Cloud systems use internet-based cloud services to store and manage information rather than internal servers.

The hardware, software and networks supporting cloud systems are owned by external cloud service providers (providers). These providers can be located anywhere in the world and sometimes split across data centres in multiple countries.

Agencies need to ensure any cloud system they use takes into consideration government and legislative requirements in relation to information management and privacy.

Applicable legislation and policies

For state government agencies, cloud systems must meet the requirements of the:

They should also align with your agency’s business and ICT strategies.

The Department of Treasury and Finance provides several resources to support agencies when determining the suitability of cloud systems. Privacy considerations are also discussed in more detail below.

As with all official records, those created, stored and managed in the cloud by state government are subject to the:

Agencies should conduct a thorough due diligence process before entering any arrangement with a provider. Consultation with procurement services (e.g. in-house and/or Procurement SA) and legal (e.g. the Crown Solicitor’s Office) is also recommended.

For further information on contracting and information management see Contracting and Information Management.

Cloud systems and official records

Agencies are responsible and accountable for managing the storage, access, alteration, transfer and destruction of their official records, regardless of where they are held.

Official records need to:

  • retain their integrity, authenticity and reliability
  • be accessible and retrievable
  • be securely and completely destroyed when authorised
  • be retained if they have a permanent value.

Storage and maintenance of official records with providers outside of the state and/or Australia can have a variety of business and legal risks that need to be identified, managed and mitigated.

  • Your agency may have legislation that prohibits sending or storing official records outside of the state or Australia.
  • Interstate/international providers may not comply with legislative or regulatory requirements of your agency.
  • Official records may be subject to legislation and other requirements of the interstate/international provider jurisdiction.
    • For example, privacy laws of an overseas jurisdiction may apply to any information stored within the jurisdiction, even if the information did not originate in that jurisdiction.
    • Other laws may permit access to your information by investigative or watchdog bodies within the provider jurisdiction.
  • Your agency may not be able to undertake site inspections and audits of interstate/international providers. Accordingly, your agency may not be able to ensure official records are stored and maintained in accordance with the SR Act.
  • There may be increased risk associated with unauthorised access to official records, particularly where providers subcontract parts of their operations to other companies. In addition, providers may co-locate your official records with those of another organisation.
  • Record accessibility may be at risk. There is the potential for periodic disruption to service where official records may be inaccessible. Your agency needs to ensure timely access to official records for business purposes including FOI.
  • There may be a risk of official record destruction or loss where:
    • an entity in another state or country accesses and claims ownership or takes control of the official records
    • the official records are not returned upon request or at the conclusion of the contract, or returned only on payment of a fee
    • the provider has inadequate backup and restoration arrangements
    • the provider upgrades to hardware/software which is not compatible with your agency’s, leading to potential data loss or official records not being readable upon return
    • the provider disposes of official records without your agency’s approval.
  • Official records (appropriately authorised by your agency) may not be disposed of completely, or in a timely manner. Some providers replicate records for multiple backups, sending copies to sites in different locations or even different jurisdictions. This can mean time-expired records are not fully deleted.
  • The evidential value of official records may be altered or damaged. Providers need to maintain appropriate audit trails and descriptions of management processes performed on records.

When using cloud systems, your agency needs to ensure the provider has the capability to store and manage agency information in accordance with agency requirements. This may include management of the entire information lifecycle, depending on the contract.

Additional safeguards and/or contract conditions are required if the official records include sensitive personal information or secrecy/confidentiality requirements.

Your agency should ensure contractual arrangements with any provider acknowledge:

  • ownership of the records remains with the agency
  • the agency has a continuing responsibility for the proper management of official records, including disposal of records in accordance with an approved disposal schedule
  • official records and associated metadata will be returned to the agency when requested and at the conclusion of the contract.

Your agency should plan for how official records and associated metadata will be managed when contracts are terminated. In particular, the data should be returned in a useable form and removed permanently from the service provider’s systems.

Where possible, agreements should include requirements for regular reporting against recordkeeping measures. Arrangements should also specify your agency will be advised of any changes to storage arrangements, back-up and recovery procedures or security controls.

Cloud systems and privacy

Agencies need to ensure all official records (including those that contain personal information) held in cloud systems are protected. The personal information you transfer to a provider may become subject to the data privacy laws of more than one country. Using cloud storage can pose a range of privacy issues as a result.

The IPPI exists to ensure state government agencies keep personal information safe from inappropriate collection, use and disclosure. Your Principal Officer (usually the Chief Executive) is accountable for the personal information your agency holds, whether it is stored in your agency or through cloud storage. Local Government agencies and universities need to refer to their privacy policy.

It is recommended a Privacy Impact Assessment (PIA) is undertaken when assessing a provider’s suitability. Conducting a PIA at the start of a project will identify privacy risks and enable protections to be embedded into the contract. This will ensure personal information is safely stored before it is even transferred. For more information regarding PIAs, see Privacy Impact Assessment Guideline.

Your agency should ensure contractual arrangements with any provider include reference to the IPPI.

Checklist – Questions to ask

Cloud service providers should be able to answer questions regarding functionality, reliability, availability, security, privacy, data ownership/stewardship, integration and customisation.

Consider asking the following:

  • Will ownership of the records remain with your agency?
  • Will the provider store the records in low-risk sites?
  • Can you specify functionality and metadata requirements to meet your agency’s regulatory and business requirements?
  • Will the information only be relocated with the agency’s permission?
  • What is the legislative environment of those sites if in a foreign country?
  • What security measures will be used for storage and what (if any) encryption will be used during transmission when the data is most vulnerable?
  • Who will have access to the information, and how will unauthorised access be prevented?
  • Is the provider willing to undergo on-demand or periodic audits by the agency or a nominated third party, in relation to information security and access arrangements? Or are they subject to external security audits and/or certification processes?
  • Will back-up copies of the information be made; how will those copies be protected and how long will they be kept?
  • Does the provider have disaster recovery measures in place? Is restoration of your information possible, in a reasonable timeframe, in the event of an incident?
  • Can the provider guarantee your agency’s records aren’t used for applications not specified in the contract (for example to data match with databases owned by other clients)?
  • How will the provider notify the agency of any data breaches and what breach response processes are in place?
  • Will the agency have immediate access to the information when required?
  • How (and in what format) will information be returned to the agency, as required by the SR Act, at the conclusion of the contract?
  • How will the service provider destroy information, no longer required by the agency, at the conclusion of the contract?
Page last updated: 18 November 2025