Ngā ratonga Kapua
Cloud services
Overview
Public cloud-based services are information and communications technology (ICT) services that work together to store, process and manage an organisation’s information and records in the cloud. They are increasingly used by public offices and local authorities (public sector organisations) in New Zealand, as they offer efficient and cost-effective solutions. These benefits must however be weighed up against the risks associated with privacy, security, and information and records management (IM).
This guide aligns with strategy, policy and guidance issued by the Government Chief Digital Officer (GCDO) published on digital.govt.nz. It outlines considerations for public sector organisations’ decisions on using cloud-based services for their IM.
Please also see our quick guide to using public cloud services.
New Zealand's ‘Cloud First’ policy
The New Zealand government requires public sector organisations to accelerate their adoption of cloud services — in a balanced way — so they can drive digital transformation. The ‘Cloud First’ policy requires organisations to:
adopt cloud services in preference to traditional ICT systems
only store information classified as RESTRICTED or below in a cloud service, whether it is hosted onshore or offshore.
have and use a cloud plan
consider te ao Māori perspectives
consider high-level sustainability principles
make adoption decisions on a case-by-case basis following a risk assessment.
Requirements for public sector organisations when adopting cloud services have been issued by the GCDO. If your public sector organisation is using or considering the use of cloud services, you must undertake an information risk assessment, including privacy and security issues, following GCDO guidelines. The aim of this assessment is to systematically and regularly identify, monitor and review, analyse, evaluate and control all IM risks in a service level agreement or contract.
Use of the cloud in relation to the Public Records Act
The use of public cloud services to create, store and manage information and records does not diminish or remove the statutory responsibilities of your organisation in relation to the Public Records Act 2005 (the Act) and the mandatory Information and records management standard (the Standard).
Your IM staff must be involved in any cloud provider assessment process and the final decision-making to ensure your organisation meets the legislative requirements of both the Act and the Standard.
Assessing the risks
While the risk assessment process may seem lengthy, it is important to remember that the choice of a public cloud provider is ultimately your organisation’s decision and responsibility. Specialist knowledge is critical to ensure that IM requirements are taken into consideration during the assessment process.
A cloud service provider should be able to answer questions regarding the functionality, reliability, availability, security, privacy, information and records ownership/stewardship, integration and customisation of their service(s).
Your IM staff must be involved, with others, in the initial risk assessment and planning as well as during business-as-usual operation. Once you have started with a service provider, you need to make sure that there is a process in place for regularly monitoring how well your IM needs are being met by the cloud services used.
The GCDO has developed a risk discovery tool for public cloud services designed to help organisations discover and document what information is needed to do a risk assessment. The tool itself is not the risk assessment. You can use the tool to find out which risks and security controls you need to consider. This helps you do your risk assessment in a way that matches your effort with the risk and value of the information and records you’ll be storing in a public cloud service.
Use your answers from the tool to help you with your organisation’s risk assessment process. Find out if using the public cloud service fits:
your organisation’s purpose and business needs - what your staff will be using it for
how valuable the information and records are to your organisation, the New Zealand government and New Zealanders
the level of security assurance you need for your information and records — this depends on your decision about their value.
Key IM considerations for using cloud services are outlined below.
Information and records management considerations
NOTE: The questions listed below are indicative only; you should consider whether there are any additional questions that reflect your organisation's specific circumstances.
Content
Recommendations
The value, criticality and sensitivity of the information and records to be held in the cloud should be accurately assessed to ensure it is adequately protected.
Risks should be assessed based on content or subject matter of the information and records and the level of sensitivity and importance to the business of your organisation.
Key questions
What kind of information and records will be created?
What is the importance of the information and records?
Have they been identified for long-term retention?
What is the level of sensitivity?
Have they been classified as open or restricted access under the Act?
Ownership
Recommendations
Public cloud services are a way of outsourcing. Make sure the contract’s terms clearly define ownership over the information and records and the control you have over them.
Information and records outsourced to a cloud environment must remain the legal and intellectual property of your organisation.
Make sure that the contract’s terms of service also state whether or not the service provider might use your information and records for any purpose other than delivering the service.
Key questions
Does the contract clearly specify ownership of information and records?
If the service provider subcontracts parts of their operation to other providers, is ownership of the information and records documented and understood by all involved parties?
Location of provider
Recommendations
Assess, with help of legal experts, the jurisdictional risk of using a cloud provider based offshore, as it is likely to be subject to the law of the host country, and legislative requirements for IM may be different.
Follow the GCDO’s recommendations about identifying jurisdictional risk included in the risk discovery guidance.
If the provider is not able to support the requirements of New Zealand legislation, your organisation may be unable to comply with its regulatory obligations.
For organisations who hold information and records from or about Māori, extra consideration should be given to the location of the cloud provider.
Key questions
Where will the information and records be stored/hosted?
Which legislation, or other jurisdictional requirements, will the information and records become subject to?
Māori interests
Recommendations
If your organisation has stewardship of iwi, hapū or whānau Māori information and records, these must be managed in alignment with New Zealand’s Cloud First policy, which acknowledges Te Tiriti o Waitangi and the following Treaty-based principles for considering public cloud:
Accountability
Ethics
Transparency, and
Collaboration
He Aratohu Kapua – Cloud Te Tiriti Guidance: New GCDO guidance will be coming soon. It will provide resources to support Tiriti partners in working together on cloud-adoption decisions that involve iwi and Māori data. For now, please refer to the guidelines for Māori interests in public cloud published on digital.govt.nz.
Key questions
Does your organisation hold data or information from or about Māori?
Where will the information and records be stored/hosted?
How will Te Tiriti obligations and partnership relationships be managed appropriately?
Māori data is defined by Te Mana Raraunga | Māori Data Sovereignty Network as:
“Māori data are data that are produced by Māori, and data that are about Māori and the environments we have relationships with. Data are a living tāonga and are of strategic value to Māori. Māori data include but are not limited to:
Data from government agencies, organisations and/or businesses
Data about Māori that are used to describe or compare Māori collectives
Data about Te Ao Māori that emerges from research.”
Protection, security and privacy
Recommendations
Information and records in the cloud are more exposed to unauthorised access; more so if the cloud service provider subcontracts parts of its operation to other companies.
You must assess the cloud provider against the risk of illegal release of information, and the level of reputation damage that this could cause. Information and records stored and managed in a cloud environment must also be protected from unauthorised deletion or alteration.
Check how your organisation’s information and records will be managed and accessed by third parties, especially if there is personal information involved. Where any information and records have access restrictions, you must ensure these are managed appropriately in the cloud environment.
Do a Privacy Impact Assessment (PIA), sometimes called a privacy risk assessment, before adopting any public cloud service that involves or might involve:
personal information
aggregated data derived from personal information.
Key questions
What kind of security framework is provided?
How does the provider prevent unauthorised disposal?
Will your organisation be consulted regarding a third party seeking access to its information and records?
If the provider stores your information and records with those of another organisation, what kinds of controls are in place to guarantee secure partitioning?
How are user identities and access controls managed?
How does the provider prevent unauthorised changes to your information and records?
Availability
Recommendations
As cloud services are provided over the internet, it is more likely that there may be some periods of service disruption where information and records are inaccessible. For critical activities where access to information and records is essential, the impact of loss of access even for a short time may be severe.
You must take business continuity and disaster recovery into consideration when assessing the cloud service: for example, check that back-ups are always accessible, and what the costs are for retrieving information from those back-ups.
Ensure the provider meets your organisation’s requirements for keeping its service and your information and records online, including, for example:
if the level of availability is stated and detailed in the service level agreement
how your service provider protects its services from denial-of-service attacks, both distributed and economic.
Check if your network, either directly managed or subscribed to by your organisation, supports using the public cloud service.
Key questions
Are your information and records discoverable 24/7, no matter what?
Does the provider have a business continuity plan in place in the event of an incident/outage? Does it meet the levels you require?
What are the practicalities of implementing the plan? And the cost?
Portability and interoperability
Recommendations
In a cloud environment, a lack of portability standards may make it hard to remove your organisation’s information and records to meet legislative requirements at contract termination.
Check that proprietary interfaces and programming languages used by cloud service providers won’t create barriers to migrating your information and records to another environment. Also ensure that system updates are only to be applied with detailed consultation with your organisation, so there is no loss of control over the integrity of your information and records.
To avoid the evidential nature of the information and records being compromised, your organisation must be able to prove that they could not have been altered in any way while stored in the cloud.
Key questions
What processes are in place for migration, and how will information and records be accessible and readable after migration to another provider?
What is the level of interoperability between different cloud applications used by your organisation?
What is the possible impact of system updates on the integrity of information and records?
Does the cloud system have the ability to easily migrate the information and records to another environment?
What is the impact of migration decisions by the cloud provider on the reliability and completeness of information and records, and associated metadata?
Metadata
Recommendations
Information and records created, stored and managed in a cloud environment must be able to link with their relevant metadata, providing context and thus ensuring their reliability as evidence.
Key questions
Have the minimum legislative requirements for metadata been applied?
Have the information and records been classified in accordance with your organisation’s business classification scheme(s)?
Search, audit and reporting functionalities
Recommendations
Information and records hosted in the cloud should be easily discoverable for information requests, because the Official Information Act 1982 and the Privacy Act 2020 apply regardless of where information and records are located.
Reporting functionality should also be considered to facilitate internal and external audit processes.
The evidential value of your information and records may be affected if appropriate audit trails, and descriptions of any management processes performed on them while in cloud systems, are not maintained.
Key questions
What are the cloud provider’s capabilities for search across information and records?
What kind of reporting and audit trail functionality exists?
Will your information and records remain easily and quickly discoverable for audits, legal inquiry or release?
Is the provider able to report easily on the management and use of your information and records, and provide sufficient details about this?
Are the cloud services auditable?
Digital preservation
Recommendations
Cloud systems used to store and manage public or protected information and records must be able to actively preserve these until they are legally disposed of.
To ensure information and records are maintained for as long as required by the organisation, consider if the format will allow for continued accessibility long term. Preservation methods, software, system and/or infrastructure used by the provider must be carefully assessed.
Key questions
What kind of preservation activities and checks will be performed by the provider to guarantee your information and records remain accessible and usable over time, and unaltered?
Do the preservation activities performed include metadata as well?
Disposal capability
Recommendations
Use of cloud services is not a form of disposal. You must monitor the retention, disposal and transfer of any information and records held in the cloud.
While disposal coverage is not a prerequisite for signing up with a cloud service provider, it is strongly recommended that if your organisation has a disposal authority (DA), this is applied at the point of creation when using a cloud service. Also check how easy it is to update any disposal settings if changes to your DA occur.
For public offices, information and records held in the cloud must have minimum retention periods and a disposal action of either ‘destroy’ or ‘transfer to Archives New Zealand’ applied to them.
Be aware that cloud service providers are not necessarily bound to follow the minimum retention periods in your DA and could unintentionally expose your organisation to litigation risk and additional costs by retaining information and records longer than recommended. Conversely, information and records intended for long-term retention or transfer to us might be deleted or overwritten by the provider’s server, thereby breaching the Act.
There is also a risk of information and records not being destroyed in a timely manner, after authorisation by your organisation. It is common for service providers to replicate information and records for multiple backups, sending copies to sites in different locations or even different jurisdictions. This can mean that information and records due for destruction are not properly deleted from every server held in every site, which poses a serious risk particularly for those containing personal or sensitive information.
Providers must delete and digitally ‘shred’ when required by a DA. Certificates of destruction should be asked for.
Key questions
For public offices, what export/extract functionality will be available (for example, for bulk/individual items, drag and drop) when permanent-value information and records are due to be transferred to us?
How will you confirm the destruction of information and records from servers not under your direct control?
Can the cloud service offer destruction of information and records (including any copies) in a manner that ensures that the information and records are not able to be reconstructed?
How much resource will be needed from your organisation to confirm destruction by the cloud service provider?
Are the retention periods for backups aligned with your organisational retention periods?
Termination of contract
Recommendations
The contract terms and conditions should state that, if the contract is terminated, your organisation’s information and records will be returned in a usable form and removed permanently from the cloud service provider's systems.
Check that the contract includes specific details about termination, and the fate of information and records hosted.
The obligations of the cloud provider must be specified in the contract. Ensure there is a clause specifying that the terms cannot be changed regarding any IM requirements if a provider is declared bankrupt, sold to a new service provider or terminates its services.
Key questions
What are the conditions if you terminate the contract? Will your organisation be stuck, or locked-in (for example, by information lock-in, platform lock-in, tool lock-in), with your current provider because of the complications and costs of switching to a new provider?
If necessary, can the information and records be easily migrated to another provider, without the integrity of the information and records being compromised?
If the provider is changed, would the new provider have an obligation to honour the conditions in the previous contract? Would your organisation be guaranteed continued access to your information and records?
In what format will the information and records be exported back to you (such as an open format), and how long will it take before the information and records can be accessed again following termination of the contract?
What costs would be involved for your organisation?
If the service provider enhances your information and records in the cloud, will you also get a copy of those? Or is the agreement solely for the original versions?
Will the service provider be required to keep the information and records on its systems during a transition period?