
Ask HN: How would you securely store and retrieve photocopied passports/ids - skyisblue
We&#x27;re looking at building an app that requires us to store photocopied passports and ids of our clients.<p>We&#x27;re using AWS and are located in Australia.<p>Are there any local&#x2F;international laws that require us to encrypt the data at rest?<p>What&#x27;s the best way of storing and retrieving this sensitive data?
======
eb0la
Take a look at the new data protection Directive from the UE (will be in
effect from June 2018) - Eventually all states will have some kind of
regulation similar to this:

[http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:O...](http://eur-
lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC)

The best way to comply if your app is used in Europe is 1) start writing a
.doc document detailling which data you want to collect, where do you store
it, _when_ do you use encryption (suggestion: both in the application and the
data volumes - but be careful choosing the ciphers for volume and in-app), and
_why_ do you allow people to see the data.

------
matt_s
One thing comes to mind is the personally identifiable information (PII) that
is in the passport/ID. Usually it will have ID numbers but also name, address,
etc.

Look at what the EU is requiring for this - it used to be called Safe Harbor.

A few things I remember about those requirements: \- data encryption at rest
and in transit \- no onward transfer to third parties \- opt-out methods for
users to not allow you to capture the data

You may want to look into any restrictions on using a cloud provider or
specific configurations you may need (i.e. no failover to a non-AU AWS farm).

------
sparkling
Before you do any of this: in many countries it is illegal to store/copy ID
documents of your Clients.

