Hearing Services Program Cloud Service Provider Checklist

Hearing Services Program (HSP) HSP Cloud Service Provider Checklist / IRAP Assessment - MANAGE IT Regulatory

Provider Factsheet - Management of Client Records

The Department of Health (the department) is responsible for managing and administering the Australian Government Hearing Services Program (the program).

As specified in the Service Provider Contract (the contract), program client records are owned by the Commonwealth. Contracted Service Providers (providers) must manage, store, transfer and dispose of program client records in accordance with the contract, program legislation, the Archives Act 1983, the Privacy Act 1988 and the Freedom of Information Act 1982.

Client personal and health information is deemed sensitive information under the Australian Privacy Principles (APP) and extra precautions are required in the management of this information.

  • Cloud Storage

    Cloud storage allows for shared access to documents via the internet or a company network, but must still ensure the protection of client records. Under clause 17.5 of the contract, program client records must not be taken outside Australia without prior written approval from the Commonwealth. This includes storing client records on overseas servers.

    The Australian Signals Directorate (the ASD) no longer certifies cloud service providers and all previous certifications are now void. Providers can continue to use their previously certified cloud services. Any new providers entering the program or existing providers wishing to change their cloud provider or start using cloud services must contact the Program at hearing@health.gov.au before storing client records on a new service.

    • Providers must not use unsecured cloud services, such as Google Drive, Google Docs, Dropbox etc, as these may be hosted overseas and do not have Privacy Act protections.
    • If providers wish to change cloud providers or start using a cloud service, the security of the service must be assessed. Only an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment. Providers should request a copy of a current IRAP assessment of the cloud service before contacting the program.
    • Any agreement with a supplier of cloud storage services must include an agreement that the client records will be hosted on an Australian server, will not be disclosed outside Australia and that the records will be encrypted to at least the equivalent of Unclassified with a Dissemination Limiting Marker of Sensitive: Personal or Official with an Access‑Information Management Marker of Personal-Privacy.