While you may be able to outsource the collection or storage of your information, responsibility for managing that information remains with your agency. This information may include original information as well as metadata, transactional records and backup copies.
Contractual clarity around roles, responsibilities, ownership, management and costs for outsourced cloud services is essential to successfully manage your information, effectively manage risk, ensure security and maintain agency and public confidence in the solution. Agencies should ensure that they use the most appropriate contract type under the QITC framework and should refer to Creating an ICT contract, specifically Module 3: As-a-Service.
For personal information, it is important to ensure that the cloud service provider is bound to the Privacy Principles as part of the contract. This is crucial, because if there is a breach, and you have failed to ensure the cloud service provider is contractually bound by the Privacy Principles, your agency will be liable for that privacy breach. The first step to ensuring clarity in cloud contracts is for your agency to understand the information management requirements of the information to be collected or stored in the cloud. It may be useful to include Records, Information Management and/or Privacy and RTI specialists from your agency in the planning and implementation of outsourced collection or storage solutions to ensure information management requirements are understood from the outset and then specified in the contract.
Any potential risks of cloud-based information collection or storage should be considered PRIOR to entering into any contractual arrangements (further information on cloud risk assessments can be found in the ICT-as-a-service risk assessment guideline). The value of your business information will determine what controls should be in place. Consideration must be given to the security classification of material to be collected or stored in the cloud and whether the service is hosted in an appropriate location. For example, the ICT-as-a-service offshore data storage and processing policy stipulates that data classified above PROTECTED must not be stored offshore.
The responsibilities of your agency and the cloud service provider should be clarified as part of the contract. Ensure that, prior to entering into any arrangements and agreeing to the conditions stipulated by the cloud service provider, all Terms and Conditions and any associated documentation are read, understood and acceptable to your agency. Cloud service providers must be able to demonstrate that they comply with any relevant laws and regulations as well as the applicable Queensland Government policies, standards and principles. However, the onus is on the agency negotiating the contract to ensure due diligence in relation to the proper management of information.
From an information management perspective, the contract should include (but is not limited to):
- Who has the right to access information, how it can be accessed and under what circumstances it can be accessed. This is particularly important in relation to the deletion or migration of information from the cloud as well as to ensure business continuity during periods of downtime, maintenance or in the event of a disaster or incident.
- Service Level Arrangements (SLAs) that meet agency requirements and are sufficient for the ongoing monitoring and review of the contract.
- A contractual obligation on the cloud service provider to report incidents relating to client data, tenancy breaches and, where applicable, Notifiable Data Breaches.
- A ‘right to audit’ clause and details about audit requirements. This includes what audit information needs to be kept (and for how long) and any agency specific (as opposed to cloud service provider initiated) auditing. How will audit information be provided and how often?
- Arrangements for the return of information at the end of an agreement, including formats, any additional costs involved (e.g. for ending the contract early or for data migration) as well as a clear understanding of what, if any, data will remain with the provider and how that will be managed or deleted.
- The retention and disposal of records including the capacity of the cloud service provider to keep items that have long retention periods and how legal disposal will be authorised.
To explore existing contractual arrangements available across the ‘ICT-as-a-service’ spectrum, please consult the current whole-of-government ICT arrangements available on the Queensland Contract Directory.