Records and information management FAQs – Using cloud services based outside of NSW October 14, 2015
In August this year, the Department of Finance, Services and Innovation issued version 2 of the NSW Government Cloud Policy. This policy notes:
The positive experience of NSW agencies so far with the benefits of cloud services leads to the expectation that ICT procurements for commoditisable, non-core business solutions will be provided via cloud-based services – unless there is a specific consideration preventing this from happening.
Perhaps in response to the release of the new policy, or perhaps coincidentally, we have recently received a number of enquiries about using cloud services from NSW public offices. In particular, people have been contacting us to ask ‘can we use cloud services based outside of NSW?’
In terms of the State Records Act 1998 the answer is ‘generally yes subject to some conditions’.
The General authority for transferring records out of NSW for storage with or maintenance by service providers based outside of the State (GA35) gives approval for public offices to manage and store records via cloud services based outside of NSW without the need to seek further approval or authorisation from State Records. This permission is given on the condition that the organisation has undertaken an appropriate risk assessment and the records are managed in accordance with all the requirements applicable to State records under the State Records Act.
In particular public offices must:
- assess and address the risks involved in taking and sending records out of the State for storage with or maintenance by service providers based outside of NSW
- ensure the service providers’ facilities and services conform to requirements in standards issued by State Records
- ensure contractual arrangements and controls are in place to ensure the safe custody and proper preservation of records
- ensure that the ownership of the records remains with the public office
- monitor the arrangement to ensure the service provider is meeting relevant requirements.
It’s important to note that this authorisation to take and send records out of NSW is given in terms of the State Records Act only. NSW public offices must not take or send records out of NSW in contravention of any other legal responsibilities or business interests the public office may have. Part of a public office’s risk assessment should involve the identification of all statutory or other limitations on their actions.
The NSW Government Cloud Policy notes that contractual provisions for cloud services should:
confine data storage and processing to specified locations where the regulatory framework and technical infrastructure allow the public agency to maintain adequate control over the data.
The Department of Finance, Services and Innovation has published a number of case studies illustrating how NSW Government agencies have adopted cloud services.
State Records has also published some more detailed advice about the records and information management implications of using cloud services.
Leave a Reply
You must be logged in to post a comment.