Data Protection and Privacy Impact Assessment

DPIA and PIA
1. This document is both the Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA).   While it may be common to use two different documents, the scope of this document encapsulates both objectives.

Article 35 DPIA Evidence
1. The processor shall deploy whatever security measures it takes to eliminate the possibility of a reportable data breach.
2. The processor shall engage a Data Protection Officer to direct the protection of persons data as part of the Bespoke Application Service.
3. The Data Protection Officer shall continually review and revise the Data Protection Impact Assessment based on risks, threats, industry experience, press reports and ISO advice.
7. The Data Protection Impact Assessment shall include:-
  (a) a systematic description of the deployed processing operations and the purposes of the processing including the legitimate interest pursued by the controller.
  (b) an assessment of the necessity and proportionality of the processing operations.
  (c) an assessment of the risks to the rights of data subjects.
  (d) the measures deployed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. The processor shall be compliant with the ISO 27001 Information Security Standard and the CSA Code of Conduct.
9. The controller may seek the views of the data subjects.
+. Include technical and organisational measures to deploy "privacy by design" and to include:-
  (1) Data minimisation.
  (2) Pseudonymisation.
  (3) Transparency of functions and processing - no profiling.
  (4) Enable the data subject to monitor data processing - keep them in the loop.
  (5) Enable a means to create and improve security features.
+. Include the origin, nature, particularity and severity of each risk.
+. Assess and document the likelihood and severity of each risk.   Consider the nature, scope, context and purpose of processing and the sources of risk.
+. Accountability: Article 5(2) states that the controller must be able to demonstrate compliance with Article 5(1) as Accountability.   This can be demonstrated in the DPIA by cross reference back to GDPR articles.
+. Protection by Design and Default: Article 25.   This can be demonstrated by maintaining a timestamp of when processing is performed at the applicable time.   Only provide the personal data needed to perform a process rather than making all personal data available.   Every process is unique and has sight only of the personal data needed to complete that process.

UK ICO PIA Advice
1. Identify the need and involve all stakeholders: transparency.
2. Describe the information flows.
3. Identify the privacy and related risks: risk to people, risk to the organisation, compliance risk.
4. Identify and evaluate the privacy solutions: eliminated, reduced, accepted.
5. Document the PIA Outcomes.
6. Integrate the PIA Outcomes into a project plan to improve the application service.
7. Consult with stakeholders as needed.

DPIA Purpose
1. This DPIA is a living strategic document that is continually reviewed and revised by the Data Protection Officer appointed by the Data Processor.   As new threats and risks are identified then this document must rapidly be improved.   As better security methods are identified then this document must rapidly be improved.
2. The Data Protection Officer reports to the Data Processor and to the Data Controller, but more importantly, they report to the ICO in the event of any breach.   The Data Protection Officer puts their entire career on the line as the person responsible for any data protection failure, no matter who is the root cause.   A specific "contact us" facility is provided for any interested party to contact the Data Protection Officer who is available 24*7.
3. This Data Protection Impact Assessment (DPIA) is the strategic privacy requirement that must be created by the Information Security Manager deploying appropriate security methods.   Privacy is a strategy of risk management. Security is a tactical set of methods and measures.
4. It is said that people are the primary cause of a data breach.   Whatever is needed to prevent people being the cause of a data breach must be taken - education is not good enough.
5. This DPIA is only applicable to the business data processed by the Bespoke Application Service and it is not applicable to local data processed by people using application programs.   The Owner and Data Controller must take full responsibility to the ICO for local data and emails stored on local computers that is not protected by the Bespoke Application Service.   It may be impossible for the Owner and Data controller to fully comply with UK laws where application software like Office is used to process business data and One Drive is used to store business data outside the UK.

DPIA Summary
1. The Data Processor has chosen to eliminate the possibility of a data breach because the impact of a data breach would be greater than whatever it costs to eliminate the possibility.
1.1. The ICO is concerned with Personally Identifiable Information (PII), while the DPO is concerned with all business data, including any PII.   This inclusive strategy means that as the definition of PII evolves, all solutions have already encapsulated any new requirements.
1.2. The requirement to categorise different data fields is eliminated because all business data has the same "private" category.   Data that is not business data is categorised as "public", however public data may be restricted to a small number of approved people.
1.3. Business data is only stored as Pseudonymised and Replicated Encrypted Data (PARED) as Protection by Design Default in compliance with GDPR article 28.   No business data is ever stored in a readable representation and so no business data can be stolen or lost.
1.4. Business data can only be accessed by approved people using approved computers on approved networks in approved locations between approved hours of the day on approved days of the week.   A single authentication service is provided that is monitored 24*7 to stop criminal behaviour and to enable approved people to sign in.   Where approved people put themselves at risk by not signing off, they will be signed off after a period of inactivity.   Only approved people can process business data and some people will only be able to process some business data based on their role and other factors.
2. People: Four classes of people are at risk as: Customers, Suppliers, Approved People and everybody else.
2.1. Customer information flow is that the customer contact consents to share their data with the Bespoke Application Service and optionally suppliers.   The customer contact is assigned an access code to grant them the right to access their own data, may correct their data and may erase their data at any time using online services.   By providing a digital wallet shared between the customer contact and the Bespoke Application Service, the customer has transparency about what data is held and how it is used with the right to withdraw consent at any time.
2.2. Supplier information flow is that the supplier contact consents to share their data with the Bespoke Application Service.   The supplier contact is assigned an access code to grant them the right to access their own data, may correct their data and may erase their data at any time using online services.   By providing a digital wallet shared between the supplier contact and the Bespoke Application Service, the supplier has transparency about what data is held and how it is used with the right to withdraw consent at any time.
2.3. HR information flow is that an approved person consents to share their data with the Bespoke Application Service.   The approved person is assigned a pass phrase to grant them the right to sign in and access their own data, may correct their data and may erase their data at any time.   By providing a digital wallet shared between the approved person and the Bespoke Application Service, the person has transparency about what data is held and how it is used with the right to withdraw consent at any time.   The Data Processor has a team of Second Level Support people, bound to confidentiality by contract, who have normal sign-in access rights as an approved person to be able to replicate defects and validate new business rules.   No other Data Processor person has sign-in rights and because all business data is encrypted, they cannot access any business data.
2.4. Everybody else has access to "public" data and cannot process any "private" data.   No super user or system administrator role exists to prevent risks of attack to people with elevated rights.   Operations people with physical access to servers are only able to access encrypted data that is unintelligible, meaningless and worthless.
3. Companies: Four classes of organisation are at risk as: Customers, Suppliers, Data Controller (Owner) and Data Processor (ASP).
3.1. Customers would be well advised not to do business with a company that uses ineffective protection methods such as Office spreadsheets, leaks by phone and email and does not encrypt every instance of the customer's data.   Customers will quickly be able to identify non-compliant organisations who are not able to respond to subject access requests in a meaningful way.
3.2. Suppliers are already choosing not to do business with a company that uses obsolete data protection methods such as Office spreadsheets without encryption.   Suppliers are providing encrypted online portals to eliminate data leaks by phone and email - businesses still leaking data by email no longer deserve to be in business.
3.3. The Data Controller has shared responsibilities with the Data Processor for business data stored in the Bespoke Application Service and total responsibility for all locally stored business data, emails, documents and reports.   The Data Processor applies decades of professional experience, skill and qualified people to ensure that a data breach is not possible for business data stored in the Bespoke Application Service.   The Data Controller must apply similar skills and security measures for business data stored on local computers and phones.
4. Outcomes: It is stated that the following four measures are adequate to eliminate the threat of a data breach.
4.1. Pseudonymisation, advocated by GDPR article 28, is deployed as "Protection by Design Default" for all business data.   Pseudonymised data is encrypted so it cannot be stolen - it is unintelligible, meaningless and worthless to a criminal.   Please see the Pseudonymised topic below for more detail.
4.2. Replicated encrypted data is message switched to many secure data centers to eliminate problems of backup and restart.   In the event that a data center is not available, business continues to be available by the same Bespoke Application Service provided by other data centers.   Replicated data cannot be lost because it can always be recreated from many other secure data centers.
4.3. Authentication is elevated to a single point that is monitored 24*7 to stop criminals and enable approved people to sign-in.   Only approved people using approved devices are granted the right to sign in.   Passwords are not good enough and so assigned pass phrases are used together with many other factors to identify approved people and to block criminals.   Please see the authentication and SMS two-factor login topics below for more detail.
4.4. URL design is encrypted to prevent hacking by approved people and prevent leaks by approved people being exploited by criminals.   It is expected that some approved people may not be skilled in security and may work in ways that are not secure, but the Bespoke Application Service must compensate for such behaviour and prevent bad things from happening.   The life cycle of a URL is short enough to ensure that a criminal does not have time to decrypt its contents.

Risks and Threats:
1. Sharing passwords with other people.
2. Disabling anti-virus to access blocked content.
3. Using the same password for many services.
4. Sharing information with strangers.
5. Downloading programs (like Office) with vulnerabilities.
6. Downloading media from unlicensed sources.
7. People with little security education and motivation.
8. Loneliness causing bad behaviour to gain attention.
9. Social demands for excitement from bad things happening.
10. Ransomware downloaded by clicking unapproved links.
11. Job applicants who are told too much and have the skills to disrupt.
12. Inadequate passwords and poor login procedures.
13. Inadequate patch management of operating system and application software.
14. Lack of encryption so data can be stolen.
15. Not signing off so session credentials can be stolen and reused.
16. Leaking critical data in emails and documents that are not encrypted.
17. No way to capture who and when business data on local machines has been accessed or copied.
18. Physical theft of computers containing business data.
19. Forgotten password procedure that is easy to fake and impersonate.
20. Call center people who can be intimidated (and abused) into revealing critical business data.
21. Backup system that has no way to recreate data processed between when the backup was taken and the system restarted.
22. No fallback so in the event of an office being not accessible, business cannot continue from any other place.

Authentication
1. Many threats and risks have a common solution as the continually monitored authentication service that is known as Identity and Access Management (IAM).
2. Login risks have been eliminated and replaced with a comprehensive sign-in authentication service that is the single point of entry before any private data can be processed.   Criminal attacks on private data must get past this one authentication service that has been hardened by daily attacks for decades and regular external security audits.
3. Authentication is so important that every sign-in transaction is monitored 24*7 to ensure that criminal behaviour is stopped and blacklisted, while approved people are given every assistance.
4. Passwords risks have been eliminated and replaced with assigned pass phrases that are only known to the approved person and cannot be discovered by any other person.   Pass phrases are never communicated by phone, email or in a way that can be intercepted by a criminal.   Pass phrases are too important to be left to people to make-up without using the same ideas for many other web sites.
5. When a manager authorises a new approved person that manager is given a one-time pass-phrase that must be used by the approved person to sign-in within 15 minutes.   The one-time pass-phrase may be communicated by word, by phone or by email, but its life cycle is limited.
6. When a new approved person signs in with their one-time pass-phrase, they are shown their permanent pass phrase that is not known to any other person.   The one-time pass-phrase is disabled and the approved person must use their permanent pass phrase for all subsequent sign-in.
7. When an approved person forgets their permanent pass phrase, they will ask their manager to request a new one-time pass-phrase to be used in the next few minutes.   When the new one-time pass-phrase is used, a new permanent pass-phrase is assigned to the approved person.
8. Where a new manager arrives and an existing manager at that office is not available, then a support request can be created to ask Second Level Support to enter the new manager's details and assign a one-time pass-phrase to that new manager.   Managers are in complete control of their own teams and managers can help one another when a new one-time pass-phrase is needed.   Where a manager is not available, a support request can be created with a rapid response by automated email.
9. Authentication deploys many factors including cookies and other secret characteristics of approved computers.
10. An approved person may be authorised to sign-in from a named office, but not sign-in from home or any other office.   A few approved people may sign-in from many different offices and may be permitted to sign-in from their home network.   An approved person may be permitted to sign-in from their smart phone using a named network or from any network.
11. An approved person may be authorised to sign-in between certain hours of the day and on certain days of the week.   The behaviour of approved people is monitored to detect unusual behaviour and stop criminal behaviour such as a sign-in attempt at 03:00 on a Sunday morning.
12. Malware, keyloggers and people spying on others will leak a person's pass-phrase and additional measures are needed to manage the threat.   Encrypted cookies and device characteristics identify when a pass-phrase is used by a different computer - monitoring triggers a potential alarm.   Geo-location, network names, day of week, hour of day, size of screen, browser and computer operating system are checked and a phone call may be made to verify that the person has had a change of computer.
13. With more than 20 years of continual evolution of this single authentication facility, many security mechanisms have been incorporated to detect and stop criminal behaviour.   Every day criminal attacks verify the robustness of the authentication service and every six months, external professional white hat hackers and security consultants are paid to simulate what a criminal agency could do.   The attack surface is very small and continual improvements mean that as new cyber warfare attacks are discovered, the authentication service stays one step ahead.
14. The possibility of a phishing attack by a criminal impersonating an approved person is minimised by granting local management the right to manage their own teams.
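The sign-in rules in points 5 to 12 above (a one-time pass-phrase that must be redeemed within 15 minutes and is then disabled, an assigned permanent pass phrase, approved networks, days and hours, and an alarm when the same pass phrase arrives from a different computer) can be written down as a small policy evaluator. The block below is an added example, not the Bespoke Application Service's own code; the record layout, the pass phrase format, the device-trait fields and the ALLOW / DENY / REVIEW outcomes are assumptions made here, and only the 15-minute lifetime comes from the text.

```python
"""Sign-in policy checks modelled on the Authentication section above (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# From the text: a one-time pass-phrase must be used within 15 minutes.
ONE_TIME_LIFETIME = timedelta(minutes=15)


def new_phrase(words: int = 4) -> str:
    """Assigned pass phrase: random, never chosen by the person (format assumed here)."""
    return "-".join(secrets.token_hex(3) for _ in range(words))


def same(stored: Optional[str], offered: str) -> bool:
    """Constant-time comparison so response timing does not leak the stored phrase."""
    return stored is not None and hmac.compare_digest(stored.encode(), offered.encode())


@dataclass
class ApprovedPerson:
    name: str
    networks: Set[str]                 # office / home networks this person may sign in from
    days: Set[int]                     # approved weekdays, 0 = Monday ... 6 = Sunday
    hours: range                       # approved hours of the day, e.g. range(7, 20)
    device: Dict[str, str] = field(default_factory=dict)  # last seen device characteristics
    one_time: Optional[str] = None
    one_time_issued: Optional[datetime] = None
    permanent: Optional[str] = None


def issue_one_time(person: ApprovedPerson, now: datetime) -> str:
    """Manager action: create a short-lived one-time pass-phrase for the person."""
    person.one_time, person.one_time_issued = new_phrase(), now
    return person.one_time


def redeem_one_time(person: ApprovedPerson, phrase: str, now: datetime) -> Optional[str]:
    """First sign-in: returns the new permanent pass phrase, or None when the
    one-time phrase is wrong, already used or older than ONE_TIME_LIFETIME."""
    if person.one_time is None or person.one_time_issued is None:
        return None
    if now - person.one_time_issued > ONE_TIME_LIFETIME:
        person.one_time = None             # expired: disable it, a new one must be requested
        return None
    if not same(person.one_time, phrase):
        return None
    person.one_time = None                 # single use
    person.permanent = new_phrase()        # shown once to the person, known to nobody else
    return person.permanent


def check_sign_in(person: ApprovedPerson, phrase: str, network: str,
                  now: datetime, device: Dict[str, str]):
    """Decide ALLOW / DENY / REVIEW for a sign-in with the permanent pass phrase."""
    if not same(person.permanent, phrase):
        return "DENY", "pass phrase rejected"
    if network not in person.networks:
        return "DENY", "network not approved for this person"
    if now.weekday() not in person.days or now.hour not in person.hours:
        return "DENY", "outside approved days or hours"
    changed = sorted(k for k, v in device.items() if person.device.get(k) != v)
    if person.device and changed:
        # Same pass phrase from a different computer: raise an alarm for a verification call.
        return "REVIEW", "device characteristics changed: " + ", ".join(changed)
    person.device = dict(device)           # first sign-in records the approved device
    return "ALLOW", "approved person on approved device, network and time"
```

The REVIEW outcome is deliberately separate from DENY: a changed screen size or operating system is what the text expects after a legitimate change of computer, so the evaluator flags it for the monitoring team rather than locking the person out.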

SMS Two-Factor Login
1. Two-factor SMS message login is not used because it can easily be demonstrated to be a major security vulnerability as follows:-
2. The criminal triggers the "forgotten" password procedure for the target and is asked a number of security questions where the reply can normally be guessed from the person's social media.
3. The criminal sends an email to the target stating that because of an attack and to keep them safe they need to login again after their security is checked.
4. The criminal shows the target a form that looks identical to the forgotten password form and shows the identical questions that the criminal is shown.
5. The target replies to each security question by entering the answer into the criminal's form - the criminal replicates that same data into the real forgotten password form.
6. Eventually the forgotten password process says it is sending a SMS (or phone) message with an access code that must be entered into the form.
7. The target gets the access code and enters it into the criminal's form - the criminal enters it into the real forgotten password form.
8. Eventually the criminal is asked to enter their new password - they make up a complex password that is unknowable to the target.
9. The criminal is then able to login to the application using the new password that they created, while the target is told that the application is down for maintenance and asked to try again later.
10. With very clear evidence that the majority of forgotten password procedures are not safe, the most effective solution is to deploy anything else that is safe and secure.

Pseudonymised and Replicated Encrypted Data (PARED)
1. Pseudonymisation has been used for more than a decade for some business data and the current thrust is to use the technique to store most business data.
2. Pseudonymisation means replacing a field value with a token and using that token to lookup a different data store that holds the real field value.   For the last decade this was known as "code-description" options, but it has not been refined to incorporate encryption.
3. Real field values are encrypted and each is stored with its own unique primary key.   The primary key is encrypted by an algorithm into a token that is stored in the person's record.
4. Two levels of encryption are used: one level for the field value and one level for the token so the token cannot be associated with an encrypted field value.   Different encryption methods are used for each field so the same token value may be replicated to represent totally different field values.
5. Every database table is only identified by a number and every column in a record is only identified by a number - meaningful meta data has been eliminated.   It can be hard for a criminal to know if column 78 in table 123 that holds a token like 345 is a token to a person name or a department name in any other table or file.
6. Web 2.0 technology means that each field is saved as it is entered so it is not possible to enter some data and forget to save it.   This means that each field is updated one at a time and as the field value is updated in one database, the same encrypted transaction will update a different database in a distant data center.   Replication of all data means that in the event of a failure in one data center, business continues to be provided by other data centers.
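Points 2 to 5 above describe a specific data layout: the real field value is encrypted and stored under its own primary key in a separate store, the primary key is itself encrypted into the token that sits in the person's record, and tables and columns are known only by number. The block below is an added example of that two-level scheme, not the Bespoke Application Service's own code. Its cipher is a standard-library stand-in (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) for a real authenticated cipher such as AES-GCM, the table and column numbers are taken from the text, and the values, the record layout and the in-memory key table (a KMS or HSM in practice) are assumptions.

```python
"""Pseudonymised storage with two encryption levels, modelled on the PARED section above (added example)."""
import hashlib
import hmac
import secrets

NONCE, TAG = 16, 16


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i); XOR it into the data.
    Stand-in for a real cipher so the example runs with the standard library only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE)
    body = nonce + _xor_keystream(key, nonce, data)
    tag = hmac.new(key, b"tag" + body, hashlib.sha256).digest()[:TAG]
    return body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; rejects wrong keys and tampering."""
    body, tag = blob[:-TAG], blob[-TAG:]
    expected = hmac.new(key, b"tag" + body, hashlib.sha256).digest()[:TAG]
    if len(body) < NONCE or not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: wrong key or tampered data")
    return _xor_keystream(key, body[:NONCE], body[NONCE:])


class Vault:
    """Values live in a store addressed only by numbers: (table, column) -> {pk: ciphertext}.
    The person's record keeps only a token, which is the pk encrypted under a second key."""

    def __init__(self):
        self.store = {}
        self._keys = {}   # (table, column) -> (value_key, token_key); assumed, a KMS/HSM in practice

    def _keys_for(self, table: int, column: int):
        # Level 1 key encrypts field values, level 2 key encrypts primary keys into tokens.
        return self._keys.setdefault((table, column),
                                     (secrets.token_bytes(32), secrets.token_bytes(32)))

    def put(self, table: int, column: int, value: str) -> str:
        """Store the encrypted value under a fresh pk; return the token for the person's record."""
        value_key, token_key = self._keys_for(table, column)
        pk = secrets.token_bytes(8)
        self.store.setdefault((table, column), {})[pk] = encrypt(value_key, value.encode())
        return encrypt(token_key, pk).hex()

    def get(self, table: int, column: int, token: str) -> str:
        """Token -> pk (level 2) -> encrypted value -> field value (level 1)."""
        value_key, token_key = self._keys_for(table, column)
        pk = decrypt(token_key, bytes.fromhex(token))
        return decrypt(value_key, self.store[(table, column)][pk]).decode()


def demo():
    """Constructed sample: table 123, columns 78 and 79 as in the text; the values are made up."""
    vault = Vault()
    person_record = {78: vault.put(123, 78, "Ada Lovelace"),
                     79: vault.put(123, 79, "Accounts")}
    return vault, person_record
```

Because the nonce is fresh for every call, storing the same value twice yields unrelated tokens and ciphertexts, which is what point 4 above relies on: a token seen in one record says nothing about a token seen in another, and a copy of the store without the two keys yields neither the values nor the link between token and value.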

Notifiable Data Breach
1. For a data breach to have to be notified to ICO, then a risk must exist to personal data that has been lost or stolen.
2. It is a mission and an objective to do whatever it takes to eliminate the risk of a notifiable data breach.
3. Pseudonymisation is recommended by GDPR article 25 and 32 as a means to improve data protection.
4. Encryption of field values is recommended by GDPR article 32 and 34 as a means to improve data protection.   Encryption means that if the stored data is accessed by a criminal agency, the data would be unintelligible, meaningless and worthless.
5. Replication is a means to provide integrity and availability as required by GDPR article 32 because replicated data cannot be lost - data can always be recreated from many other data centers.   By deploying the Bespoke Application Service over a large number of data centers, the possibility of all data centers failing at the same time is too small to estimate.   The mission and objective is for the Bespoke Application Service never to stop; it cannot be stopped because some data centers will continue to operate.
6. Authentication with continual monitoring is a means to provide access control to only those approved people that have the right to process personal data at certain times.
7. It is stated that Pseudonymisation, Encryption, Replication and Authentication make the possibility of a notifiable data breach involving personal data being lost, stolen or accessed negligible.

Customer Contact Workflow and Life Cycle
1. A customer contact agrees to a discussion or dialogue with a company - the sales person imagines they are "selling" and the customer contact knows they are "buying".   The first step is that the company must disclose a lot of business data such as: who they are, where they operate, how long they have operated and what they offer.
2. When the customer contact is happy with the company data and what is on offer, the customer contact agrees to do a deal.
3. The customer contact must provide their personal data so the deal can proceed.   The customer contact can self-register or provide their personal data to somebody else to transcribe - transcribing is more expensive and error prone.
4. The customer contact must formally consent to the use of their personal data - evidence of consent can be hard to prove if the meeting is face-to-face or by phone.   Where the customer contact uses a self-register form, then a formal consent tick box can be included and all relevant information that the company must provide by law to the customer can be certain to be exchanged.   Consent must be time limited and 13, 25 or 37 months may be reasonable durations.
5. A paper "terms of business" and "letter of authorisation" may be signed by the customer contact where the company is not ready to minimise the cost of doing business by using electronic communications.   Paper documents do not excuse the company from providing a large amount of data protection information and gathering evidence that the customer contact has accepted the data protection information.
6. After the customer contact has provided consent for their personal data to be used and has evidence that the person is aware of the data protection information, then the company may process that personal data.
7. The first sensitive process may be to credit check the customer contact involving sharing personal data with a third party - if the customer contact has formally consented to such a process and evidence has been saved.
8. The next sensitive process may be to obtain one or more supplier quotations for the customer contact involving sharing personal data with a third party - if the customer contact has formally consented to such a process and evidence has been saved.
9. Quotation details may then be shared with the customer contact for review and decision.
10. After the customer contact has made a decision, one supplier quotation will be accepted and other supplier quotations will be declined.   The customer contact has the right to request that their personal data that was shared with the declined suppliers is erased - the right to be forgotten.
11. The accepted supplier will provide what was quoted for a period of time.   The customer contact has the right to request that personal data is kept up to date, that errors are rectified and that their personal data is erased as soon as a contract comes to an end.   Personal data will not be erased while billing is still outstanding, but the person has the right to withdraw consent for their personal data to be processed at any time.
12. A contract may be renewed where the customer contact gives consent to that renewal.   Where the contract is not renewed, then the company need to erase the personal data as soon as it is no longer necessary.
13. All personal data must have a formal life cycle and must be erased when it is no longer needed and the person must be informed when it is erased.
ONLINE: This sample data workflow shows that the customer must continually be kept in the loop because the company must put the customer first.   A regular dialogue between the customer and the company is mandated and where that relationship can prosper, then the company can prosper.   The Bespoke Application Service is not just an internal CRM, it is a constant communications vehicle with customers.

Digital Wallet: Private Block Chain
1. Personal data belongs to a data subject who may consent for a company to share that personal data for a period of time.
2. Personal data is locked up in a secure digital wallet that is known as a private block chain - block chain has a 20 year evidence of being very secure.
3. The data subject can access their digital wallet at approved times of the day and days of the week to view, rectify, download or erase their personal data or withdraw consent from their data being used by the company.   The data subject has the right to take their digital wallet to any other company.
4. The company can access each digital wallet at approved times of the day and days of the week to process that personal data for as long as the data subject has given consent.
5. Ownership of personal data in a digital wallet is self-evidently with the data subject who must consent to that digital wallet being used by a company and can change their mind at any time.
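The Customer Contact Workflow above fixes a life cycle for consent (granted for 13, 25 or 37 months, withdrawable at any time, erasure deferred while billing is outstanding) and the Digital Wallet section adds that the record of that consent should be held in a tamper-evident chain that the data subject can inspect. The block below is an added example serving both sections, not the Bespoke Application Service's own code: it keeps each consent event in a hash-chained ledger (each entry carries the SHA-256 of the previous entry) and answers "was consent for this purpose active at this instant" by walking the chain. The event names, the ledger layout and the purposes used in the sample are assumptions; the durations come from the text.

```python
"""Hash-chained consent ledger for the customer contact life cycle (added example)."""
import calendar
import hashlib
import json
from datetime import datetime
from typing import Dict, List

DURATIONS_MONTHS = (13, 25, 37)     # consent durations suggested in the text
GENESIS = "0" * 64                  # prev-hash of the first entry


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month0 = when.month - 1 + months
    year, month = when.year + month0 // 12, month0 % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def entry_hash(body: Dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """One chain per data subject and company; the subject can read and verify it."""

    def __init__(self, subject: str, company: str):
        self.subject, self.company = subject, company
        self.entries: List[Dict] = []

    def _append(self, event: str, at: datetime, data: Dict) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event,
                "at": at.isoformat(), "data": data}
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry

    def grant(self, at: datetime, months: int, purposes) -> Dict:
        if months not in DURATIONS_MONTHS:
            raise ValueError("consent must be time limited to 13, 25 or 37 months")
        return self._append("grant", at, {"months": months, "purposes": sorted(purposes)})

    def rectify(self, at: datetime, field_name: str) -> Dict:
        # Only the field name is chained; the value itself lives in the pseudonymised store.
        return self._append("rectify", at, {"field": field_name})

    def withdraw(self, at: datetime) -> Dict:
        return self._append("withdraw", at, {})   # allowed at any time

    def erase(self, at: datetime, billing_outstanding: bool) -> Dict:
        if billing_outstanding:
            raise PermissionError("personal data is not erased while billing is outstanding")
        return self._append("erase", at, {"subject_informed": True})

    def consent_active(self, purpose: str, at: datetime) -> bool:
        """Point-in-time query: the latest grant before `at` wins until it expires,
        is withdrawn or the data is erased; later events are ignored."""
        until, purposes = None, set()
        for e in self.entries:
            when = datetime.fromisoformat(e["at"])
            if when > at:
                break
            if e["event"] == "grant":
                until = add_months(when, e["data"]["months"])
                purposes = set(e["data"]["purposes"])
            elif e["event"] in ("withdraw", "erase"):
                until, purposes = None, set()
        return until is not None and purpose in purposes and at < until

    def verify(self) -> bool:
        """Recompute every link; any edited or reordered entry breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The ledger holds references and decisions, never the personal data itself, so erasure of the data does not require rewriting history: the `erase` entry is simply the last link, and a subject or auditor can confirm with `verify()` that nothing before it was altered.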

Privileged User Problem
1. The privileged user problem has been eliminated by removing the need to have any privileged user.
2. Approved people are granted normal sign-in rights and no other person can access any business data.
3. Approved people include the ASP Second Level Support team who can use the normal Bespoke Application Service forms that are used by all approved people.   The only exception is that Second Level Support like Executives can access data that is owned by any selected office.
4. System administrators have access to raw encrypted data in multiple data centers but have no way to know what data is in any file or table and have no way to decrypt the contents.   Vast amounts of encrypted business data is hidden in images that are lost in a massive image library - it is all meaningless to a criminal and to any person who has physical access to any equipment in any data center.

System Software
1. It is a business requirement to minimise the risk from vulnerabilities of system software running racks of servers.   A risk is that an agency will gain physical access to a rack of servers - it will be impossible for that agency to install malware or fit monitoring equipment.   A risk is that a criminal will gain remote access to a rack of servers - it will be impossible for that criminal to execute any programs or access any intelligible data.
2. Three Tier Architecture is the most secure server rack configuration that has been devised and is used to ensure that no database server or application server is connected to the Internet.   Web servers are connected via an Intrusion Detection Server (IDS) with all ports disabled, except 443 for HTTPS traffic.
3. Wilux is the most secure operating system that is configured to disable all services, except the one dedicated to web, application or database services.   No application programs are installed and no application programs are permitted to be executed.   When Wilux has come to the end of its life cycle (between 19 and 28 months), then the machine is moved off line and refurbished.   The risk of enabling regular patches to the operating system is greater than the risk of operating Wilux with all remote services disabled.   Wilux is an engineered edition of Centos with encrypted configuration files that prevent access, even if the machine was stolen.
4. Anti-Virus is built into the CPU architecture to stop remote code execution and prevent any malware from being executed.   The risk of anti-virus daily patch updates to software is greater than the risk of only using anti-virus hardware.
5. Servers are engineered as a simplified motherboard with CPU, local memory and encrypted flash memory.   Multiple ethernet ports connect via local routers to other servers, but no graphics, USB or any other type of port exist.
6. Picture library is what will be seen if a server was stolen with all system software files stored as pictures - unintelligible privacy by design.   Hundreds of thousands of the pictures are not used and it is impossible to distinguish which pictures hold real configuration details and which pictures hold fake configuration details.

Plausible Test Data
1. With more than a decade of continual improvements to the encryption methods, a mechanism of creating plausible fake business data has evolved.
2. All business data is encrypted using layer after layer of different methods so if one layer is cracked, other layers continue to protect the business data.
3. In addition, a lot of fake test data is also encrypted and stored as the plausible result of a criminal using massive processing power to guess all possible decryption solutions.   It is assumed that the decryption procedure will stall when a load of plausible fake test data is revealed.
4. Periodically, additional layers of encryption are introduced so no single method is used to encrypt any specific field value.   A field value encrypted last year will use a unique set of encryption methods and the same field value encrypted today will use a different set of encryption methods.   This ensures that if one set of encryption methods is cracked by massive processing power, other field values will remain protected.

Risk Checklist:
1. Equifax had hundreds of millions of personal details stolen over many months because they used a proprietary operating system that needed regular patches to prevent remote code execution.   That risk is eliminated by not using a proprietary operating system that needs regular patching.   That risk is eliminated by using a rack of dedicated servers where each server can only provide one and only one service.   That risk is eliminated by disabling all system software services, except one specific service.
2. TalkTalk had millions of personal details stolen when a machine was physically stolen.   Deutsche Bank had 20 servers stolen from their London office at midday by a gang of people armed with bolt cutters and sledge hammers.   That risk is eliminated by only storing encrypted data and never storing readable data.   That risk is eliminated by using a large number of single purpose servers that are housed in the same secure data centers that house the UK broadband backbone.
3. NHS and thousands of other companies lost use of their computers when ransomware spread as Office files were opened.   That risk is eliminated by not installing any application software on any server and not permitting any application program to be executed.   That risk is eliminated by not permitting emails to be stored on any machine that can see a server - every email is a potential threat to be erased as soon as possible.

Encryption Farm
1. Pseudonymised data is stored in encrypted files where many layers of encryption are deployed.   The number of layers of encryption is a trade secret.   Each different field type has a unique set of encryption methods and each field may have its own bespoke encryption layers.
2. An industry standard encryption layer using normal 2048 bit keys is used, but the result is further encrypted using many other methods.
3. Encryption includes the generation of fake business data that is a plausible result, but is just made up test data.   Where a criminal was to spend vast resources to try to decrypt the stored data, they would discover many alternative plausible results where the majority of the results are fake.
4. Built into the encryption farm is a method of continual improvement so the encryption methods used one week will not be the same as the encryption methods used in a later week.   It would be illogical to imagine that one encryption method could be satisfactory for all time, so continual improvements means that a criminal trying to decrypt the stored data would be faced with an ever improving set of encryption methods.
5. Obfuscation is the primary security method with no documentation to identify what data is stored in what table and no way to guess what a stored column token may represent.   Table 123, column 78 may hold a value as 567890 that may or may not be a token to some pseudonymised file of encrypted field values - even the token is encrypted.   A unique characteristic of the architecture is that all data objects are represented by a number and all tokens are represented by a number and all files are represented by a number.
6. Fragmentation is a characteristic of primary data objects: they are not stored as fields in one record, but fragmented into fields across many different records.
7. Field level encryption is based on more than one field value so the same field value that is encrypted for different records will have a different encrypted representation.   For example, if LONDON is encrypted as 9876543 in one record, the same value for LONDON in a different record may be encrypted as 7654390.
8. Date field encryption is based on the number of time units since a prior historical event, where the time units may be a count of 345 second units and the historical event may be the date Kennedy was killed.   While trial and error will eventually decrypt this date encryption method, another factor is continual evolution where the time units will vary and the historical event will vary based on other stored data.
9. The mission is not to prevent decryption, but to cause many plausible results to be possible.   The solution is not to use one encryption method but to deploy many thousands of different encryption methods and have them layered on top of one another - five layers may be too hard to reverse.   It has been said that it may be impossible for the most powerful computers in the world to decrypt a field value that has been encrypted using many different encryption methods in an order that cannot be determined.
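The following Go program is an added example, not code from this document or from the Bespoke Application Service, showing how three of the properties described in this section and in "Plausible Test Data" are obtained with one standard AEAD layer: a per-column key derived from a numeric table and column identifier (point 5), a different ciphertext for the same value in every record (point 7, the LONDON example), and key generations so that a value encrypted under last year's key still decrypts while new writes use a newer key (point 4 of "Plausible Test Data" and point 4 above). Everything below is assumed for the illustration: AES-256-GCM as the industry-standard layer, HMAC-SHA256 as a stand-in for HKDF key derivation, master keys constructed from labels instead of an HSM, and the table 123 / column 78 / record numbers taken from the text as sample identifiers. The document's further proprietary layers are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One master key per key generation. The values are CONSTRUCTED for this example
// (hashes of labels); a real deployment would hold them in an HSM or KMS. Keeping
// old generations lets data encrypted last year still decrypt while new writes use
// the newest generation, which is how "different methods next week" is made safe.
var masterKeys = map[uint8][]byte{
	1: labelKey("constructed-master-key-generation-1"),
	2: labelKey("constructed-master-key-generation-2"),
}

const currentGeneration uint8 = 2

// labelKey turns a label into 32 bytes; used only to build the constructed sample keys.
func labelKey(label string) []byte {
	h := sha256.Sum256([]byte(label))
	return h[:]
}

// deriveFieldKey derives a distinct AES-256 key for one (generation, table, column),
// using HMAC-SHA256 as a simple stand-in for HKDF, so no two columns share a key.
func deriveFieldKey(gen uint8, table, column int) ([]byte, error) {
	mk, ok := masterKeys[gen]
	if !ok {
		return nil, fmt.Errorf("unknown key generation %d", gen)
	}
	mac := hmac.New(sha256.New, mk)
	fmt.Fprintf(mac, "field-key|gen=%d|table=%d|column=%d", gen, table, column)
	return mac.Sum(nil), nil
}

// newAEAD builds the AES-GCM instance for one column under one key generation.
func newAEAD(gen uint8, table, column int) (cipher.AEAD, error) {
	key, err := deriveFieldKey(gen, table, column)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recordAAD binds a ciphertext to its record as associated data: a blob copied into
// a different record fails authentication instead of decrypting.
func recordAAD(recordID int) []byte {
	return []byte(fmt.Sprintf("record=%d", recordID))
}

// EncryptFieldWithGeneration encrypts one field value under a chosen key generation.
// Blob layout: gen (1 byte) || random nonce (12 bytes) || AES-GCM ciphertext+tag.
// The random nonce is why "LONDON" never produces the same blob twice.
func EncryptFieldWithGeneration(gen uint8, table, column, recordID int, value string) ([]byte, error) {
	aead, err := newAEAD(gen, table, column)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{gen}, nonce...)
	return aead.Seal(blob, nonce, []byte(value), recordAAD(recordID)), nil
}

// EncryptField encrypts with the newest key generation.
func EncryptField(table, column, recordID int, value string) ([]byte, error) {
	return EncryptFieldWithGeneration(currentGeneration, table, column, recordID, value)
}

// DecryptField reads the generation tag, rebuilds the matching column key and verifies
// the record binding and the GCM tag; a wrong record, wrong column, unknown generation
// or any tampering returns an error rather than garbage plaintext.
func DecryptField(table, column, recordID int, blob []byte) (string, error) {
	if len(blob) < 1 {
		return "", errors.New("empty ciphertext blob")
	}
	aead, err := newAEAD(blob[0], table, column)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < 1+ns {
		return "", errors.New("ciphertext blob too short")
	}
	pt, err := aead.Open(nil, blob[1:1+ns], blob[1+ns:], recordAAD(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	a, _ := EncryptField(123, 78, 1, "LONDON")
	b, _ := EncryptField(123, 78, 2, "LONDON")
	fmt.Printf("record 1: %x\nrecord 2: %x\n", a, b) // same value, different blobs
	v, err := DecryptField(123, 78, 1, a)
	fmt.Println("record 1 decrypts to:", v, err)
	_, err = DecryptField(123, 78, 2, a)
	fmt.Println("blob moved to record 2:", err) // authentication failure
}
```

The generation byte stored with each blob is what makes periodic introduction of new keys workable: a reader never has to guess which method was used, and retiring a generation is a matter of re-encrypting the rows that still carry its tag and then deleting its master key.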

Document Control
Document Title: GDPR DPIA.
Document Key Words: GDPR, policy, process, procedure, business rules.
Document Description: GDPR DPIA.
Document Privacy: Public shared for the benefit of humanity.
Document Edition: 1.2.
Document Released: 22 Aug 2017.