Contracted Service Provider Notice
Use of Cloud Services for storage of client records
(CSPN - 202014)
The protection of client health and personal information is very important. Hearing Services Program (the program) client records are protected by the Privacy Act 1988, the Hearing Services Program (Voucher) Instrument 2019 and the Service Provider Contract.
The Management of Client Records factsheet and Frequently Asked Questions outline program requirements about client records, including use of cloud services. Providers were required to use only cloud services providers which had been certified by the Australian Signals Directorate (ASD).
As of 27 July 2020, the ASD ceased the Certified Cloud Services List and new arrangements are being established.
Until new arrangements are in place, those using previously ASD certified cloud services can continue to do so. If you are using a cloud service that was not previously certified by the ASD or you are not sure, please email us immediately via firstname.lastname@example.org with the details.
The Management of Client Records factsheet and FAQs have now been updated to support providers in managing the cloud services they use for program client information.
Cloud Services survey
To assist in its development of requirements for cloud services, the Department of Health is asking providers for information about the cloud services they are using. This information will help the department develop requirements that will be appropriate for all providers.
If you are currently using cloud services for the storage of client records, please complete the Citizen Space survey on cloud services.
Please contact your cloud services provider and confirm the appropriate responses to each question before starting the survey. Please ensure the responses are specific to the arrangements in place for your business.
The questions on the survey are:
- What is the name of the cloud service provider you are using (e.g. Microsoft, Amazon)?
- What is the name of the specific cloud service being used (e.g. Microsoft Azure, Office 365)?
- Is the specific cloud service being used a Platform as a Service (PaaS) or Software as a Service (SaaS)?
  - If PaaS: What assurances do you have that the cloud platform service being used, as well as the system installed on the platform, is secure and configured appropriately?
  - If SaaS: What assurances do you have that the cloud software service you are using is secure and configured appropriately?
- Does your agreement with your cloud services provider state that the records will be hosted on an Australian server, will not be disclosed outside Australia, and will be encrypted to at least the equivalent of Official with a Dissemination Limiting Marker (DLM) of Sensitive?
- Approximately how many client records are stored within your cloud services or systems?