Cloud services are everywhere these days, from data backup to music streaming, so it’s not surprising that the cloud has entered the world of records management too. For records managers, the cloud promises cheap and scalable on-demand document storage, which is a very exciting prospect.
However, as with all new solutions, the cloud comes with new questions and new challenges. For example, is it legal to store records in the cloud, especially when you can’t be sure of the physical location of the servers on which they are hosted? Who maintains legal control of documents stored in the cloud? Do cloud solutions support retention schedules?
Approaching the Cloud Sensibly
As you consider a move to cloud storage, these 6 tips will help you approach it sensibly – avoiding the risks and realizing the full benefit.
- Make sure you retain ownership. When researching the cloud vendor’s services and negotiating your agreement, examine the legal aspects thoroughly. Make sure that your rights of ownership will be maintained under different scenarios and across different legal jurisdictions in which the records may be stored. Build this into the written contract!
- Understand location-specific legal aspects. With the cloud, your documents may be stored in any number of physical locations, including multiple countries and continents. Unfortunately, many records are subject to strict legal requirements about where they may be stored. Consult the legislation that applies to your records and your industry to make sure your cloud solution is compatible with your legal responsibilities.
- Enforce the written requirements. It’s not uncommon for operational changes at a cloud provider to affect previously agreed service terms. When your cloud service is active, invoke the audit and monitoring clauses of your agreement on a regular basis to check that records are being stored in accordance with your agreement.
- Establish and enforce records retention periods. Retention schedules are an essential part of a good records management program, no matter where you happen to store your records. To make sure that you consistently dispose of records according to schedule it is critical that your cloud provider supports records retention periods.
- Make sure your documents are accessible when needed. In some cases, records are legally allowed to be stored in the cloud only if they can be accessed in a timely fashion when needed. Be sure to check the retrieval capabilities and turnaround times of your cloud provider. Make sure that your records will be produced quickly when called for.
- Perform a privacy impact assessment. This important step documents the many issues and remedies that you have explored in the other tips. A privacy impact assessment captures all the key information about your cloud storage arrangement and surrounding practices. It helps defend your solution in case of an audit or legal proceedings. Among other things, the privacy impact assessment should specify:
- Who can access which documents under which circumstances.
- Requirements for consent when requests for access are made.
- An assessment of information security and privacy risks.
Cloud storage is fundamentally different from anything records managers have seen before. These steps will ensure that you mitigate the risks surrounding ownership, legal compliance and security.