster recovery need to:

  • be timely, robust, reliable, comprehensive and regularly reviewed and exercised
  • address residual risk of continuity failure (i.e. a failure to be able to conduct business despite execution of the business continuity regime)
  • if practicable, provide evidence to support claims of disaster recovery timeframes, processes, etc.

Public offices should also be aware of the risks to your records, data and information when:

  • cloud service provider goes out of business
  • cloud service provider is sold to another party.

It is recommended that clauses addressing the above scenarios are included in the contract / agreement. One of the mitigation strategies is having an up-to-date copy of the data in escrow, including any source codes or documentation to ensure data accessibility and useability.

If yes, ensure all such measures are specified in contract/agreement - including copies of Disaster Recovery Plan and Business Continuity Plan as an appendix.

If no, identify and assess your agency’s disaster recovery and business continuity requirements. Ensure that the cloud service provider puts in place measures or mechanisms to safeguard records and ensure service availability.
Sensitivity and security

Sensitivity and security

For this set of requirements, we recommend engaging your organisation’s security and privacy teams to assess and verify the security measures in place for the cloud service.  
Requirement Source of compliance requirements Explanation Action
11. Does the contract/agreement identify and specify that the cloud service provider has sufficient and appropriate security measures in place for handling sensitive and personal information, and possibly security classified information? State Records Act s11  and Standard on records management 2.2, 2.5, 3.3, 3.4, 3.5, 3.6 and 3.7

At a minimum, NSW public offices should ensure that appropriate security measures are in place to protect records and information from theft, unauthorised access, misuse or disposal.

If yes, please go to the next question.

If no, ensure that the cloud service has been accredited by a relevant accreditation authority. Check the Protective Security Policy Framework – 11 Robust ICT systems for more information.
12. Have you identified what technical controls are in place over your agency’s records and related information  while being held by the cloud service provider and while it is in transit to or from the their systems? State Records Act s11  and Standard on records management 2.2, 2.5, 3.3, 3.4, 3.5, 3.6 and 3.7

At a minimum, NSW public offices should ensure that appropriate security measures are in place to protect data, records and information from theft, unauthorised access, misuse or disposal.

 

In addition, public offices should consider following the NSW Government Information Classification Labelling and Handling Guidelines.

If yes, assess whether the technical controls are sufficient.

If no, liaise with technical professionals within your public office or cluster who have an understanding of technical requirements for cyber security. Some of the items for consideration include:

  • flow filters, content filters, antivirus software
  • Australian Signals Directorate (ASD) approved cryptographic algorithms and protocols to protect data in transit and at rest
  • processes, products and devices endorsed by the NSW and Australian Government
  • virtualisation and multi-tenanted storage arrangements to ensure security and segregation of data
  • notifications regarding any third party seeking to have access to records
Records disposal requirements

Records disposal requirements
Requirement Source of compliance requirements Explanation Action
11. Is the cloud service provider able to delete information and records upon your instruction, and provide assurance or evidence that they have done so? State Records Act s11  and Standard on records management 3.5, 3.6 and 3.7

NSW Public offices should ensure that cloud service providers are able to:

  • enable and confirm secure destruction of records (and any copies) on the system when it has been legally determined as time-expired.
  • ensure only authorised persons will be able to initiate permanent deletion of time-expired records.
  • prevent unauthorised deletion or destruction of data
  • retain the data based on the minimum retention period in the relevant disposal authorities or disposal classes
  • identify and implement strategies if it is likely to be an issue if the data is retained for longer than the minimum retention period.

If yes, save evidence of records deleted or disposed in official recordkeeping systems.

 

If no, ensure that roles and responsibilities for the deletion of records, including any assurance documentation are specified in the contract/agreement.
14. Can your agency evaluate disposal mechanisms or processes applied by the cloud service provider?

State Records Act s11  and Standard on records management 3.5, 3.6 and 3.7

NSW public offices should be able to evaluate disposal mechanisms of the cloud service provider.

In particular, consider the following:

  • requirements for various retention and disposal scenarios e.g. if the records have a longer retention period than the expected life of the service agreement or if the records will have to be transferred to NSW State Archives and Records etc.)
  • implementation of any ad-hoc disposal mechanisms by cloud service provider (e.g. storage quotas that enforce deletion, or administrative functions that purge information at will)
  • availability of the necessary disposal functionality (this should include related functionality, such as disposal freezes).
  • capability to impose holds on records (e.g. in the event of legal action).

If yes, ensure all such mechanisms are specified in contract/agreement.

If no, identify, assess and put measures in place to ensure disposal of records are carried out as per the retention and disposal authorities.
Termination of cloud services

Termination of cloud services
Requirement Source of compliance requirements Explanation Action
15. Does the contract/agreement specify when, how and in what format will the cloud service provider return all required records and associated metadata? Does it specify that records and information returned or provided will be in sustainable and readable format to your organisation? State Records Act s11 and s21 and Standard on records management  3.4, 3.5, 3.6 and 3.7

At a minimum, NSW Public offices should ensure that cloud service providers are able to enable export of data in a format suitable for ingest into recordkeeping systems such as content management systems, EDRMS or the State Archives Management System (SAMS), ideally without any degradation or loss of data. Some of the important issues to consider:

  • timing and duration of the return of records, information and data
  • return mechanism and its security (over the network, or by physical media)
  • testing, flexibility to vary the process and management control of return process, and provision for dealing with issues
  • range of information to be returned/supplied and in what format –e.g. documents, databases, metadata and logs – linked together in complex ways
  • agreed data exchange standards and documentation of data return format(s)
  • availability of knowledgeable agency staff with appropriate skills to migrate and remediate the return process.

If yes, ensure termination provisions are accurately and thoroughly outlined in contract / agreement.

If no, specify, document, communicate and elicit agreement with the cloud service provider re: your agency’s format requirements and how data, records and information will be provided or returned.

 

Acknowledgements and further resources:

  1. InterPARES Trust, Checklist for cloud service contracts   (viewed 03 June 2020)
  2. National Archives of Australia, Outsourcing digital storage, https://www.naa.gov.au/information-management/store-and-preserve-information/storing-information/outsourcing-digital-storage (viewed 03 June 2020)
  3. National Archives of Australia, Cloud computing and information management, https://www.naa.gov.au/information-management/store-and-preserve-information/storing-information/cloud-computing-and-information-management (viewed 03 June 2020)
  4. Public Record Office Victoria, Recordkeeping Implications of Cloud Computing, 2013, www.prov.vic.gov.au/recordkeeping-government/document-library/cloud-computing-policy (viewed 03 June 2020)
  5. Australian Cyber Security Centre, https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations (viewed 30 July 2020)
  6. NSW Department of Customer Service, NSW Cyber Security Policy, https://www.digital.nsw.gov.au/policy/cyber-security-policy (viewed 02 October 2020)
  7. NSW Department of Customer Service, NSW Government Cloud Policy,  https://www.digital.nsw.gov.au/sites/default/files/NSW%20Government%20Cloud%20Policy.pdf  (viewed 06 October 2020)

Published October 2020

GRK footer