Queensland State Archives


Public Records Brief
A RECORDKEEPING UPDATE FOR QUEENSLAND PUBLIC AUTHORITIES

OCTOBER 2010


Managing the Recordkeeping Risks Associated with Cloud Computing

Many Queensland public authorities may use or are considering using cloud computing
services. This Public Records Brief highlights the recordkeeping implications for the
management of public records when using cloud computing technologies to store public
records and provides advice on managing the risks involved.

What is Cloud Computing?

The National Institute of Standards and Technology (NIST) defines cloud computing as “a
model for enabling convenient, on-demand network access to a shared pool of configurable
computing resources (e.g. networks, servers, storage, applications and services) that can be
rapidly provisioned and released with minimal management effort of the service provider.”[1]

Models for cloud computing can take a variety of forms including software, platforms or
infrastructure or a combination of these delivered as a service via the internet. Cloud
computing usually involves the transfer to or creation of content in data stores which are
maintained by a service provider and geographically remote from the customer. This means
that information may be stored or processed in physical locations outside Queensland or
Australian territorial boundaries.[2]

Government may choose to use a ‘private cloud’ model, where cloud computing services are
hosted on government-owned infrastructure, and delivered over government-owned
networks. Use of private cloud computing services helps to address some of the risks
outlined in the next section.

What are the Recordkeeping and Information Management risks associated with
Cloud Computing?

There are a number of recordkeeping and information management risks to be considered
when implementing cloud computing services, specifically around the creation, storage
management and disposal of records with service providers. In particular, public authorities
should be aware that:
• Security and privacy of information in a shared environment may increase the risk of
  unauthorised access particularly when service providers subcontract operations to other
  companies.[3]
• Ownership and control of data and/or infrastructure which does not reside within the
  agency may impact on an agency’s ability to access records as required.
• If a service provider goes out of business or is sold to another company, a public
  authority’s access to its records may change.
• As cloud computing relies on delivery via the internet there is a risk that IT performance
  issues may impact on maintaining high levels of accessibility to records.
• Data protection measures may be inadequate or non-existent.
• Difficulties migrating data in and out of cloud environments into other systems may
  generate issues when contracts end and records need to be returned to the public
  authority’s system or another provider’s system.
• If stored in other jurisdictions, Queensland public records may become subject to other
  legislative requirements and practices. This is of particular importance if the records are
  stored in facilities located in a foreign country, and therefore subject to non-Australian
  legislation e.g. privacy and security risks.
• Public records may not be disposed of appropriately when required as a result of multiple
  backups in different locations.
• The evidential value of records may be damaged if it cannot be proven that such records
  have remained inviolate and if appropriate audit trails and descriptions of management
  processes performed are not maintained by the service provider.
• Cloud applications may not include recordkeeping functions with the result that records
  may not be managed in accordance with the Public Records Act 2002, Information
  Standard 40: Recordkeeping and Information Standard 31: Retention and Disposal of
  Public Records.

[1] National Institute of Standards and Technology (NIST), Definition of Cloud Computing Version 15,
viewed 24/09/10, www.archives.gov/records-mgmt/faqs/cloud.html.
[2] Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing recordkeeping risks associated
with cloud computing. Available at
http://adri.gov.au/products/Advice%20on%20managing%20the%20recordkeeping%20risks%20associated%20with%20cloud%20computing.pdf.
[3] Public authorities have privacy obligations under the Information Privacy Act 2009 which
may impact on their use of cloud computing.

Cloud computing is a means to achieve outsourcing of records storage. For further advice
about custody and ownership issues applicable to cloud computing refer to the Custody and
Ownership Guideline: Managing Public Records during Outsourcing or Privatisation.[4]

Managing the recordkeeping risks associated with Cloud Computing

The following approach is recommended to public authorities for managing the
recordkeeping risks associated with cloud computing:
1. Identify the types of public records and information that will be stored or
processed using cloud computing service providers.
The level of risk that an organisation attributes to a proposed cloud computing
arrangement will vary according to the content or subject matter of the records and their
level of sensitivity and importance to the business of the agency.
• Determine how likely it is the records might be required as evidence or proof of
  actions, transactions or decisions.
• Determine if there are records with special secrecy or confidentiality requirements.
• Determine if there are records too commercially valuable to entrust to a cloud
  computing provider.
• Consider public expectations and privacy concerns particularly where information
  about individuals may be sent interstate or offshore.

2. Conduct a thorough risk assessment before entering into any arrangements with a
cloud computing service provider.
A risk assessment checklist has been provided by the Australasian Digital
Recordkeeping Initiative (ADRI) which can be used by public authorities considering
using cloud computing service providers.[5] This allows agencies to assess the risks
associated with the implementation and use of the application.

3. Ensure ‘due diligence’ when selecting a cloud computing provider.
This should include checking reference sites or referees where appropriate. A useful list
of questions to ask service providers has been provided by the Australasian Digital
Recordkeeping Initiative (ADRI) for use by public authorities.[6] These questions will
assist public authorities to assess how providers plan to manage the data and its
security.

[4] Custody and Ownership Guideline: Managing Public Records During Outsourcing or Privatisation.
Available at www.archives.qld.gov.au/downloads/Guideline_Custody_and_Ownership.pdf.
[5] Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing recordkeeping risks associated
with cloud computing. Available at
http://adri.gov.au/products/Advice%20on%20managing%20the%20recordkeeping%20risks%20associated%20with%20cloud%20computing.pdf.

4. Negotiate contractual arrangements to manage known risks.
Public authorities should ensure all contractual arrangements with any service provider
recognise that:
• Ownership of the public records remains with the public authority.
• The public authority has a continuing responsibility for the proper management of
  those records. This includes the disposal of records in accordance with an authorised
  Retention and Disposal Schedule.
• Records and associated metadata will be returned to the public authority when
  requested.

Agencies should consider how records and associated metadata will be managed when
contracts are terminated. In particular, the data should be returned in a useable form,
and removed permanently from the service provider’s systems.
Where possible, agencies should include a service level agreement as part of any
contractual arrangements with service providers. This should specify detailed
performance metrics against which the service provider can be measured to ensure
relevant requirements are being met, and the need for regular reporting against
performance metrics. This may include the need for regular independent auditing of
contractual obligations, particularly relating to security and recoverability. Arrangements
with service providers should also specify the agency will be advised of any changes to
its data storage arrangements such as change of location, back up and recovery
procedures or security controls.
For a Checklist of some examples of issues to be included in agreements refer to the
Custody and Ownership Guideline: Managing Public Records during Outsourcing or
Privatisation.[7]
The Australasian Digital Recordkeeping Initiative (ADRI) has also provided a useful list of
contractual inclusions for consideration by public authorities when negotiating with cloud
computing service providers.[8]


5. Monitor arrangements with cloud computing service providers.
As circumstances change, it is important to monitor arrangements with service providers
to ensure the public authority’s recordkeeping and information management objectives
continue to be met, and to check for any unacceptable risks that might emerge or
escalate.

For more detailed guidance on the management of public records, visit the Queensland State
Archives’ website at www.archives.qld.gov.au, or contact us on:
Telephone: (07) 3131 7777
Email: info@archives.qld.gov.au



[6] Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing recordkeeping risks associated
with cloud computing. Available at
http://adri.gov.au/products/Advice%20on%20managing%20the%20recordkeeping%20risks%20associated%20with%20cloud%20computing.pdf.
[7] Custody and Ownership Guideline: Managing Public Records During Outsourcing or Privatisation.
Available at www.archives.qld.gov.au/downloads/Guideline_Custody_and_Ownership.pdf.
[8] Australasian Digital Recordkeeping Initiative (ADRI), Advice on managing recordkeeping risks associated
with cloud computing. Available at
http://adri.gov.au/products/Advice%20on%20managing%20the%20recordkeeping%20risks%20associated%20with%20cloud%20computing.pdf.