Last updated:

What are cloud services?

Cloud services involve providing computing resources - like servers, storage, databases, networking, software and more - over the internet. Instead of owning and managing physical hardware or software, users can access these resources on-demand from cloud service providers. Cloud services offer scalability, flexibility and cost-effectiveness since users can pay for what they use without the need for extensive infrastructure investments. This type of system allows flexibility for agencies and to support employees to work remotely.

Cloud computing services are broadly divided into the following categories:

Infrastructure-as-a-Service (IaaS)

IaaS provides virtualised computing resources over the internet. Users rent or lease IT infrastructure - such as virtual machines, storage, networking and other resources - rather than owning and maintaining physical hardware and data centres.

IaaS typically hosts applications containing database records but also accommodating documents. Organisatons can generally wield significant control of these services, enabling configuration of retention and disposal mechanisms as needed.

Platform-as-a-Service (PaaS)

PaaS provides a complete platform allowing developers to build, deploy and manage applications without dealing with the underlying infrastructure. PaaS offers a comprehensive environment that includes tools, libraries, development frameworks, middleware and more, to streamline application development lifecycle. The Google apps store is just one example of this service.

PaaS grants organisations more control over the platform, however considerations regarding data management and governance need to be thought through and understood to maintain control of public records and long-term management of those records.

Software-as-a-Service (SaaS)

SaaS delivers software applications over the internet, allowing users to access and use the software through a web browser or application interface without needing to install. manage or maintain the software on their own devices or servers. These could include a remote CRM such as Salesforce, a cloud-based collaboration tool like Slack or Google Workspace (formally G suite).

Data retention in SaaS, particularly for platforms that manage documents (like DiligentBoard) and data (Tableau), requires understanding of vendor policies and retrieval procedures for long-term management of public records. It's crucial to consider implications of payment lapses or subscription termination. SaaS poses challenges in retention and disposal due to fewer configuration options compared to PaaS and IaaS. Furthermore, risks such as unauthorised use of Victorian Government data for marketing, training or AI model generation purposes should be addressed proactively.

 

Decision-making for cloud services

Victorian government agencies are actively managing numerous services and data storage functions to cloud-based environments. It is crucial for agencies to uphold their responsibilities concerning public records when opting for cloud services. Public records (including data/information) should only be housed in cloud environments that meet the mandatory PROV Standards when using externally provided technologies/ infrastructure. Contracts with cloud service providers must include clauses that safeguard agency records.

Factors to consider

  1. Information and data security: Ensure robust measures are in place to protect the confidentiality, integrity and availability of public records. This includes from unauthorised access, breaches or cyber threats.
  2. Privacy: Understand how personal information will be handled by the cloud service provider, mitigate privacy risk and ensure compliance with privacy legislation is monitored and reviewed (See also Privacy and Data Protection Act 2014 and OVIC privacy resources for organisations for further clarification).
  3. Destruction and disposal: Providers should be able to facilitate agencies mechanisms for authorised and complete record destruction and prevent any unauthorised disposal.
  4. Longevity and reliability: Assess the provider's stability and the long-term viability of their cloud systems to ensure continuity of service.
  5. Data integrity and metadata maintenance: Ensure data remains intact and unaltered, including the maintenance of metadata for proper context and accuracy.
  6. Authenticity and auditability: Providers should offer means to demonstrate the authenticity of data and enable audit trails for accountability.
  7. Protection of copyright and proprietary interests: Ensure measures are in place to protect against unauthorised use or infringement of proprietary data.
  8. Retrieval and extractability: Verify the ease and reliability of retrieving records (including data) while it's stored in the cloud and ensure the ability to extract records in case of service discontinuation.
  9. Accessibility and continuity: Ensure seamless access to records for agencies is maintained with consideration for fulfilling obligations related to Freedom of Information (FOI) applications, inquiries, Royal Commissions or other legal requirements.
  10. Data sovereignty and governance: Verify where records (including data/information) are hosted, ensuring arrangements to safeguard that data is held in accordance with legislative requirements. Consider potential foreign legislative, regulatory or administrative obligations for foreign-owned companies that may impact the security and accessibility of public records.
  11. Recordkeeping integration: Integrate recordkeeping requirements into strategic planning and design phases of information technology infrastructure, system procurement, implementation and decommissioning to ensure compliance and continuity of public records management.

Agencies should prioritise their obligations regarding public records and focus on selecting providers and services that ensure high-quality treatment of agency records. 

See the PROV Recordkeeping and cloud services policy for further information.

Guidelines and tools

Regulatory compliance is essential when considering recordkeeping in cloud services. Agencies are required to manage public records in line with the Public Records Act 1973 (the Act) and in accordance with the Recordkeeping Standards issued by the Keeper of Public Records under the Act. regardless of the format or where they are stored.

This means understanding requirements concerning creation, management, preservation and disposal of public records even when employing cloud services for storage or data management.

There are also other legislative considerations that involves public records including privacy, legal disclosure, security, evidence integrity, disposal prevention and copyright protection.

See the legislation topic page for more information.

In line with the mandatory Operational Management Standard, agencies must ensure that recordkeeping requirements are included and properly discharged in the contracting of a provider to deliver services.

The procurement process serves as a critical mechanism for ensuring that recordkeeping requirements are appropriately considered and addressed when leveraging cloud services. By integrating recordkeeping considerations into procurement practices, agencies can enhance compliance, mitigate risks and safeguard the integrity and accessibility of their records in the cloud.

The process allows agencies to:

  • assess whether cloud service providers comply with relevant recordkeeping regulations and standards
  • conduct risk assessments to identify potential risks associated with cloud-based recordkeeping
  • assess data security, privacy measures, data sovereignty and the provider's ability to meet recordkeeping requirements. Addressing these risks upfront helps in selecting a provider that aligns with the agency's risk tolerance and compliance needs
  • negotiate contractual terms that specifically address recordkeeping requirements. This includes stipulating data retention periods, access controls, auditability and the provider's obligations regarding data disposal. Clear contractual agreements help establish accountability and ensure that recordkeeping obligations are met throughout the service agreement. 

It is also important to ensure that the procurement process is not a one-time event but an ongoing practice. Agencies should continuously assess their cloud service providers' performance in meeting recordkeeping requirements. This includes periodic reviews of compliance certifications, audits and updates to contractual agreements to reflect changes in regulatory landscapes or agency needs.

See the procurement - sourcing and contract management topic page for more information.

Identifying risks for cloud environments

The Act refers to the significance or importance of records as evidence of activities, functions, decisions and transactions of an organisation or government agency. A record is defined as a document, as specified under the Evidence Act 2008

Evidential value is a critical concept in records management. It determines whether a record should be retained for legal, administrative, historical or other purposes. Records with high level evidential value are typically those that document key decisions, actions, policies and transactions that have legal or operational implications.

In line the Public Records Act 1973 and following the mandatory Standards set forth by the Keeper of Public Records under the Act, public records must be properly managed and preserved to ensure their authenticity, reliability and accessibility over time. This includes establishing appropriate recordkeeping systems, retention schedules and procedures for the disposal or transfer of records to archival institutions.

PROV acknowledges the need for prioritisation in managing resources. PROV advocates for a value and risk-based approach to records management, where the importance of records to the public office, government and community, as well as the risks associated with improper management, determine resource allocation. Strategies for preservation and risk mitigation should be implemented to ensure records remain accessible and useable for their required retention period, especially for records that outlast the systems in which they were created.

All cloud service environments should undergo a comprehensive value risk assessment, encompassing the definition and establishment of recordkeeping requirements within contractual arrangements with service providers. This assessment should include monitoring performance against these requirements as part of contract management, ensuring accessibility for service managers and users, effective service management, maintenance of evidential value for record authenticity and reliability, implementation of mechanisms to ensure integrity against unauthorised modification, and compliance with relevant Victorian legislative requirements and standards for privacy and information security.

See the Value and Risk Policy for more information.

Conducting risk assessments are highly recommended and aligns with the Department of Treasury and Finance's Risk Management Framework for Victorian government. Agencies need to identify and evaluate risks associated with cloud environments through stakeholder consultations, analysis and scenario planning. Using existing methodologies and templates can streamline the process.

Assigning likelihood and consequence rankings to identified risks using a risk matrix allows agencies to visualise priorities and plan remediation strategies effectively. Engaging both internal and external stakeholders, learning from past incidents and using lessons to evaluate risks can enhance risk assessment accuracy.

The risk management process should encompass a continuous loop of communication and consultation, monitoring and review, recording and reporting, with risk assessment and treatment placed at is core.

RiskDescription
Unauthorised access/ Cyber-attackUnauthorised access (including through malicious attack) to public records and data stored in the cloud, potentially leading to theft of sensitive information, loss of confidentiality and reputational damage
Loss of records Accidental or malicious deletion of records stored in the cloud, resulting in record loss and potential compliance violations
Loss of access/ service outageTemporary or prolonged unavailability of cloud services, disrupting access to records and business operations
Inadequate Service Level Agreements (SLAs)Poorly defined SLAs that do not clarify provisions for records accessibility and recovery during service disruptions or outages
Limited data backupInadequate backup procedures for cloud-stored records, increasing the risk of record loss in the event of system failures or disasters
Record/data corruptionIntegrity issues with stored records, such as data tampering or corruption, impacting the reliability and accuracy or records
Inadequate management of data, including metadataLacks the capability or has limited ability to effectively capture and store relevant metadata and related information needed to make the record easily retrievable and ensure credible and verifiable evidence
Incomplete/inaccurate data migrationInadequate provisions in place to ensure the accuracy and authenticity of data migration/transfer, particularly relevant at the beginning and cessation of arrangements with service provider
Inadequate data encryptionInsufficient encryption measures to protect data in transit and at rest, increasing the risk of unauthorised access and data breaches
Content integrity and authenticityIncomplete or non-existent audit trails tracking access and modification to records, hindering compliance reporting and forensic investigations
Software vulnerabilitiesSecurity flaws or weaknesses in cloud service provider software, exposing stored records to exploitation and compromise
Vendor lock-inDependency on a single cloud service provider, limiting flexibility and increasing the risk of service disruptions or price hikes
Compliance audit failureInability to demonstrate compliance with recordkeeping regulations during regulatory audits
Compliance violationsFailure to adhere to regulatory requirements governing recordkeeping in the cloud leading to legal actions and reputational harm
Data mining or scraping/ copyright protectionLack of appropriate safeguards, controls and guidelines to protect data mining or scraping in cloud environments.

 

  1. Implement robust access controls and encryption mechanisms to safeguard data confidentiality and integrity
  2. Regularly audit cloud service providers' security practices and compliance certifications to ensure alignment with regulatory requirements
  3. Conduct thorough risk assessments and implement appropriate controls to mitigate identified risks
  4. Conduct a thorough review of SLAs to ensure they include robust provisions for record accessibility, availability and recovery in case of service disruptions or outages
  5. Establish comprehensive data backup and disaster recovery protocols to minimise the impact of data loss and service disruptions. This may involve exploring diverse provider options to enhance redundancy coverage
  6. Develop and enforce policies and procedures for secure recordkeeping practices in the cloud, including employee training and awareness programs
  7. Establish terms of use agreements and fair use principles to reduce copyright infringement
  8. Diversify cloud service providers and negotiate contractual agreements that address data security, privacy and compliance requirements
  9. Stay informed about emerging threats and vulnerabilities in cloud technologies and understand providers ability to act promptly to mitigate risks
  10. Engage legal counsel or compliance experts to assess regulatory compliance and develop risk mitigation strategies tailored to specific industry requirements.

A crucial mitigation approach involves consistently involving your recordkeeping specialist in decision-making regarding requirements. They can play a key role in setting up procedures and delivering essential training for your agency, ensuring compliance and cohesive utilisation of cloud services.

A risk matrix is a tool used to assess and prioritise risks, traditionally presented as a heat map table that assesses likelihood versus consequence. Using a risk matrix provides a framework for identifying, assessing and mitigating risks associated with recordkeeping in cloud services. This can help agencies make informed decisions to protect their record assets and maintain compliance with regulatory obligations.

A consequence/likelihood matrix serves to assess and convey the comparative severity of risks by considering a consequence/likelihood pair typically linked to a specific event.

Example of a basic consequence/likelihood matrix* for recordkeeping risks for cloud services aligned with AS ISO 31000:2018 and the Office of the Victorian Information Commissioner (OVIC) Victorian Protective Data Security Framework Business Impact Level Table V2.1:

LikelihoodConsequenceDescriptionVPDSF Business Impact Level
Almost CertainCatastrophicTotal loss of critical records/dataException (5)
 MajorSignificant loss of important records/dataSerious (4)
 ModeratePartial loss or corruption of records/dataMajor (3)
LikelyMajorSignificant data breach or unauthorised accessSerious (4)
 ModerateMinor data loss or corruptionMajor (3)
 MinorTemporary unavailability of records/dataLimited (2)
PossibleMajorLimited data breach or unauthorised accessSerious (4)
 MinorMinor data loss or corruptionLimited (2)
 InsignificantMinimal impact on recordkeeping operationsMinor (1)

 

Developed in line with AS ISO 31000:2018 Risk Management - Guidelines and AS/NZS IEC 31010:2020 Risk Management - Risk Assessment Techniques.

*Agencies are encouraged to evaluate their own needs and procedures using an applicable risk matrix tailored to their specific circumstances.

Managing public records in cloud services

Ensuring the accessibility, security and longevity of records stored within cloud services is vital for agencies tasked with maintaining public records. This entails a thorough evaluation of the agency's capacity to uphold public records accessibility, especially in scenarios of service unavailability or cessation. A notable example is the integration of M365 operations with cloud services, which underscores the importance of robust contingency planning. 

The ramifications of compromised access to cloud services extend beyond mere inconvenience; they pose a direct threat to the retrieval of essential records and can disrupt vital agency operations. Hence, meticulous planning and the implementation of secure backup strategies are essential measures. These proactive steps help mitigate risks associated with potential service disruptions, ensuring the confidentiality, integrity and availability of public records remain intact. 

Additionally, it is important for agencies to ensure the identification and transfer of digital records with permanent value to PROV in the required VERS Encapsulated Objects (VEOs) format for long-term preservation. There is also a recommendation to convert temporary digital records with extended retention periods into VEOs. VEOs contain digital records in an approved long-term preservation format along with relevant metadata.

View the Microsoft 365 and VEO creation topic pages for additional information. For detailed definitions of permanent and temporary digital records, consult our glossary guide and Appraisal topic page.

 

Other considerations

Resourcing is an important part of managing recordkeeping requirements for cloud environments. The PR Act places responsibility on the head of each Victorian public office to ensure compliance with PROV Standards. This involves establishing and maintaining a records management program, ensuring adequate resourcing and governance, authorising strategies and policies and providing organisational direction on recordkeeping requirements. While responsibility for the program may be delegated, the head retains a vital role in signaling support and emphasising the importance of good recordkeeping. Delegated roles must be sufficiently senior to govern, enforce and resource recordkeeping effectively. Operational staff must possess requisite expertise, with measures taken to address skill gaps as needed. Given records' dispersion across organisational systems, those responsible for records management must have authority to implement effective controls throughout these systems and processes. See the Staff resourcing model for more information.

Artificial Intelligence (AI) is used in various ways in cloud services to enhance functionality, improve efficiency and provide value-added services. As AI technologies continue to advance, their applications in the cloud are expected to expand further, enabling more intelligent and efficient services across various industries.

AI in cloud services can be leveraged to enhance efficiency, improve service delivery and better meet the needs of users, however care need to be taken to uphold recordkeeping requirements and principles of accountability, transparency, security, privacy and ethical use, and to avoid unintended consequences. See the Artificial Intelligence topic page for more information.

 

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples