News item | 29-08-2022 | 16:57
Under strict conditions, State Secretary Alexandra van Huffelen (Digitalization) will offer government agencies more room to use commercial cloud services. This is stated in a letter sent to the House of Representatives today. Until now, government agencies were only allowed to use their own cloud services.
Working in ‘the cloud’, which makes use of external storage capacity, applications, networks and other ICT facilities, offers potential advantages. State Secretary Van Huffelen writes this in a letter to the House of Representatives. “For many people and companies, the cloud is already a familiar fact. The government has deliberately waited for this. Unlike a few years ago, the benefits now outweigh the risks. That does not alter the fact that we still impose strict conditions, especially in the field of security and privacy,” says Van Huffelen.
Commercial cloud services have developed at lightning speed in recent years, partly under the influence of the corona pandemic. The costs are relatively low and risks are often easier to manage than before. This is partly due to the fact that suppliers invest large amounts and deploy a great deal of expertise in securing their services. The cloud thus offers an attractive perspective for the development towards a more innovative, transparent, flexible and efficient digital government.
In order to minimize security risks, government institutions are obliged to make a risk analysis beforehand. Moreover, the use of commercial cloud services is not permitted for the storage or processing of state secret information and no services may be purchased from suppliers from countries with an active cyber program that is directed against Dutch interests. The Ministry of Defense falls outside the scope of this new policy.
The principle of no, unless, applies to data from the basic registration data and special personal data.
The new cloud strategy replaces the current policy, which dates from 2011. Commercial cloud services have not yet been used. In the new situation, government organizations are allowed to purchase cloud services externally. All storage and processing of personal data takes place in a responsible manner, which is in line with applicable privacy requirements.
Before the end of 2022, the chief information officer of the central government will draw up a guideline for this risk assessment, together with the CIOs of the ministries involved. CIO Rijk monitors the application of this policy and is involved in decision-making about exceptions. Supervision of compliance with the rules falls under the existing statutory duties of the Netherlands Court of Audit, the Central Government Audit Service and the Dutch Data Protection Authority.