Disclaimer: The below query has been made available for general information sharing purposes only. The advice provided was valid at the time of release and we realise the application of our response may vary from agency to agency. We recommend you also check your local policies and procedures for any requirements specific to your circumstances.
Agency question
I need some help with recordkeeping in the cloud. At present, our agency is publishing some of its public content via a branded website, X which is hosted via a simple WordPress CMS. All information on the site is published for public consumption. In essence, we’re wondering whether retaining within the CMS and backed up in a Cloud environment – is classified as adequate record-keeping?
QSA response
There is no requirement under the Public Records Act or from QSA to manage records in a specific application, however, regardless of where public records are held, agencies must ensure they are:
- managed securely and have appropriate access permissions applied
- retained for as long as required
- disposed of securely in a manner that is irreversible.
Electronic document and records management systems (eDRMS) have the above capabilities built in so if your agency has an eDRMS, you may need to develop and implement processes for capturing records from the cloud into the eDRMS.
If you are managing the records outside an eDRMS, you need to ensure the system can still meet the above requirements. You can find more information about determining business and technology requirements and the risks and issues with managing records in cloud storage and services on our website.
More information
You can contact us via email, telephone (3037 6630), and Twitter, or leave a comment below.