Ask HN: How would you securely store and retrieve photocopied passports/ids

4 points by skyisblue ↗ HN
We're looking at building an app that requires us to store photocopied passports and ids of our clients.

We're using AWS and are located in Australia.

Are there any local/international laws that require us to encrypt the data at rest?

What's the best way of storing and retrieving this sensitive data?

3 comments

[ 2.5 ms ] story [ 17.0 ms ] thread
One thing comes to mind is the personally identifiable information (PII) that is in the passport/ID. Usually it will have ID numbers but also name, address, etc.

Look at what the EU is requiring for this - it used to be called Safe Harbor.

A few things I remember about those requirements: - data encryption at rest and in transit - no onward transfer to third parties - opt-out methods for users to not allow you to capture the data

You may want to look into any restrictions on using a cloud provider or specific configurations you may need (i.e. no failover to a non-AU AWS farm).

Take a look at the new data protection Directive from the UE (will be in effect from June 2018) - Eventually all states will have some kind of regulation similar to this:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:O...

The best way to comply if your app is used in Europe is 1) start writing a .doc document detailling which data you want to collect, where do you store it, when do you use encryption (suggestion: both in the application and the data volumes - but be careful choosing the ciphers for volume and in-app), and why do you allow people to see the data.

Before you do any of this: in many countries it is illegal to store/copy ID documents of your Clients.