Cloud computing is where organisations (including state government agencies) utilise internet-based services by external suppliers to store and manage data rather than internal servers.

The hardware, software and networks through which information is transmitted and stored, are owned by these external suppliers and can be located anywhere in the world and can be split across data centres in multiple countries.

When an agency utilises a cloud service provider, the information they transfer to that provider may be subject to the data privacy laws of more than one country.

Cloud computing can pose a range of privacy issues as a result.

The Information Privacy Principles Instruction (IPPI) exists to ensure state government agencies keep personal information safe from inappropriate collection, use and disclosure. The Principal Officer (usually the Chief Executive) is accountable for personal information their agency holds, whether it is stored in the agency or through a cloud service provider.

It is recommended a privacy impact assessment (PIA) is undertaken when considering the use of a cloud service provider. A PIA will help ensure personal information is safely stored in the cloud if the privacy risks are recognised at the foundation of a project or initiative and embedded into contracts.

For more information regarding contracts, see Contract Service Providers.

Agencies can demonstrate a commitment to best privacy practice by discussing the following with the service provider:

  • What level of control a foreign company/sovereignty (if the service provider is owned or controlled overseas) will have over data handled by the service provider?
  • Will the provider store the information in low-risk sites?
  • Will the information only be relocated with the agency’s permission?
  • What is the legislative environment of those sites if in a foreign country?
  • What security measures will be used for storage and what (if any) encryption will be used during transmission when the data is most vulnerable?
  • Who will have access to the information, and how will unauthorised access be prevented?
  • Is the provider willing to undergo on-demand or periodic audits by the agency or a nominated third party, in relation to information security and access arrangements?
  • Will back-up copies of the information be made; how will those copies be protected and how long will they be kept?
  • How will the provider notify the agency of any data breaches and what breach response processes are in place?
  • Will the agency have immediate access to the information when required?
  • How (and in what format) will information be returned to the agency, as required by the State Records Act 1997 (SR Act), at the conclusion of the contract?
  • How will the service provider destroy information, no longer required by the agency, at the conclusion of the contract?

Agencies will also need to ensure good information management principles are followed when using cloud computing and comply with the SR Act.

The Department of the Premier and Cabinet provides some guidance to support agencies when determining the suitability of cloud services.

Page last updated: 14 June 2024