Managing information in the Cloud

Fact sheet

Final | November 2018 | v1.0.0 | OFFICIAL - PUBLIC | QGCIO

Purpose

This factsheet provides guidance to Queensland Government agencies who currently store their information in the cloud, use cloud service providers to collect information or are considering doing so. Its focus is on the information management considerations of outsourced cloud service solutions, which includes elements of information security, records management, contract management, procurement and privacy. Factsheets published by the QGCIO are generally for information only and agencies are not required to comply. They are intended to help agencies understand the appropriate approach to addressing a particular issue or doing a particular task.

This factsheet is not intended to replace specific advice which already exists in these areas, but instead brings together the relevant material required to ensure Queensland Government information stored in the cloud is appropriately and actively managed – from creation through to disposal.

Background

The QGCIO Glossary defines Cloud computing as a utility model for gaining access to processing and storage capacity without having to own any hardware. A capacity-on-demand model where you pay someone else for the use of their capacity and you do not necessarily care how or where it is delivered.

In 2014 the QGCIO released the Cloud strategy (currently under review) which states that a cloud-based solution is the preferred option for all future digital and ICT investments. Since that time, there has been increasing adoption of a range of cloud services across Queensland Government, including the ongoing collection and storage of information.

Outsourced cloud services have the potential to lower storage costs, standardise services and deliver flexible and contemporary public services to the citizens of Queensland. However, these benefits can only be achieved by ensuring that any outsourcing risks, including those specifically relating to information management, are identified, monitored and appropriately actioned throughout the term of the outsourced cloud services contract arrangement.

While your agency may outsource information collection or storage to cloud service providers, it retains responsibility for all aspects of information management related to that information.

Legislative and Privacy Considerations

It is important to remember that any information your agency stores in the cloud remains subject to a range of legislative requirements including the Public Records Act 2002, the Information Privacy Act 2009 (IP Act) and the Right to Information Act 2009 (RTI Act). There may also be legislation specific to your agency (or the type of information you intend to store in the cloud) which dictates how or where that information must be stored, accessed and managed. It’s also important to remember that if your information is being stored in another jurisdiction, or your cloud service provider is incorporated outside of Australia, your information may be subject to the laws of those jurisdictions as well.

For personal information, the Privacy Principles contained within the IP Act regulate how QG agencies collect, store, use and disclose this information, while the RTI Act promotes the release of information and outlines the formal access application process. Whether you use your own ICT infrastructure or a cloud service provider, the onus is on your agency to ensure that the Privacy Principles are met.

More information on privacy considerations for cloud solutions can be found in Cloud computing and the privacy principles produced by the Queensland Office of the Information Commissioner.

Planning and preparation

While you may be able to outsource the collection or storage of your information, responsibility for managing that information remains with your agency. This information may include original information as well as metadata, transactional records and backup copies.

Contractual clarity around roles, responsibilities, ownership, management and costs for outsourced cloud services is essential to successfully manage your information, effectively manage risk, ensure security and maintain agency and public confidence in the solution. Agencies should ensure that they use the most appropriate contract type under the QITC framework and should refer to Creating an ICT contract, specifically Module 3: As-a-Service.

For personal information, it is important to ensure that the cloud service provider is bound to the Privacy Principles as part of the contract. This is crucial, because if there is a breach, and you have failed to ensure the cloud service provider is contractually bound by the Privacy Principles, your agency will be liable for that privacy breach. The first step to ensuring clarity in cloud contracts is for your agency to understand the information management requirements of the information to be collected or stored in the cloud. It may be useful to include Records, Information Management and/or Privacy and RTI specialists from your agency in the planning and implementation of outsourced collection or storage solutions to ensure information management requirements are understood from the outset and then specified in the contract.

Any potential risks of cloud-based information collection or storage should be considered PRIOR to entering into any contractual arrangements (further information on cloud risk assessments can be found in the ICT-as-a-service risk assessment guideline). The value of your business information will determine what controls should be in place. Consideration must be given to the security classification of material to be collected or stored in the cloud and whether the service is hosted in an appropriate location. For example, the ICT-as-a-service offshore data storage and processing policy stipulates that data classified above PROTECTED must not be stored offshore.

The responsibilities of your agency and the cloud service provider should be clarified as part of the contract. Prior to entering into any arrangements and agreeing to the conditions stipulated by the cloud service provider, ensure that all Terms and Conditions and any associated documentation are read, understood and acceptable to your agency. Cloud service providers must be able to demonstrate that they comply with any relevant laws and regulations as well as the applicable Queensland Government policies, standards and principles. However, the onus is on the agency negotiating the contract to ensure due diligence in relation to the proper management of information.

From an information management perspective, the contract should include (but is not limited to):

  • Who has the right to access information, how it can be accessed and under what circumstances it can be accessed. This is particularly important in relation to the deletion or migration of information from the cloud as well as to ensure business continuity during periods of downtime, maintenance or in the event of a disaster or incident.
  • Ensure the Service Level Arrangements (SLAs) stipulated in the contract meet agency requirements and are sufficient for the ongoing monitoring and review of the contract.
  • Ensure cloud service providers are contractually obligated to report incidents related to client data, tenancy breaches and, where applicable, Notifiable Data Breaches.
  • A ‘right to audit’ clause and details about audit requirements. This includes what audit information needs to be kept (and for how long) and any agency specific (as opposed to cloud service provider initiated) auditing. How will audit information be provided and how often?
  • Arrangements for the return of information at the end of an agreement, including formats, any additional costs involved (e.g. for ending the contract early or for data migration) as well as a clear understanding of what, if any, data will remain with the provider and how that will be managed or deleted.
  • The retention and disposal of records including the capacity of the cloud service provider to keep items that have long retention periods and how legal disposal will be authorised.

To explore existing contractual arrangements available across the ‘ICT-as-a-service’ spectrum, please consult the current whole-of-government ICT arrangements available on the Queensland Contract Directory.

Monitoring and review

After you commence using cloud services, provisions should be in place to enable you to regularly monitor and review the cloud service provider to ensure that all contractual arrangements are being met in relation to the management of your information – this is particularly important when circumstances change over time (e.g. policy and legislative requirements or Machinery of Government changes). Monitoring and review activities may include:

  • Ensuring that the cloud service provider conducts (and provides the results of) regular and appropriate auditing. This will allow you to determine whether the security, access, integrity and evidentiary requirements of your information are being maintained in accordance with Queensland Government expectations as specified in the contract and any service level agreements.
  • Regularly reviewing the accessibility, readability and availability of your information to ensure its integrity remains intact. This may involve checking the results of migration activities, reviewing access logs and checking authorised deletions have occurred as requested.
  • Ensuring any records are kept and managed (including deleted) on an ongoing basis in accordance with the Public Records Act 2002 and the Records Governance Policy.
  • Closely monitoring any reported security breaches, unauthorised access, migration failures or any other incidents that may negatively impact your information. If an incident occurs, ensure appropriate action is taken, particularly if contractual arrangements are not being met.
  • Regularly monitoring the Service Level Agreement (SLA) stipulated in the original contract to ensure the cloud service provider continues to meet contractual requirements.
  • In the event of a data breach, agencies participating in the Queensland Government Insurance Fund (QGIF) may be covered for the costs associated with recovering from the data breach, including any amounts an agency may be liable to pay third parties.
  • Conducting or requesting periodic penetration or vulnerability testing of your cloud service provider to ensure it continues to meet the security policies, standards and compliance obligations required for your information.
  • Ensuring that if the staff member who signed the original contract is leaving the agency, there are processes in place to allocate responsibility for and access to the account to another officer and that the cloud service provider is advised of these changes.

Ensure that your agency’s policies, procedures, guidelines and training material clearly articulate how information collected or stored with cloud service providers should be managed. To keep things simple, information collected or stored with cloud service providers should be managed in a manner consistent with the Information Security Policy (IS18:2018) as well as broader agency information management policies and business processes.

Exiting

There are many circumstances which may require you to change or end your agency’s contract with a cloud service provider or delete information from the cloud. These may include:

  • The end of the contract.
  • The end of an approved retention period.
  • A cloud service provider going out of business.
  • A change in terms or conditions which means the cloud service provider can no longer meet your requirements.
  • A change of Queensland Government policy or legislation.
  • A change in policy or legislation from other jurisdictions (such as the introduction of the General Data Protection Legislation (GDPR)).
  • A decision to migrate your data to another service provider.

When the time comes to remove, move or delete your information from a cloud service provider, there are several information management issues to consider. You should ensure that:

  • The migration or deletion practices of the cloud service provider which were specified in the original contract can and will be applied prior to any action being taken.
  • The cloud service provider provides verification that the information has been removed.
  • All copies of your information (including any associated data such as metadata and backup copies) are returned or destroyed in accordance with your agency’s requirements and the Public Records Act 2002.
  • All of the information required to be returned is complete, accessible, useable and in the format specified in the original contract.
  • Plans or contingencies are in place should your agency suffer data loss or corruption.

Case Study: The PageUp Data Breach

PageUp is a Melbourne-based company which provides cloud-based HR services to a range of both government and corporate enterprises. In May 2018, the company became aware of a malware infection which had resulted in an unknown third party accessing its internal systems, including those containing client data. Personal client data such as names, contact and address details, references, placement agencies, usernames and passwords were potentially accessed.

Although PageUp was responsible for the data breach (and compelled under the new mandatory data-breach reporting rules introduced in February 2018 to report the breach to both the authorities and its clients), the impact of the breach was potentially made much worse due to the poor information management practices of some users.

Some useful information management considerations for Queensland Government agencies highlighted as a result of the PageUp data breach include:

  • Ensure cloud service providers are able to protect personal data in accordance with the relevant legislation and privacy provisions.
  • Specify how long cloud service providers should retain data - some companies had more than 10 years of recruitment data stored with PageUp.
  • Ensure that cloud service providers collect and retain only the minimum data required to undertake the required services.
  • Ensure that data which is no longer required is deleted on a scheduled basis.
  • Regularly update passwords. Prior to 2007 PageUp stored passwords in plain text and some users had used the same password for more than a decade.

Case Study: The Typeform Data Breach

Typeform is a Barcelona-based as-a-service company that provides software used to create web-based surveys and forms, conduct polls and facilitate quizzes, tests and contests. In June 2018, the company suffered a cyber-attack that resulted in attackers exfiltrating its clients’ data contained in a partial backup file. Customers potentially affected included the Queensland Government, the Tasmanian Electoral Commission, the Australian Republican Movement, CHOICE and the Townsville City Council.

Some useful information management considerations for Queensland Government agencies highlighted as a result of the Typeform data breach include:

  • Ensure your service provider can provide the level of security required by the information you are storing with them.
  • You should closely monitor data collection practices particularly around personal or sensitive data.
  • Take measures to ensure internal security standards and monitoring are in place.
  • Consideration should be given to elements of data storage, particularly in relation to location, security and duration.


Last Reviewed: 19 November 2018