Attorney-General Mark Dreyfus and the Minister Assisting for the Digital Economy, Senator Kate Lundy, have released the policy as part of the Government's push into cloud computing. The new announcements are particularly concerned with cloud's data security aspects.
It is part of a larger Protective Security Policy Framework (PSPF), a complex series of documents outlining how government agencies should “protect people, information and assets, at home and overseas.”
The cloud guidelines are designed to ensure government agencies can “take advantage of the opportunities enabled by cloud computing and the NBN while maintaining the privacy, security, integrity and availability of personal information,” said Dreyfus in a statement. “The policy will aid decision-makers in determining when to allow the use of offshoring or outsourcing on a case-by-case basis.”
The policy builds on the National Cloud Computing Strategy released at CeBIT in May by former Minister Stephen Conroy. “A key goal of that strategy is that the Australian Government will be a leader in the appropriate use of cloud services,” said Senator Kate Lundy, who now represents Conroy’s old department in the Senate.
“This Government is an enthusiastic supporter of new technology such as cloud computing, especially where it not only facilitates government business but helps us get the best value for the taxpayer dollar,” she said.
“Cloud technology is fundamentally changing the way we think about communications technology. Combined with the rollout of the NBN, cloud computing has the potential to revolutionise how we consume and use digital technology.”
Lundy said that much of the Government’s unclassified data can be stored in a public cloud, subject to a risk assessment. “Information that requires privacy protection, however, requires stronger safeguards.”
Dreyfus said the Government has paid special attention to the security of personal information. “People expect this information to be treated with the highest care by all organisations, but by government in particular,” Dreyfus said. He did not mention the recent kerfuffle over data retention, in which his department has been accused of secrecy and withholding information (CommsWire, 5 July).
“Safeguards have been incorporated so that before personal information can be stored in the cloud, the approval of the Minister responsible for the information, and my own approval as Minister for Privacy, must be given. This is to ensure that sufficient measures have been taken to mitigate potential risks to the security of that information.
“Government is trusted to hold a great deal of information on citizens and business and it is expected that this information is protected. As much of our work is online, and technology is constantly evolving, we must regularly ensure we are continuing to meet our obligations in protecting the information given to us,” Dreyfus said.
“We are now introducing a policy to assist Australian Government agencies in assessing the privacy and security risks which might occur in the cloud so they can decide when cloud arrangements are suitable for their business needs.
“The safeguards we have put in place will ensure the Government can take advantage of cloud computing to reduce storage costs and improve efficiency while still ensuring the external storage and processing of data only occurs where the privacy of personal information can be properly protected.”
He was referring to the Government’s new Protective Security Policy Framework (PSPF) which specifically mentions cloud computing and data storage. It is intended to ensure, amongst other things, that:
- Information that doesn't require privacy protection can be stored and processed in outsourced and offshore arrangements after an agency level risk assessment.
- Privacy protected information can only be stored and processed in outsourced and offshore arrangements with suitable approvals in place.
- Security classified information cannot be stored offshore unless it is in special locations (such as Australian Embassies) or under specific agreements.
The cloud aspects of the new policy have been bundled together and snappily called The Australian Government Policy and risk management guidelines for the processing and storage of Australian Government information in outsourced or offshore ICT arrangements.
It is available at the PSPF website: www.protectivesecurity.gov.au