The Checklist

The checklist below lists security and privacy protection best practices to follow when PII is involved. It provides high-level guidance for cloud service providers to consider when implementing management, operational and technical measures.

The best practices apply to a cloud service provider assuming the role of Data User and to a cloud service provider assuming the role of Data Processor.

Policy Management
  • Observe the Personal Data (Privacy) Ordinance, in particular the Data Protection Principles (DPP)[1].
  • Understand and comply with the privacy laws applicable in the jurisdiction where the PII is collected and stored, as the cloud environment may extend beyond the HKSAR.
  • Conduct a Privacy Impact Analysis (PIA)[2], which helps identify and detect any privacy risks associated with unauthorized or accidental access, alteration, processing, erasure or other use of PII collected and stored on cloud platforms.
  • Establish and enforce a clear data protection or privacy policy within the organization, in compliance with the personal data privacy law of the jurisdiction where the PII is collected, processed and stored.
  • Conduct periodic risk assessments and reviews to ensure security risks are properly managed.
  • Establish proper contractual terms (or at least evaluate the need for contractual terms) to govern conduct in protecting PII.

Collection (DPP1)
  • Collect personal data by fair and lawful means and only for purposes that are directly related to the functions and activities of the cloud service.
  • Collect personal data only when there is an actual need, and such data collection should not be excessive with respect to the intended purpose.
  • Provide a Personal Information Collection (PIC) statement whenever PII is collected online from individuals.
  • Inform customers of the purposes for which their personal data are used and to whom the data may be transferred.

Retention & Accuracy (DPP2)
  • Keep personal data accurate, up to date, secure and for no longer than necessary.
  • Retain personal data entrusted by clients for no longer than is necessary.

Use & Processing (DPP3)
  • Ask for and obtain consent before a customer's personal data are used for purposes other than those for which they were collected.
  • Do not make use of personal data entrusted by a client for any purpose not consented to by the client.

Security Protection - Processes and Procedures (DPP4)
  • Keep records of what types of PII are stored in the cloud.
  • Compile a list of the applications and locations in which PII will be stored, to facilitate effective monitoring.
  • Avoid storing PII in too many different applications and locations; doing so increases the risk of security exposure as well as the effort of monitoring for and detecting unauthorized access.
  • Define a list of authorized computer equipment, including mobile devices, that can be used for administering cloud operations, together with the corresponding security requirements.
  • Establish a formal process and step-by-step procedures for requesting and approving access rights.
  • Establish rapid response protocols to deal with security incidents, including suspected intrusions.
  • Periodically review logs and audit trails on computer and network equipment for anomalies and possible attacks.
  • Continuously improve data protection through ongoing monitoring and assurance reviews.
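
As an added illustration of the items above on keeping an inventory of authorized equipment and periodically reviewing logs for anomalies (example code written for this page, not part of the original checklist or of any vendor product), the Go program below reviews a handful of constructed audit-log lines in a hypothetical key=value format. It flags a source that accumulates repeated login failures and any access to a PII resource from a device that is not on the authorized equipment inventory. The log format, device names, addresses and the threshold of five failures are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed audit-log lines in a hypothetical format (not a real product's log):
//   <timestamp> <event> user=<account> src=<device> result=<ok|fail> [obj=<resource>]
var sampleLog = []string{
	"2024-01-15T09:00:01Z login user=alice src=wks-017 result=ok",
	"2024-01-15T09:00:05Z read user=alice src=wks-017 result=ok obj=pii/customers",
	"2024-01-15T09:01:10Z login user=bob src=203.0.113.9 result=fail",
	"2024-01-15T09:01:12Z login user=bob src=203.0.113.9 result=fail",
	"2024-01-15T09:01:15Z login user=bob src=203.0.113.9 result=fail",
	"2024-01-15T09:01:18Z login user=bob src=203.0.113.9 result=fail",
	"2024-01-15T09:01:21Z login user=bob src=203.0.113.9 result=fail",
	"2024-01-15T09:02:00Z login user=carol src=laptop-x result=ok",
	"2024-01-15T09:02:30Z read user=carol src=laptop-x result=ok obj=pii/customers",
	"2024-01-15T09:05:00Z login user=dave src=wks-021 result=fail",
	"2024-01-15T09:05:40Z login user=dave src=wks-021 result=ok",
}

// Inventory of equipment authorized to administer or reach the PII store (constructed).
var authorizedDevices = map[string]bool{"wks-017": true, "wks-021": true}

// failThreshold is the number of failed logins from one source treated as anomalous (assumed).
const failThreshold = 5

// Finding is one anomaly surfaced by the review.
type Finding struct {
	Kind   string // "pii-access-from-unlisted-device" or "repeated-login-failure"
	Source string // device or address the events came from
	Count  int    // number of matching events
}

// parseLine splits one log line into its event name and key=value fields.
func parseLine(line string) (event string, kv map[string]string, ok bool) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return "", nil, false
	}
	kv = make(map[string]string)
	for _, p := range parts[2:] {
		k, v, found := strings.Cut(p, "=")
		if !found {
			return "", nil, false
		}
		kv[k] = v
	}
	return parts[1], kv, true
}

// ReviewLog scans the lines and returns findings sorted by kind and source.
func ReviewLog(lines []string) []Finding {
	fails := map[string]int{}
	unlisted := map[string]int{}
	for _, line := range lines {
		event, kv, ok := parseLine(line)
		if !ok {
			continue // malformed lines are skipped here; a real review would also count them
		}
		src := kv["src"]
		switch {
		case event == "login" && kv["result"] == "fail":
			fails[src]++
		case strings.HasPrefix(kv["obj"], "pii/") && !authorizedDevices[src]:
			unlisted[src]++
		}
	}
	var out []Finding
	for src, n := range fails {
		if n >= failThreshold {
			out = append(out, Finding{Kind: "repeated-login-failure", Source: src, Count: n})
		}
	}
	for src, n := range unlisted {
		out = append(out, Finding{Kind: "pii-access-from-unlisted-device", Source: src, Count: n})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Source < out[j].Source
	})
	return out
}

func main() {
	for _, f := range ReviewLog(sampleLog) {
		fmt.Printf("%-32s source=%s events=%d\n", f.Kind, f.Source, f.Count)
	}
}
```

The single failure from wks-021 stays below the threshold and the read from wks-017 comes from an inventoried device, so only the two genuine anomalies are reported; a periodic review job would feed such findings into the incident response protocol the checklist calls for.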
Security Protection - Technical Measures (DPP4)
  • Encrypt PII, or provide an encryption function for customers to encrypt their PII stored in the cloud. In all cases protect the encryption keys with great care.
  • Encrypt PII when it is transmitted over an open network.
  • Apply or provide a strong authentication method, such as two-factor authentication, for customers to access PII in the cloud.
  • Implement security mechanisms, such as firewalls and intrusion detection/prevention systems, at the network gateway to protect the cloud services against external attacks.
  • Ensure that computer equipment is installed with:
    • anti-virus software with the latest virus definition files, real-time detection enabled and a periodic full scan scheduled; and
    • the latest security patches for the installed operating system and software.
  • Conduct regular scans for system vulnerabilities and apply remedial actions as soon as practically feasible.
  • Conduct regular backups with periodic testing of data recovery.
  • Prohibit the re-use or disposal of computer equipment without having the stored PII completely sanitized.
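
The first item in the list above asks for stored PII to be encrypted and for the keys to be guarded with great care. One way to structure that, shown here as an added example written for this page rather than code from the original checklist, is envelope encryption with the Go standard library: each record gets its own data key, the data key is wrapped under a key-encryption key (KEK) that is held separately (a KMS or HSM in practice), and the record identifier is bound into the AES-GCM tag so a ciphertext cannot be silently moved to another record. The KEK handling, the Envelope layout and the sample PII are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored in the cloud: the ciphertext plus the per-record data
// key, itself encrypted under a key-encryption key (KEK) that is kept elsewhere.
// The KEK never sits beside the data (assumed layout for this example).
type Envelope struct {
	RecordID   string // public identifier, also bound into the AEAD tag
	WrappedKey []byte // data key encrypted with the KEK (nonce prepended)
	Ciphertext []byte // PII encrypted with the data key (nonce prepended)
}

// seal encrypts plaintext under key with AES-256-GCM, prepending the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modification of nonce, ciphertext, tag or AAD fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh 256-bit data key for this record, encrypts the PII
// with it, then wraps the data key under the KEK. The plaintext data key is discarded.
func EncryptRecord(kek []byte, recordID string, pii []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, pii, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{RecordID: recordID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the KEK and then decrypts the PII.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKey, []byte(env.RecordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(env.RecordID))
}

func main() {
	kek := make([]byte, 32) // in practice fetched from a KMS/HSM, never stored with the data
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample PII; the values are placeholders.
	env, err := EncryptRecord(kek, "customer-0001", []byte("name=Jane Doe; id=XXXXXXX(X)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: id=%s wrappedKey=%d bytes ciphertext=%d bytes\n",
		env.RecordID, len(env.WrappedKey), len(env.Ciphertext))
	pt, err := DecryptRecord(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

Only the wrapped key travels with the ciphertext, so rotating the KEK means re-wrapping the small data keys rather than re-encrypting every record, and a stolen copy of the storage bucket alone yields nothing without access to the separately held KEK.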
 
Compliance (DPP5)
  • Inform customers of the commitment and relevant measures made to protect their personal data. This could be in the form of a Privacy Policy Statement.

Access & Correction (DPP6)
  • Develop and make use of a log subsystem to handle clients' requests for access to and correction of personal data.

Subcontractors' Management
  • Disclose customers' PII to subcontractors only for the purpose of delivering the required services. Prohibit subcontractors from using PII for any other purpose.
  • Require subcontractors or any third parties that handle PII stored on the cloud platforms to have sufficient IT security mechanisms and associated procedures.
  • Keep an inventory of, and monitor, all subcontractors having access to the PII stored on cloud platforms.

Staff Management
  • Define roles and responsibilities for resource control over PII stored on the cloud platform. For example, designate an administrator responsible for implementing management decisions to grant access to PII stored on the cloud platform.
  • Assign staff to handle PII stored on the cloud platforms and apply the principle of segregation of duties.
  • Establish a strong password policy and ensure no shared accounts are used.
  • Conduct periodic reviews of staff access permissions to establish or re-establish eligibility based on individuals' work responsibilities. For example, revoke all access and accounts of staff who have left the organization or transferred to another unit of the organization.
  • Provide adequate education and training to staff handling PII stored on the cloud platform.

[1] Refer to http://www.pcpd.org.hk/english/data_privacy_law/6_data_protection_principles/principles.html for the data protection principles of the PDPO.

[2] Refer to http://www.pcpd.org.hk/english/resources_centre/publications/files/PIAleaflet_e.pdf for the "Information Leaflet on Privacy Impact Analysis" published by the Office of the Privacy Commissioner for Personal Data.
