Contracted Service Provider Notice
Use of Cloud and other off-site approaches to the digital storage of client records
(CSPN - 2017/11)
Responses to the 2017 Self Assessment Tool (SAT) indicate that a large number of contracted hearing service providers (providers) have moved to, or are considering, storage of client records in the ‘Cloud’ and other types of off-site digital records storage. Cloud storage involves digitised data being stored on servers that are not physically located in your business, i.e. remote servers, and being accessed via the internet.
Please note that this CSPN does not apply to the use of off‑site data back-up services within Australia, provided that the data being stored is purely for recovery purposes and could only be restored to your production system by the entity providing the back-up service.
Under section 4.1(g) of the Service Provider Contract 2015-2018 (the Contract), providers acknowledge that all Records (as defined in section 1.1 of the Contract) are Commonwealth records.
Under section 4.1(h), providers acknowledge they must comply with all requests of the Commonwealth in relation to Records.
As Commonwealth records, client records, including digitised records, must be stored in compliance with the Privacy Act 1988 (the Privacy Act) and the Freedom of Information Act 1982 (the FOI Act), and be accessible and retrievable in accordance with the Archives Act 1983 (the Archives Act). In accordance with the Australian Privacy Principles, personal health information is sensitive information and there are greater obligations regarding its management.
Please note that any loss, publication or unapproved distribution of client records could result in actions by the Privacy Commissioner under the Privacy Act. This would also be a breach of the Contract and could result in compliance actions including suspension or termination.
Issues with Unsecured Digital Storage Services
A number of providers indicated in their SAT that they were using Google Drive, Google Docs or Dropbox for off-site digital storage. These services do not meet the requirements for storage of Commonwealth records.
Providers using Google Drive, Google Docs, Dropbox or any other unsecured cloud/off-site digital storage are directed to cease using these services, to remove all program client records immediately and to notify us via email to email@example.com when this has been completed.
We will follow up separately in January 2018 with those providers that have indicated use of these services, to ensure this has occurred.
How to select a Cloud Storage Service?
To ensure compliance with the program requirements, providers should be using secure services for the storage of digitised client records.
Some cloud services have been assessed by the Australian Signals Directorate (the ASD) as meeting a base level of security (Unclassified with a Dissemination Limiting Marker).
A complete list of the certified cloud services can be found on the ASD website. Please be aware that not all cloud service products listed are available to private businesses.
Any agreement with a provider of cloud or off-site digital storage services, whether an ASD assessed service or not, must include an agreement that the records will be hosted on an Australian server, not on an overseas server.
You are requested to ensure you comply with the program requirements and take into account the above information prior to committing to, or renewing, any agreement for the electronic storage of client records. If the service has been assessed by the ASD, you should ask the service for its certification.
If the service you choose has not been certified by the ASD it is your responsibility to assess and confirm the security of the service. The ASD or an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment. Further information on IRAP assessments can also be found on the ASD website.
We are currently reviewing our policy for management of client records in both paper and electronic form, to ensure that any digitisation, destruction, transfer, storage and/or sharing of client records is completed in accordance with the program requirements, including the Archives Act, the Privacy Act and the FOI Act. When this review is completed, further records management guidance will be published on the program website for the information of all providers.
For information about the Privacy Act and personal health information visit the Office of the Australian Information Commissioner’s Business Resource – Handling health information under the Privacy Act: A general overview for health service providers.
Read more: Australian Privacy Principles