Considerations for Outsourcing Records Storage to the Cloud

Similar documents
Strategies for Developing a Document Imaging & Electronic Retention Program

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Cloud Computing: Legal Risks and Best Practices

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

How To Ensure Health Information Is Protected

Union County. Electronic Records and Document Imaging Policy

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Information Sheet: Cloud Computing

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

Cloud Service Contracts: An Issue of Trust

Cloud Computing and Records Management

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline)

NSW Government. Cloud Services Policy and Guidelines

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Responsibilities of Custodians and Health Information Act Administration Checklist

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

How the Information Governance Reference Model (IGRM) Complements ARMA International s Generally Accepted Recordkeeping Principles (GARP )

Standard: Information Security Incident Management

Business System Recordkeeping Assessment - Digital Recordkeeping Compliance

The potential legal consequences of a personal data breach

Enforce Governance, Risk, and Compliance Programs for Database Data

Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.

Managing Contracts under the FOIP Act. A Guide for Government of Alberta Contract Managers and FOIP Coordinators

Wellesley College Written Information Security Program

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC.

Article 29 Working Party Issues Opinion on Cloud Computing

INFORMATION TECHNOLOGY SECURITY STANDARDS

What We ll Cover. Defensible Disposal of Records and Information Litigation Holds Information Governance the future of records management programs

plantemoran.com What School Personnel Administrators Need to know

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records

State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN. January 2010 December 2012 DECEMBER 31, 2009

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

RECORDS MANAGEMENT POLICY

INTERNATIONAL SOS. Data Retention, Archiving and Destruction Policy. Version 1.07

Administrative Procedures Memorandum A1452

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

Privacy in the Cloud Computing Era. A Microsoft Perspective

Cloud Computing Contracts. October 11, 2012

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

PHIA GENERAL INFORMATION

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Retention & Disposition in the Cloud Do you really have control?

DATA BREACH COVERAGE

A Privacy and Data Security Checklist for All

Cloud Computing Contracts: Hazards Ahead

Requirements for Technology Outsourcing

Service Schedule for CLOUD SERVICES

Generally Accepted Recordkeeping Principles

Operational Risk Publication Date: May Operational Risk... 3

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention

Credit Union Code for the Protection of Personal Information

Guidelines for Digital Imaging Systems

Procedure for Managing a Privacy Breach

PRIVACY BREACH POLICY

Data Protection Act Guidance on the use of cloud computing

Remote Deposit Service Terms and Conditions Personal and Business Accounts

Introduction Thanks Survey of attendees Questions at the end

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

HIPAA Security Alert

PIPEDA and Online Backup White Paper

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines

Privacy and Cloud Computing for Australian Government Agencies

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Global Headquarters: 5 Speen Street Framingham, MA USA P F

This form may not be modified without prior approval from the Department of Justice.

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Microsoft s Compliance Framework for Online Services

Accelerating HIPAA Compliance with EMC Healthcare Solutions

Personal Information Protection Act Information Sheet 11

How To Deal With Cloud Computing

Privacy Best Practices

Generally Accepted Recordkeeping Principles How Does Your Program Measure Up?

The HR Skinny: Effectively managing international employee data flows

VENDOR MANAGEMENT. General Overview

Signing the Contract - Contracture of People Managers

Montclair State University. HIPAA Security Policy

Which Backup Option is Best?

Data Processing Agreement for Oracle Cloud Services

Attachment A. Identification of Risks/Cybersecurity Governance

TAB Guide: Demonstrating Return-On-Investment for Records Management Initiatives

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

RECORD AND INFORMATION MANAGEMENT FRAMEWORK FOR ONTARIO SCHOOL BOARDS/AUTHORITIES

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Accountable Privacy Management in BC s Public Sector

Gain Efficiency, Cost Savings and Compliance with Iron Mountain s Portfolio of Services

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Cloud Computing Contract Clauses

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Management: A Guide For Harvard Administrators

TECHNOLOGY AND INNOVATION DEPARTMENT BACKUP AND RECOVERY REVIEW AUDIT SEPTEMBER 23, 2014

Test Data Management for Security and Compliance

EHR Contributor Agreement

Transcription:

Considerations for Outsourcing Records Storage to the Cloud

2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage to Retention 4.0 Keeping it private and secure PART II: Making Cloud Storage Work: A Records Management Action Plan 1.0 Get it in Writing 2.0 Enforce the written requirements! 3.0 Establish Records Retention Periods 4.0 Make sure the solution supports retention periods 5.0 Understand Location Requirements 6.0 Assess information retrieval and accessibility capabilities 7.0 Perform a Privacy Impact Assessment PART III: Moving Toward a Cloud-Based Solution The phrase cloud computing can refer to a wide range of network-based applications and services. In the specific context of records and information management, the cloud more typically refers to network-based storage arrangements, whereby electronic records are actually moved to a vendor s storage hardware but retrieved and used from the customer s work locations via remote access. The more widely acknowledged benefits of such an arrangement include cheaper, higher capacity storage without the large capital outlay that an organization would require to build or expand its own infrastructure. Combine this with the increasing prevalence of electronic recordkeeping, and it s a wonder every business organization isn t actively moving its records to the cloud. So why are some organizations hesitating? This article explores the very real legal and business challenges that cloud computing can pose for an organization. While none of these challenges need be an impediment to realize the benefits of the cloud, they do warrant careful assessment and planning. By giving these questions full consideration and taking active steps to mitigate identified risks, an organization can enjoy the advantages of the cloud model while at the same time meeting the basic principles and objectives of an effective records management program. Part I: Identifying the challenges Challenge 1: Are we even allowed to move the records? The most common question that comes up regarding cloud-based storage is, Are we allowed to do it? In other words, is it legal? As with many questions in records management, the answer depends on a variety of legal and business factors. While statutes and regulations typically do not use phrases like cloud computing, laws in the United States, Canada and other jurisdictions can be quite specific about the location and format in which required records must be retained. A survey of commercial sector legislation in North America shows clear requirements to retain specified records and/or information in equally specific locations. Such locations may be geographically specified; that is, within the country, state, province, territory, or other legal jurisdiction by which the statute or regulation is issued. Other laws will require that records be kept at a corporate head office, registered office or other equivalent location, or at a work site, field station or other specified location. Similarly, laws may explicitly require that records be retained as hard copy, electronically, or in another specified format.

3 In the worst case scenario, the movement of records to network servers, data warehouses and other storage hardware that is well outside your organization s normal operating jurisdictions can also mean movement away from the legal obligations and remedies that records owners need to enforce their rights and meet their basic requirements. But the law isn t always bad news for an organization that is contemplating electronic storage, in the cloud or elsewhere. Even some of those same laws which require retention in the state or at the registered office may also make allowance for retention at some secondary location, provided that the record can be accessed promptly by inspectors or other relevant authorities. And whether your organization is subject to any of these requirements in the first place will depend on where you are located, which laws your organization is incorporated or otherwise established under, and the specific business operations you perform. Challenge #2: Maintaining Legal Control Issues of information ownership and control are by no means unique to cloud-based storage. Any scenario that sees an organization s important business records removed from their direct custody and stored by a third-party service provider can challenge the ability of that business to meet their legal requirements and enforce their legal rights with respect to those records. But cloud-based storage does raise ownership and control challenges well above those that are typically experienced in the more traditional situation of sending boxes of paper records to the local offsite warehouse. Whereas third-par ty paper storage typically takes place within a shor t drive from an organization s offices, the fast access capabilities of cloud-based storage make it possible to store information in another country or even on another continent! In the worst case scenario, the movement of records to network servers, data warehouses and other storage hardware that is well outside your organization s normal operating jurisdictions can also mean movement away from the legal obligations and remedies that records owners need to enforce their rights and meet their basic requirements. This situation can pose serious challenges to your organization s ability to: m Ensure that information security and integrity are safeguarded at a level required by legislation under your operating jurisdictions. m Review or monitor how information is handled and processed in terms of compliance with laws and contractual requirements. m Resume direct custody and control of your records in the event of contract termination or dispute. m Control and prevent access to your information by unauthorized parties.

4 In order to support the fundamental objectives of legal compliance and risk management, good records management practices dictate that records are kept as long as needed and disposed of in a legally defensible manner once all such needs have lapsed. Challenge #3: From Storage to Retention Any organization which aims to implement and maintain a records management program which meets ARMA International s Generally Accepted Recordkeeping Principles should note that the closely related requirements of records retention and disposition make up two of the eight principles. In order to support the fundamental objectives of legal compliance and risk management, good records management practices dictate that records are kept as long as needed and disposed of in a legally defensible manner once all such needs have lapsed. But how can we meet those principles in a situation where the normal challenges of electronic retention are compounded by those legal and contractual challenges already discussed? Some of the legal, technical and other challenges that cloud-based storage poses for meeting legally mandated retention times include: m Inability of the electronic records storage and retrieval system to apply event-based retention. In the more traditional world of paper filing, a file is typically closed at the arrival of some pre-identified trigger. The retention period for a specific collection or category of records will begin to accrue when the retention trigger takes place. The trigger might consist of something as regular as the end of a current fiscal year or the occurrence of a more discrete event, such as termination of a contract, completion of a project, or decommissioning of an asset. An electronic storage solution can apply retention with relative ease to those records whose retention periods automatically begin at year s end, but what about the event driven retention periods? Some level of human intervention is necessary to indicate when an event occurs, even if that intervention means entering certain metadata after records have already been created and stored on the system. A system that misses this inconvenient but undeniable reality runs a serious risk of either destroying records too early or failing to implement disposition processes at all. m Failure to retain and keep records available for entire duration of their records retention periods, especially where records are required to be kept for 10, 20, 30 or more years. Without effective strategies to combat the effects of hardware and software obsolescence, legacy data easily can become unreadable or corrupted after one or more system changes. Anyone who recently tried reading a floppy disk or watching a VHS cassette can attest to this reality! Meanwhile, even if migration strategies are in place for a given storage solution and vendor, what happens if and when that service arrangement is concluded? Records that are returned to their owner in some proprietary format accessible only via the vendor s technology may as well have been destroyed as far as usability and compliance are concerned. m Risk that back-ups and other copies of records remain on the vendor s systems after which the official or original records have been disposed, seriously compromising otherwise legally defensible disposition processes.

5 The world s legislators have given privacy concerns centre stage in emerging regulations of cloud-based storage and other technology solutions. Challenge #4: Keeping it private and secure The challenge of privacy and personal information protection bears special discussion, even though it directly touches on the issues of legal compliance, contractual coverage and records retention already discussed. Sensitive, identifying information about individuals can include everything from financial data to employment details to medical history. If this information is lost, stolen or inappropriately disclosed, the risks to those individuals can include identity theft, financial losses, reputational damage, or inaccurate medical diagnoses and treatment. It is little wonder then, that the world s legislators have given privacy concerns centre stage in emerging regulations of cloud-based storage and other technology solutions. One such emerging law, the European Union s General Data Protection Regulation, prescribes fines of up to 1 million Euros for breaches that relate to international data transfers, an error that could occur more easily when using cloud computing. Specific challenges that cloud-based computing can pose from a privacy perspective are as follows: m Removal of information from the privacy legislation and other legal protection offered by the customer s operating jurisdiction. m Inability to monitor and control how personal information is handled, protected and used. m Increased risk of hacking and other forms of unauthorized access and misuse, from literally anywhere on earth.

6 Part II: Making Cloud Storage Work - A Records Management Action Plan Your organization should develop a formal, documented audit and/or monitoring plan that addresses all pertinent issues, from basic hardware and software functionality through to security controls at the technical, administrative and physical levels. Action Item #1: Get it in Writing Implementing and enforcing a formal records management program requires more than blindly signing a cloud storage vendor s template service agreement. It is critical that records management requirements be directly accounted for in such contracts. Possible requirements to be addressed in these contracts include: m Acknowledgement that all information is the property of the customer. m Compliance with the customer s policies and standards with respect to such matters as records retention, information security and privacy. m Governance by the laws of federal and state/provincial/territorial jurisdictions specified in the agreement. m Guarantee that the storage provider will only use the stored information for purposes necessary to and consistent with providing the contracted services. m Segregation of the customer s information from that of other customers. m Notification of the customer in the event of an information security breach or other incident or condition which potentially threatens the security, integrity and/or availability of the stored records. m Timely remediation of security breach or other threats to records. m Return of all information to the customer s direct custody and control in the event of contract termination or dispute. Such clauses should also provide for an appropriate level of assistance by the vendor in making information usable and accessible, as well as the deletion or destruction of any back-ups and other copies which would otherwise continue to be retained by the vendor. Action Item #2: Enforce the written requirements! Don t be afraid to invoke the audit and monitoring clauses provided for in the service contract. In order for those clauses to meet their original purpose, they need to do more than pay lip service to your organization s rights and obligations to actively monitor how information is stored and handled. Your organization should develop a formal, documented audit and/or monitoring plan that addresses all pertinent issues, from basic hardware and software functionality through to security controls at the technical, administrative and physical levels. Then, put the plan into action. The fact that your records are stored on the other side of the world should not and cannot stop you from physically looking at the storage arrangement!

7 Once retention periods have been identified based on legal and business requirements and formalized as part of organizational information governance, the actual retention periods themselves should be directly factored into the identification and planning of storage system requirements. Action Item #3: Establish Records Retention Periods Already, we ve discussed the need to consider any legal requirements which directly impact the physical location and medium in which records are to be kept. It is equally important to proactively identify any legal and/or business requirements that affect how long records must be kept. A Records Retention Schedule meets this need by dividing records into clearly identifiable categories and prescribing standard time periods for keeping records in each category, subject to possible extension in the event of Legal Holds or other exceptional circumstances. An effective, legally defensible retention schedule should be based on documented research of applicable requirements, which include: m Direct, explicit requirements under statutes and regulations to keep specified records for a given time period. m Indirect legal requirements to keep records, in the form of legal limitation periods applicable to litigation, audits, and other proceedings which require discovery and production of records. m Business requirements to keep and use records, as identified by end users and other organizational stakeholders. Action Item #4: Make sure the solution supports retention periods Once retention periods have been identified based on legal and business requirements and formalized as part of organizational information governance, the actual retention periods themselves should be directly factored into the identification and planning of storage system requirements. Whether through vendor selection criteria or more active participation in the solution development process, records management professionals can and should help their organization s ensure that cloud-based systems support meeting records retention requirements by keeping records for as long as needed and helping dispose of them when all such requirements expire. Possible strategies for making this happen include: m Development and implementation of migration plans and conversion strategies that are expressly designed to ensure the forward compatibility of all legacy records with new or upgraded hardware and software. m Design of metadata taxonomies, workflows and other tools to help identify when retention events actually take place in the real world, triggering the accrual of retention periods for one or more related records. m Proactively addressing data back-up retention and disposition as part of service contracts and/or attached policies and procedures.

8 If, instead of being required to keep records in the state or at the registered office, your organization is only required to ensure that records are readily accessible, make sure the cloud-based solution is able to provide the fast, reliable access necessary to comply. Action Item #5: Understand Location Requirements Perform a comprehensive review of legal recordkeeping requirements applicable to your organization, including any statutes or regulations that specify where and in what format records must be kept. If this review has not already been factored into the Records Retention Schedule development described in Action Item #3, specialized research may be needed. Action Item #6: Assess information retrieval and accessibility capabilities If, instead of being required to keep records in the state or at the registered office, your organization is only required to ensure that records are readily accessible, make sure the cloudbased solution is able to provide the fast, reliable access necessary to comply. Specific retrieval times will vary depending on the specific inspection, audit or other timelines that apply to your organization. At the very least, the cloud solution must be able to ensure that information is available just as quickly as if the records were retained in paper or electronic format at the original place of business. Better yet, the cloud-based system may even be able to offer an improvement over more manual or ad hoc retrieval tools! Action Item #7: Perform a Privacy Impact Assessment While its exact form can vary across different risk scenarios, a privacy impact assessment can be a powerful tool in identifying applicable privacy requirements, risks and mitigation strategies. An effective privacy impact assessment works in tandem with the other action items described above and can include key elements such as: m Formal identification of specific statutes, regulations and industry standards governing privacy and personal information in the organization. m Declaration of authorized business purposes for which information may be collected, used, disclosed and/or retained. m Determination of requirements to seek individual consent for any collection, use or disclosure of personal information, including possible information access by records storage providers. m Description of contractual provisions and related enforcement controls related to information ownership, control, retention and protection. m Summary of records retention rules and any technology specifications, workflow processes or other tools for implementing those rules. m Assessment of information security and integrity risks, as well as any technical, physical or administrative safeguards to help prevent or mitigate those risks.

9 Part III: Moving Toward a Cloud-Based Solution Contact one of our representatives today. UNITED STATES 888.822.9777 CANADA 800.387.6212 www.tab.ca AUSTRALIA 800.50.3453 www.datafile.com.au EUROPE +31 20 6975333 www.tab.nl So, is moving toward a cloud-based solution for electronic records storage right for your organization? It just might be. The benefits of more storage space at a cheaper cost are hard to argue with in isolation, but those benefits can be negated if challenges with records ownership, retention, privacy and overall compliance cannot be adequately addressed. They key is to take a measured approach, considering all foreseeable risks and taking concrete, proactive steps to prevent and mitigate those risks. By taking actions such as those outlined in this article, a decision about records storage in the cloud becomes a lot less cloudy! If you d like to discuss whether a cloud-based solution is right for storing your electronic records, please get in touch.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information