There are many amazing examples of GIS being used to help understand and respond to the COVID-19 crisis. In the UK, hundreds of organisations are using ArcGIS Online’s cloud-based tools to manage, analyse and communicate key data related to the crisis. Some of this data is very sensitive, ranging from maps of critical infrastructure through individual case data to lists of vulnerable people. While the ability to rely on highly available online systems has been invaluable, the need to manage this type of data in a secure and controlled manner is vital.
For some, the move to the cloud is a new experience, so they are asking good questions about how they can do this in a way that is safe and that meets their data security requirements. As a data owner or controller you remain responsible for choosing any systems you use and validating that they meet your own needs. Here, I’ll explain how ArcGIS Online can address the requirements specific to handling personal, sensitive and health data in the UK. You can also find full documentation of how ArcGIS Online is aligned with global security and privacy standards at our trust site (https://trust.arcgis.com/en/).
UK Data management frameworks
In the UK the management of personal or sensitive data, both on-premises and in the public cloud, is governed by a number of regulations and industry-focused guidance. This includes guidance from NHS Digital, the National Cyber Security Centre (NCSC) and the General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO), which oversees GDPR compliance in the UK, recently released advice for working with personal data during this crisis, outlining the importance of innovation in data when responding to the COVID-19 crisis, but also how to do this within the guidelines for data protection in the UK.
GDPR and ArcGIS Online
The management and processing of personal data is governed under law in the UK by GDPR. This sets out the rights and responsibilities of individuals and the organisations managing their personal data. You can find full details of how ArcGIS Online enables organisations to meet their GDPR requirements here. Some of the key aspects of this are:
Tools to allow organisations to effectively manage personal data
Certification under US-EU Privacy Shield regulation and additional contractual provisions
Robust security system and 3rd party auditing (see below)
Since that guidance was written, we have introduced a new ArcGIS Online EU hosting option for organisations, and while this is not a requirement under GDPR for personal data, it supports individual organisational policies requiring data to be hosted in the EU.
One of the key responsibilities of organisations managing personal data is to ensure the security of that data. How this is achieved will depend on the system in use and the level of security required, and will also apply to data that is not classed as personal under GDPR.
Data Security in ArcGIS Online
There is a huge range of advice for organisations regarding data security when working with public cloud systems. In the UK the National Cyber Security Centre publishes guidance for the public sector, and other organisations, on assessing their use of cloud-based systems such as ArcGIS Online. The guidelines list 14 principles that can be used to assess a cloud service such as ArcGIS Online. This document outlines how ArcGIS Online addresses each of those principles.
NHS Digital also provides guidance to the health and social care sector on how to manage data in public cloud systems such as ArcGIS Online. This takes the form of a Good Practice Guide and is based on the 14 NCSC principles. You can use the document linked above to understand how ArcGIS Online addresses those principles.
We also publish a detailed breakdown of all the security controls implemented by ArcGIS Online as part of our Cloud Security Alliance assessment. These controls are audited by a 3rd party as part of our FISMA accreditation. Some of the key controls are:
Data encryption at rest and in transit
Physical and logical access controls
Robust Configuration and Change Management Process
Physical and logical data separation
Secure development and patching life cycle
ArcGIS Online has been designed with strong security controls in place, which means organisations can confidently use it to manage data in compliance with the National Cyber Security Centre’s cloud computing guidelines.
Best Practices in ArcGIS Online
The security approach when using a public cloud-based system is what’s known as a shared responsibility model, where both we as the provider and you as the organisation admin take responsibility for different aspects of security. The previous section has outlined the controls in place across ArcGIS Online, but there are also things that organisations should do to ensure the security of the system meets their own data requirements.
Some of this best practice relates to how you model and store relevant datasets. Sensitive data can often be aggregated or anonymised before being used in analysis and maps. In fact there are many tools within ArcGIS that can be used to process the data before it is published. You can also carefully choose what level of data you need to work with to achieve your requirements.
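As an added illustration of the aggregation and anonymisation step described above (this is example code written for this post, not Esri code or an ArcGIS tool), the following script takes constructed case-level records, counts them per statistical area, suppresses small cells and checks that no identifier field survives into the output. The record fields, the area code column and the suppression threshold of 5 are assumptions for the example; use the threshold your own data protection policy sets.

```python
"""Aggregate case-level records to area counts, suppressing small cells,
before anything is published as a shared layer.

Added illustration for this post, not Esri code or an ArcGIS tool. The
record fields, the area code column and the suppression threshold of 5
are assumptions for the example.
"""
from collections import Counter

# Constructed sample of case-level rows (NOT real data). Each row carries
# direct identifiers plus a coarse statistical area code.
SAMPLE_CASES = [
    {"nhs_number": "0000000001", "postcode": "AB1 2CD", "area": "E01000001"},
    {"nhs_number": "0000000002", "postcode": "AB1 2CE", "area": "E01000001"},
    {"nhs_number": "0000000003", "postcode": "AB1 2CF", "area": "E01000001"},
    {"nhs_number": "0000000004", "postcode": "AB1 2CG", "area": "E01000001"},
    {"nhs_number": "0000000005", "postcode": "AB1 2CH", "area": "E01000001"},
    {"nhs_number": "0000000006", "postcode": "AB2 3CD", "area": "E01000002"},
    {"nhs_number": "0000000007", "postcode": "AB2 3CE", "area": "E01000002"},
]

# Fields that must never appear in anything published (assumed list).
IDENTIFIER_FIELDS = {"nhs_number", "postcode"}

SUPPRESSION_THRESHOLD = 5  # assumed policy value


def aggregate_cases(records, area_field="area", threshold=SUPPRESSION_THRESHOLD):
    """Return one attribute dict per area carrying the case count.

    Only the area field is read from each record, so identifiers cannot
    leak into the output. Counts below the threshold are replaced by None
    and labelled "<threshold" so that small numbers are not disclosed.
    """
    counts = Counter(r[area_field] for r in records)
    features = []
    for area, n in sorted(counts.items()):
        suppressed = n < threshold
        features.append({
            "area": area,
            "count": None if suppressed else n,
            "count_label": f"<{threshold}" if suppressed else str(n),
        })
    return features


def contains_identifiers(features, forbidden=IDENTIFIER_FIELDS):
    """True if any attribute name in the output is a forbidden identifier."""
    return any(forbidden & set(f) for f in features)


if __name__ == "__main__":
    published = aggregate_cases(SAMPLE_CASES)
    # Final gate before publishing: refuse if an identifier slipped through.
    assert not contains_identifiers(published)
    for feature in published:
        print(feature)
```

The area with only two cases is published as "<5" rather than as a count, and the identifier check runs on the output rather than the input, so it catches a future change that copies extra columns through.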
As part of the security controls in ArcGIS Online there are a number of optional settings that organisations can implement, depending on their needs. You can find our detailed ArcGIS Online security configuration best practice here. To check the level of security you have configured, you can also use the Security Advisor tool. This will check and make recommendations for the optional settings to ensure you are making the best use of the security features of the platform. Some of the options you can choose are:
Enable TLS support (HTTPS)
Implement an enterprise identity provider
Prevent public sharing and anonymous access
Configuration of groups and custom roles
Access to detailed audit logs
Choice of data hosting location
Using the optional settings in ArcGIS Online you are able to configure your organisational account to meet your specific requirements and balance functionality against security, depending on your needs and the types of data you are storing.
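To show what a check of those optional settings looks like in code, here is an added example written for this post; it is not Esri's Security Advisor and not Esri code. The sample organisation description is constructed, and the property names it reads (allSSL, canSharePublic, access, canSignInArcGIS, canSignInIDP) are my reading of the portals/self REST response, so verify them against your own organisation's output before relying on the check. Missing properties are deliberately treated as the weak setting, so an unexpected response produces a finding rather than a silent pass.

```python
"""Check an ArcGIS Online organisation description against the optional
hardening settings listed above: TLS-only access, no public sharing or
anonymous access, and an enterprise identity provider.

Added example for this post, not Esri's Security Advisor and not Esri code.
The sample response is constructed; the property names are assumptions to
verify against a real portals/self response.
"""
import json
import urllib.parse
import urllib.request

# Constructed example of a weakly configured organisation (not real).
CONSTRUCTED_PORTAL_SELF = {
    "name": "Example Council GIS",
    "allSSL": False,          # HTTP still allowed
    "canSharePublic": True,   # members may share items with everyone
    "access": "public",       # organisation visible anonymously
    "canSignInArcGIS": True,  # built-in ArcGIS accounts allowed
    "canSignInIDP": False,    # no enterprise identity provider
}


def check_security_settings(portal_self):
    """Return a list of findings; an empty list means every checked setting is hardened.

    Missing properties default to the weak value so the check fails closed.
    """
    findings = []
    if not portal_self.get("allSSL", False):
        findings.append("allSSL is false: allow HTTPS (TLS) connections only")
    if portal_self.get("canSharePublic", True):
        findings.append("canSharePublic is true: members can share items publicly")
    if portal_self.get("access", "public") == "public":
        findings.append("access is public: organisation content is reachable anonymously")
    if not portal_self.get("canSignInIDP", False):
        findings.append("canSignInIDP is false: no enterprise identity provider configured")
    elif portal_self.get("canSignInArcGIS", True):
        findings.append("canSignInArcGIS is true: built-in accounts still allowed alongside the IdP")
    return findings


def fetch_portal_self(org_url, token):
    """Fetch the live description for an organisation (assumed endpoint form).

    org_url is e.g. https://<your-org>.maps.arcgis.com (placeholder) and token
    an administrator token. The token is sent in the POST body rather than
    the query string so it does not end up in proxy or server access logs.
    """
    url = f"{org_url.rstrip('/')}/sharing/rest/portals/self"
    body = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    with urllib.request.urlopen(url, data=body) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in check_security_settings(CONSTRUCTED_PORTAL_SELF):
        print("FINDING:", finding)
```

Run against the constructed organisation it reports four findings; against an organisation with TLS enforced, public sharing and anonymous access off, and an IdP as the only sign-in route it reports none.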
ArcGIS Online implements strong security controls that meet the guidelines set out for UK organisations working with the types of data important for COVID-19 responses. This supports both GDPR requirements and the security principles set out by the National Cyber Security Centre for working with cloud systems. When combined with the ability to choose custom security and hosting options, this enables organisations to securely make use of the powerful ArcGIS capabilities for data storage, analysis and presentation - while benefiting from the scalability, resilience and ease of deployment of the cloud-based ArcGIS Online platform.