What Defines Personal Information/Data in the Cloud?


Cloud technology is great. It allows people and systems to deliver applications at a global scale, with ease and great management power. Data can be stored and retrieved from anywhere in the world. This is a huge benefit, and an equally huge challenge.


If you deal with legal documents or store personal information, then regardless of your preferred cloud provider (Microsoft, Amazon AWS, Google, IBM, HP etc.), there are challenges you need to consider to manage privacy issues.

The Case for Personally Identifiable Information

Many countries have laws that regulate how personal information (PI) data should be handled. For example, I live in Queensland, Australia, and here we have the Information Policy Act 2009, also known as the PI Act. This law defines PI data as:

"...information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent or can be ascertained".

This definition is already a great start for identifying PI data in cloud projects. If you're curious about what is and what is not PI data, the Office of the Information Commissioner (OIC) has a checklist that addresses this question.

Not All Bytes are Born the Same

It is important to note that laws like the PI Act apply to personally identifiable data, but they are not the only laws that can apply. Other laws may come on top of them, for example laws that regulate insider trading or identity theft.

Now that we know the scope of the regulations, the next thing to be aware of is that not all data is the same. The type of information and its sensitivity level have a direct impact on how the data needs to be handled.

Privacy Impact Assessment

Generally speaking, it is common for cloud migration projects that handle such data to identify it in the assessment phase. In these cases, if any personal information is found (for example, a database table that has names and street addresses, or an Excel file that contains telephone numbers), a privacy impact assessment (PIA) is conducted. The PIA generates a report that cross-checks the data identified, the impact on the cloud project delivery, and how to minimize or avoid any privacy risks involved.

And so far we are talking only about data. The next item to check in your cloud migration project is the data flow. Data flow is equally important because what is "legal" in one place might not be in another. For example, let's assume that Company X has applied all the measures required by law to protect personal data, but the company has its headquarters in another country. Could an email with the same content be shared between the offices in these 2 countries?

So, as you can see, data flow can be as complex as data controls, but we will talk about this another time.

Images from @MSAU
