We're looking at building an app that requires us to store photocopied passports and IDs of our clients.

We're using AWS and are located in Australia.

Are there any local/international laws that require us to encrypt the data at rest?

What's the best way of storing and retrieving this sensitive data?
Take a look at the new data protection Directive from the EU (will be in effect from June 2018) - eventually all states will have some kind of regulation similar to this:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:TOC

The best way to comply if your app is used in Europe is 1) start writing a .doc document detailing which data you want to collect, where you store it, *when* you use encryption (suggestion: both in the application and the data volumes - but be careful choosing the ciphers for volume and in-app), and *why* you allow people to see the data.
One thing that comes to mind is the personally identifiable information (PII) that is in the passport/ID. Usually it will have ID numbers but also name, address, etc.

Look at what the EU is requiring for this - it used to be called Safe Harbor.

A few things I remember about those requirements:
- data encryption at rest and in transit
- no onward transfer to third parties
- opt-out methods for users to not allow you to capture the data

You may want to look into any restrictions on using a cloud provider or specific configurations you may need (i.e. no failover to a non-AU AWS farm).
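An S3 bucket policy that enforces the two technical controls listed in this answer (encryption at rest with a KMS key, TLS in transit) on a bucket holding the ID scans; this is an added example, not any poster's configuration. The bucket name `example-id-scans-au`, account id `111122223333` and key id `EXAMPLE-KEY-ID` are placeholders, and the bucket is assumed to have been created in ap-southeast-2 (Sydney) with no cross-region replication rule, which is what keeps the scans from leaving Australia.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-id-scans-au",
        "arn:aws:s3:::example-id-scans-au/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-id-scans-au/*",
      "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }
    },
    {
      "Sid": "DenyUploadsMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-id-scans-au/*",
      "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }
    },
    {
      "Sid": "DenyUploadsWithWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-id-scans-au/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    }
  ]
}
```

Pinning the KMS key ARN to a key in ap-southeast-2 means the ciphertext cannot be decrypted by a key in another region, and the key's own policy plus CloudTrail give you the access record and audit trail a data-protection review will ask for.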