Records Management and the cloud - Records Toolkit

Version 1.0
June 2015
Records Management and the Cloud
Introduction
Cloud based services are increasingly used by public sector organisations in New Zealand.
They offer efficient and cost-effective computer solutions. These benefits must, however, be
weighed up against the risks associated with privacy, security and records management.
This quick guide deals with the implications of the use of cloud services by public offices and
local authorities as defined in the Public Records Act 2005 (the Act).
What requirements should be taken into
consideration when assessing a cloud service?
The requirements of the Act and the Records Management Standard remain when records
are held in cloud services. Public offices and local authorities are ultimately responsible and
accountable for managing their records wherever they are held. Public Records and Local
Authority Protected Records must:
Retain their reliability, authenticity and integrity
Be usable (accessible and retrievable)
Be able to be securely destroyed or transferred when authorised
Mandatory requirements for State Sector Agencies when adopting cloud services have been
issued by the Government Chief Information Officer in their Requirements for Cloud
Computing. This guidance outlines a robust information management process to undertake,
including classifying the information to be held in the cloud. No information classified above
RESTRICTED can be placed in public cloud systems. A risk assessment, including privacy
and security issues, is necessary, with the expectation that risks are systematically identified,
analysed and evaluated, with controls provided to effectively manage them.
When implementing cloud solutions, public offices and local authorities need to consider the
information governance issues around privacy, access and compliance. The organisation
needs to ensure that the cloud systems they use efficiently support their business-as-usual
records management processes. This maintains the business value of the records.
Some questions that arise are:
What is the impact of migration decisions on the reliability and completeness of data
(including metadata)?
What export will be possible – bulk/individual items/drag and drop?
Do the terms of use specifically forbid reuse of client data for other purposes?
What are the deletion practices?
Have the records management processes for associated tools been considered?
What legal issues arise with off-shore cloud service providers?
What is the possible impact of system updates on the integrity of information?
My organisation stores data on cloud systems. Is
stored data a form of record?
Yes. The Act defines a record as:
information, whether in its original form or otherwise, including (without limitation) a
document, a signature, a seal, text, images, sound, speech or data compiled, recorded, or
stored, as the case may be, in written form on any material, or on film, negative, tape or other
medium so as to be capable of being reproduced, or by means of any recording device, or
process, computer, or other electronic device or process. (Public Records Act 2005 section
4)
Public offices and local authorities that use cloud services should do so in line with their
recordkeeping strategies and policies. This does not mean that an organisation should not
produce internal documents specific to their use of cloud services, but an organisation’s
approach should be consistent across all platforms.
Do staff responsible for records need to be involved
with the organisation’s use of cloud services?
Yes. The involvement of staff with responsibility for records will benefit an organisation when
it is considering the adoption and use of cloud services. The potential challenges around
managing records in the cloud need to be well understood and managed.
Staff with responsibility for records should be involved in the initial risk assessment and
planning, as well as during business-as-usual operation.
How is disposal affected?
Use of cloud services for the purposes of storage is not a form of disposal and staff need to
monitor the retention, destruction and transfer of records held there. Records held in the
cloud must have retention periods and the disposal action of either destroy or transfer to
Archives New Zealand applied to them. For public offices, the disposal authorities specific to
your organisation, and the general disposal authorities, will guide the management of these
records.
Information about disposal can be found in the Records Toolkit: Disposal
Do cloud services allow for the effective auditing of
the use and management of the records?
An organisation should understand the audit capabilities of their cloud service to ensure that
they are able to provide sufficient information about the use and management of the records.
This information is needed to assess if it will meet the requirements of the Act and the
Records Management Standard (with particular reference to the metadata requirements).
Other Resources
Useful resources giving direction and advice on the use of cloud computing.
Requirements for Cloud Computing – Office of the Government Chief Information Officer.
New Zealand Cloud Computing Code of Practice – Institute of IT Professionals NZ
Cloud computing – A guide to making the right choices – Office of the Privacy Commissioner
Records Management and the cloud – National Archives of Australia
Frequently Asked Questions about Managing Federal Records in Cloud Computing
Environments – US National Archives and Records Administration
For further information please contact us at: rkadvice@dia.govt.nz