An earlier post talked about data privacy in cloud-agnostic settings. This post builds on that post while involving the cloud, which is everywhere these days. Companies want the cloud because it’s ubiquitous and depending on some factors cheaper than traditional IT infrastructure. It comes without saying that Memorandum of Understandings (MOU) and Service-Level Agreement (SLA) are a must when establishing a relationship with a cloud provider. It also important to have strong business process interruption remediation plans. Cloud models have different flavors, each with its target use. Existing cloud models are private, public, community, and hybrid. Though, public and private clouds are more common, but with the introduction of heavy data privacy regulations hybrid clouds are emering. Hybrid clouds combines the privacy of the private cloud and the availability (e.g. regions around the globe) of the public cloud.
The following list is not comprehensive or in order, but it should provide a good baseline for your data collection project involving the cloud.
- Cloud
- Private Cloud
- Role-Based Access Controls (RBAC)
- Attribute-Based Access Controls (ABAC)
- Internal Use vs External Use
Let’s dive into each practice to learn why you need to keep these in mind before, during, and after your data collection project that involves at least one cloud model
Cloud
Data collection projects involve cloud information systems, even if it’s imperceptible. More and more companies are building on the cloud. Legacy companies began migrating to the cloud as soon as it was feasible to do so. Four cloud models exists. These are public, private, community, and hybrid. The most common types of cloud models are public and private clouds. With these factors in mind, it’s technically possible that your data may be stored in cloud regions that are forbidden for the type of data you are collecting, specially if it contains health data and/or personally identifiable information (PII).
Private Cloud
Private clouds models are traditional IT infrastructure, servers, client computers, and applications. Private clouds are relevant in data collection projects that involve sensitive data such as PHI and PII. Many data collections involved somewhat inevatibly PII data, so private cloud makes sense to meet project regulatory requirements.
Role-Based Access Controls (RBAC)
Role-base access controls (RBAC) are access controls (ACL) that govern users permissions within the organization. In the perfect world, ACLs grant a user the ability to perform one job and only one job using information technology. Role-base access controls are the base access controls for a user in a data collection project.
Attribute-Based Access Controls (ABAC)
Attribute-based access controls (ABAC) are extensions of RBAC, usually in special projects such as data collection projects. ABAC, in practice, are ephemeral as opposed to RBAC that are permanent as long as the person is employed in the same role. ABAC are ephemeral because they tend to be active during a project and they go away as soon as the project concludes.
Internal Use vs External Use
Data collection projects are marketing, market research, or academic research. The data is held by the company that collected it, but it is possible that data is used and shared with internal and external collaborators. These type of arrangements tend to produce higher quality outcomes because people with specialized knowledge from different areas contribute, as opposed few internal people if the data were not shared. Sharing data is a tricky subject because sharing flexibility will depend on what was approved when the data collection project was reviewed and approved.