Records management and the cloud – considerations for local government July 8, 2015

This morning Catherine Robinson from State Records spoke at Akolade’s Cloud Services in Local Government conference in Sydney. This conference aimed to illustrate how local councils can successfully procure, implement and manage ‘as a service’ cloud platforms.

Catherine’s talk focussed on the considerations for records and information management when using cloud services. Catherine talked about:

  • NSW Government requirements for cloud services
  • requirements for the retention and disposal of records in NSW local government
  • managing the risks associated with cloud arrangements.

Although Catherine’s talk was aimed at local government, it may also be of interest to the broader NSW public sector.

NSW Government requirements

In recent years, NSW Government has developed a number of policies and guidelines for the management of NSW Government digital information. While these policies and guidelines are applicable to NSW Government agencies, its useful to be aware of these considerations and the practices which are being implemented into NSW Government.

These requirements were established by the Office of Finance and Services and are designed to work together and help organisations better manage digital information regardless of location.

The NSW Government Digital Information Security Policy establishes the policy for security requirements but also sets out the need for Government to better understand the types of digital information it creates and manages. The policy requires that all NSW Government agencies assess ‘all digital information’ to determine its classification to ensure it receives an appropriate level of protection. By understanding the types of information that your organisation holds, whether it should be classified or unclassified, and if it has certain sensitivities or confidentialities, the organisation can then appropriately protect the information and manage it in accordance with privacy, access, and records legislation.

Building on this requirement, the Information Classification and Labelling Guidelines provide further detail for NSW Government agencies on classifying their information and the use of the dissemination limiting markers (DLMs) or labels which are applied to different information types to manage the storage, handling, providing access and disposal of information.

While these first two set the scene, the key requirement which will be of interest to you is the NSW Government Cloud Services Policy and Guidelines. While this policy does not apply to NSW Local Government, it should be considered best practice for organisations within the broader NSW public sector and considered when evaluating and assessing cloud services. It covers infrastructure services (IaaS), platform services (PaaS) and software services (SaaS).

The NSW Government policy recognises the potential of cloud-based services for Government ICT services and strategies, but also notes that not all government information or ICT will be suitable for cloud.

The policy includes a number of key considerations that Government organisations should consider in determining whether they opt for cloud services and whether Government information should be in the cloud. The key considerations are:

  • cost benefit
  • complying with regulatory frameworks
  • risk management assessment for the storage and maintenance of public sector information and records by a cloud provider
  • contract terms
  • skills and capabilities requirements for the organisation
  • change management
  • technical considerations
  • use of technical standards for security, interoperability, and data portability
  • information management.

The policy looks at each of these in detail, but today I’d like to discuss briefly the two which are the most relevant for this presentation: the regulatory frameworks and information management.

The policy identifies a range of regulatory frameworks, which must be carefully considered. These include the State Records Act 1998, privacy and access to information legislation (Privacy and Personal Information Protection Act 1998, Health Records and Information Privacy Act 2002, Government Information Public Access Act 2009), and the NSW Government Digital information Security Policy.

The policy also requires that organisations consider information management as a key component of the planning and delivery of cloud services. This includes ensuring that NSW Government retains ownership of information assets; that organisations understand how long information needs to be retained, and how information assets will be sustained over time to support ongoing business and other requirements, and the accountable disposal of information held in the cloud; security, privacy and access of data and information assets; business continuity; and strategies for moving data and information from one provider to the next.

I would encourage any local government organisation intending to use the cloud, to consider the policy and these key considerations.

I’d now like to turn to another set of NSW Government requirements for using cloud services which are derived from the requirements of the State Records Act 1998. The State Records Act covers NSW Local Government, so these requirements do need to be properly considered by Councils when looking towards using cloud services.

The requirements of the State Records Act cover the creation, management, protection and ongoing accessibility to records and information.  The Act covers records and information in all formats, including both digital and physical records.

The General Authority for Transferring records out of NSW for storage with and maintenance by service providers based outside of the State (GA 35) is applicable to all types of organisations covered by the State Records Act, including local government.

Under section 21 of the State Records Act, State records may not be taken or sent outside of NSW unless authorised by the State Records Authority. This General Authority is the explicit approval for records to be transferred outside of NSW into cloud environments provided that an appropriate risk assessment has been made and the records are managed in accordance with all the requirements applicable to State records under the State Records Act. This means that any NSW council wanting to use cloud services needs to:

  • assess and address the risks involved in taking and sending records out of the State for storage or maintenance by a service provider based outside of NSW
  • ensure the service providers facilities and services conform to requirements in standards issued by State Records Authority
  • ensure that contractual arrangements and controls are in place to ensure the safe custody and proper preservation of records
  • ensure that the ownership of the records remains within the public office, and
  • monitor the arrangement to ensure the service provider is meeting relevant requirements.

The third aspect of the NSW Government Framework is the new Standard on records management which was issued by the State Records Authority to public offices, including NSW Local Government, in March this year.

The new standard has been specifically designed to assist organisations with the current and emerging digital business environments for records and information management, including the cloud environment. There are 3 requirements which specifically address the records and information management and the cloud. Councils will need to demonstrate how they conform to these requirements:

  • Requirement 1.7 is designed to ensure that records and information management responsibilities are addressed in all service arrangements that the organisation enters into, including cloud services and arrangements. This means that the corporate records and information policy in your organisation should include a requirement for these responsibilities and that the organisation undertakes risk assessments and addresses issues prior to entering contractual arrangements. Organisations will also need to ensure that the portability of records and information is assessed and addressed in cloud arrangements.
  • Requirement 2.4 is designed to give organisations greater visibility of their information, regardless of format or where they are located. If an organisation knows what records and information it has, then they can better manage and protect these assets. Knowing that the organisation has information placed in the cloud, means that the organisation can better manage and protect this information.
  • Requirement 2.6 is designed to ensure that records and information are managed appropriately through system migrations and service transitions, such as upgrades of systems and services offered in cloud environments. It’s important that organisations have documented migration strategies, planning and testing and Q&A processes to ensure that records and information are not ‘left behind’ or disposed of unlawfully. Migrating records and metadata in a cloud environment needs to result in trustworthy and accessible records post-migration. This requirement is also relevant to the portability of records and information from one cloud provider to the next service provider and that nothing is left behind, or if the organisation wants to retrieve all the information, it can be returned complete and without any loss, and that nothing is left behind in the service provider’s systems.

Requirements for the retention and disposal of records in NSW local government

The General Retention and Disposal Authority – Local Government Records (GA39) provides the authority for Councils to dispose of records lawfully. GA39 identifies those records which are required as State archives and provides approval for the destruction of certain other records after mandatory minimum retention periods have been met.

In the case of GA35 which I mentioned earlier, this is the explicit approval by the State Records Authority for local government to use cloud services, provided the conditions for the approval are met.

The new Standard on records management includes three requirements which are also relevant in the discussion on the retention and disposal of records:

  • Requirement 3.4 is fairly straightforward and requires public offices to protect records and information.
  • Requirement 3.6 requires that records and information are kept for as long as they are needed for business, legal and accountability requirements. This means that records and information need to be sentenced and disposed of according to current authorised retention and disposal authorities. This includes records and information located in business systems, in the cloud, or in physical records storage. Disposing of digital records and information may also be part of a planned migration process or the decommissioning of systems. As part of this requirement, records that are required as State archives should be routinely transferred to the State Records Authority of NSW.
  • Requirement 3.7 requires that your organisation implements policy, business rules and procedures which identify how the destruction of records and information is managed, including the deletion of data and the decommissioning of systems. Organisations must be able to account for their retention and disposal of records and information. This includes providing evidence that the disposal of records and information was permitted and authorised under legal obligations, including the State Records Act, and accountability requirements.

Managing the risks associated with cloud arrangements

I’ve talked about the frameworks for using the cloud, but what are the risks that each organisation needs to assess and mitigate with using cloud services?

This is not a complete or comprehensive list of business and records related risks, but it will give you an appreciation of the types of risks that need to be assessed and managed:

  • Will sensitive data be hosted or stored outside of your organisation’s networks and servers?
  • Will critical data be only accessible through the cloud service provider? How acceptable is this dependency?
  • As data is managed and/or stored externally, business continuity and disaster recovery processes are outside the organisation’s control and in the hands of the provider. Is this acceptable?
  • Does the service provider have robust backup and BCP and disaster recovery strategies and systems?
  • Can the organisation control the relevant information and records hosted in the cloud? And meet the requirement of s.11(1) of the State Records Act to ensure the ‘safe custody and proper preservation’ of State records?
  • Where is the information stored? Is data sovereignty an issue? Could a person in another State or country claim ownership or take control of the records?
  • Could the records be subject to a different legal jurisdiction?
  • Can the provider preserve records with long retention periods, for example for longer than 30 years?
  • Could the provider destroy or deleted records without approval, unlawfully or inappropriately?
  • Can the provider perform and document common records management tasks such access control, transfer and disposal of records?
  • Will the records be returned upon request or at the conclusion of the contract?
  • Will the records be returned in a format that the organisation can access and use?
  • What happens if the provider or owner of the business goes out of business? Can the data be recovered?

How do I manage the risks?

In order to manage the risks, you should:

  • identify and assess the risks involved in using cloud services to store or process government information including records
  • assess the software products offered by the cloud service providers for their capacity, appropriateness and adequacy to create, store, manage or process government information including records
  • perform ‘due diligence’ when selecting a cloud service provider and the service offerings
  • establish contractual arrangements to manage known risks
  • monitor the arrangements with cloud computing service providers.

And remember, your organisation may have some records which are too sensitive or important to trust to a public cloud service arrangement.

Cloud arrangements – contractual issues

To help with managing the records and information management risks associated with cloud services, we have developed a list of contractual issues. These are all listed in our advice on the records and information management implications of using cloud services.

This advice also includes a checklist to ensure that all records and information management risks have been covered.

Photo credit: “Sunrise on the penguin colony” – Brian Gratwicke (CC BY 2.0)
Leave a Reply

You must be logged in to post a comment.