The Attorney-General, Mark Dreyfus QC, and the Minister Assisting for the Digital Economy, Senator Kate Lundy, today released a policy for the Government’s use of cloud computing which will ensure Government agencies can take advantage of the opportunities enabled by cloud computing and the National Broadband Network while maintaining the privacy, security, integrity and availability of personal information.
“The policy will aid decision-makers in determining when to allow the use of offshoring or outsourcing on a case-by-case basis,” Mr Dreyfus said.
The policy builds on the National Cloud Computing Strategy released in May 2013. A key goal of that Strategy is that the Australian Government will be a leader in the appropriate use of cloud services.
“This Government is an enthusiastic supporter of new technology such as cloud computing, especially where it not only facilitates government business but helps us get the best value for the taxpayer dollar,” Senator Lundy said.
“Cloud technology offers not just agility, flexibility and scalability, but also cost savings. In fact, cloud computing is fundamentally changing the way we think about communications technology.
“Combined with the rollout of the National Broadband Network, cloud computing has the potential to revolutionise how we consume and use digital technology.”
Government holds much unclassified data which, subject to a risk assessment, can be stored in a public cloud.
Information that requires privacy protection, however, requires stronger safeguards.
“I have paid special attention to the security of personal information, which people expect will be treated with the highest care by all organisations, but by government in particular,” Mr Dreyfus said.
“Safeguards have been incorporated so that before personal information can be stored in the cloud, the approval of the Minister responsible for the information, and my own approval as Minister for privacy, must be given.
“This is to ensure that sufficient measures have been taken to mitigate potential risks to the security of that information.
“Government is trusted to hold a great deal of information on citizens and business and it is expected that this information is protected. As much of our work is online, and technology is constantly evolving, we must regularly ensure we are continuing to meet our obligations in protecting the information given to us,” Mr Dreyfus said.
“I am pleased to say we are now introducing a policy to assist Australian Government agencies in assessing the privacy and security risks which might occur in the cloud so they can decide when cloud arrangements are suitable for their business needs.
“The safeguards we have put in place will ensure the Government can take advantage of cloud computing to reduce storage costs and improve efficiency while still ensuring the external storage and processing of data only occurs where the privacy of personal information can be properly protected.”
Under these arrangements:
- information that doesn’t require privacy protection can be stored and processed in outsourced and offshore arrangements after an agency level risk assessment.
- privacy protected information can only be stored and processed in outsourced and offshore arrangements with suitable approvals in place. The relevant portfolio Minister, and the Minister responsible for privacy and the security of Government information, currently the Attorney-General, will also need to agree to the arrangements.
- security classified information cannot be stored offshore unless it is in special locations (such as Australian Embassies) or under specific agreements.
The new policy is called the Australian Government Policy and risk management guidelines for the processing and storage of Australian Government information in outsourced or offshore ICT arrangements.
It is available on the Protective Security Policy Framework website.