Ask HN: How would you securely store and retrieve photocopied passports/ids
We're looking at building an app that requires us to store photocopied passports and ids of our clients.
We're using AWS and are located in Australia.
Are there any local/international laws that require us to encrypt the data at rest?
What's the best way of storing and retrieving this sensitive data?
3 comments
[ 2.5 ms ] story [ 17.0 ms ] threadLook at what the EU is requiring for this - it used to be called Safe Harbor.
A few things I remember about those requirements: - data encryption at rest and in transit - no onward transfer to third parties - opt-out methods for users to not allow you to capture the data
You may want to look into any restrictions on using a cloud provider or specific configurations you may need (i.e. no failover to a non-AU AWS farm).
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:O...
The best way to comply if your app is used in Europe is 1) start writing a .doc document detailling which data you want to collect, where do you store it, when do you use encryption (suggestion: both in the application and the data volumes - but be careful choosing the ciphers for volume and in-app), and why do you allow people to see the data.