Key Points:

The US and UK Governments have already adopted a "cloud first" approach, and Australia could be next.

Cloud computing is increasingly becoming part of our everyday lives. If you use online banking, social networks or email accounts such as Gmail or Hotmail, you are using cloud services.

Likewise, governments across the globe are beginning to move into the cloud. The US and UK have already adopted a "cloud first" approach, and the Coalition's Policy for E-Government and the Digital Economy(released while in opposition) appears to indicate support for an increased use of cloud computing and acknowledgement of the importance of its adoption at the federal level.

Australian agencies already have a path into the cloud. How must they deal with the concerns most commonly raised as impediments to the use of cloud computing – privacy and data security – and what can they expect in the future?

Australian Government Policy

In May 2013 the Australian Government released The National Cloud Computing Strategy, which aims to maximise the value of cloud computing in government, promote cloud computing to small businesses, not-for-profits and consumers, and support the cloud services sector. It also sets out a range of actions to be undertaken by the Government to promote the adoption of cloud services.

The Strategy was followed by release by the Department of Finance though the Australian Government Information Management Office (AGIMO) of the Australian Government Cloud Computing Policy v2.1, a refresh of the whole-of-government policy on agency use of cloud computing, and a range of practical guidance documents to assist agencies procure and use cloud services.

Consistent with this policy, agencies must consider cloud services as an option when planning new ICT procurements; procure public cloud services for test and development environments where appropriate; and migrate existing public facing websites to cloud services at natural refresh points, where such cloud services represent best value for money and adequate management of risk compared to other options available.

Should you be concerned about privacy and data security?

Leaving aside issues about reliable internet connectivity, the most common concerns about cloud solutions are protection of privacy and data security. However, if the risks are identified and properly managed, these concerns should not be seen as obstacles to implementing cloud solutions that meet your objectives and offer value for money.

In fact, as the Government's "Better Practice Guide – Privacy and Cloud Computing for Australian Government Agencies" (Privacy and Cloud Computing Guide) says, "[D]espite common perceptions, cloud computing has the potential to enhance privacy safeguards used to protect personal information held by Government agencies".

There are four other key documents that agencies should consult as a starting point.

From a privacy perspective, agencies should consider the Privacy and Cloud Computing Guide.

For protective security, agencies must comply with the requirements of the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM), which complements the PSPF. The Australian Signals Directorate's "Cloud Computing Security Considerations Paper" also gives detailed guidance on security issues.

Agencies must also consider the "Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements", which sets out approvals that are required depending on the type of cloud arrangement being used and the sensitivity of the information involved. Importantly, the policy provides that "security classified information cannot be stored offshore unless it is in special locations (such as Australian Embassies) or under specific agreements".

Before the procurement, agencies should conduct a thorough risk assessment, which means considering factors such as:

  • the type of information that would be moved into the cloud, and the sensitivity of that information (for example, is it confidential, security classified or subject to the Privacy Act?);
  • the agency's specific obligations in relation to the information (for example, health records have specific requirements in addition to confidentiality and privacy);
  • the security measures required to protect the information such as access controls and encryption, and what protections, including disaster recovery procedures, the cloud provider has in place;
  • the location of any data centres to be used;
  • foreign laws that might apply;
  • the cloud provider's reputation and experience with regards to privacy and security; and
  • the type of cloud solution being considered. For example, private clouds may cost more than public clouds, but can offer greater data security, flexibility and be more adaptable to the specific needs of a customer.

Key areas to address in the contractual arrangements with cloud providers include:

  • ownership and control of the data;
  • appropriate security, privacy and confidentiality provisions, including compliance with the Privacy Act's Information Privacy Principles (and Australian Privacy Principles from March 2014), the PSPF, ISM and other relevant Australian Government policy;
  • a process for reporting data breaches;
  • data back-up procedures, and business continuity and disaster recovery plans;
  • guaranteed access to the data by the agency and the return/destruction of the data at end of the arrangement as appropriate;
  • possible data segregation; and
  • restrictions on access to, and use of, the data.

Next steps for Australia: a community-government mix?

The UK Government's approach may give some insight into where Australia will head. Its "Cloud First" policy is intended to drive further adoption of cloud computing in the public sector; under it, agencies must consider the public cloud first in any IT procurements.

At its heart is CloudStore, an online catalogue of suppliers and cloud computing services, including public, private and hybrid (ie. public/private mix) models offered as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Specialist Cloud Services (SCS). Agencies have been given a target to achieve 50% of new IT spend on cloud, and 25% use of Small and Medium sized Enterprises by value, by 2015. At least 75% of suppliers available through the CloudStore are SMEs.

As set out in its Strategy, one of the next steps for the Government is to explore the feasibility of a community government-cloud, similar to the UK's CloudStore. Part of this study will consider how the success of AGIMO's Data Centre Facilities Panel, currently being refreshed, can be built upon.

AGIMO recently announced that the Data Centre as a Service (DCaaS) Multi Use List (in place since 18 October 2012) has resulted in 22 contracts totalling $1,050,000 being put in place by agencies, including 15 private clouds and seven public clouds. Of those 22 cloud arrangements, 10 are PaaS, eight are IaaS and four are SaaS. AGIMO also noted that an unexpected benefit of the DCaaS Multi Use List has been "the use of the DCaaS service catalogue by agencies as a research tool to examine the options available from the emerging cloud services market place".

AGIMO is to report on the community government-cloud feasibility study by April 2014. While agencies will always need to consider their particular needs and circumstances the ability to use a government-cloud would make the process of procuring cloud solutions much easier, as key protections and risk mitigations would already be addressed.

You might also be interested in...

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.