After Validating my BEP last week, the next step is for me to start to producing information about my home. However, before I do so, I wanted to go over my data security requirements to make sure I haven’t missed anything, and that my data is safe to share on this blog.
Right, first thing’s first; If anyone is doing BIM and concerned about data security then the first document to consider should be PAS 1192-5. Note: I am personally not a fan of this document but that is another topic for another blog.
The goal of PAS 1192-5 is admirable, it intends to :
- Protect information about the location of sensitive assets;
- Protect information about assets that are considered sensitive; and
- Recognize where data collection could compromise the security of an asset.
However, once I had read PAS 1192-5 it quickly stops being relevant as my home does not form part of the national infrastructure and is not
yet a landmark; therefore is not considered a ‘sensitive asset’, meaning that the PAS 1192-5 does not apply. Instead, it suggests that I meet base security requirements as well as the Governments Cyber Essential Scheme and the Security Policy Framework. However, the Governments Cyber Essential Scheme is not applicable as I have outsourced responsibility for my network to Google (thanks Google) through hosting my files on Google Drive, and the Security Policy Framework is very high level and relates specifically do HMG data, of which I am collecting none.
So what next?
Thinking about it, my concern is not with Data Security but more do to with how to handle Personal Data. While I am happy for you to know lots about me, without my wife’s consent if I were to advertise our address and contents of our home there would certainly be data protection and personal safety (my personal safety!) issues. So I instead referred to information from the International Commissioner’s Office (ICO), who have several useful resources relating to the Data Protection Act. Which calls for me to assess:
- What information do I intend to share? The graphical models, non-graphical data, and documentation I will be producing about my home.
- What is the objective of sharing this information? To demonstrate how BIM Level 2 processes can be successfully applied to small scale residential scheme in a pragmatic and straight forward manner.
- How do I intend to share it? Place information within a Google Drive folder with public access.
- What risk does sharing the data pose? Provide unintended personal or sensitive data about occupant(s) and their home. “Oh look, Dan’s TV is right next to this window..“.Note: If is worth mentioning that data, such as contact details and addresses, can appear in many locations. Prior to the release of this post, my address could be found using a website identity service like whois.net (until this week when I paid to have this information hidden).
- Could the objective be achieved through anonymising it? Yes as the information doesn’t need to be complete, just consistent. However, there is a time resource to manipulating any information, therefore, the preferred method is to exclude sensitive deliverables for sharing.
- Will data be transferred out of Europe? I don’t know.
The Data Protection Act has strict rules around having personal information leave Europe #DataBrexit. Google have several data centre‘s across the globe so any personal information could be transferred to these. However, Google have established sufficient contract clauses to comply to the Data Protection Act and use their data stores outside of Europe. To avoid this problem, I should avoid the inclusion of any personal or sensitive data within my shared deliverables. Much like traditional risk assessments, the best solution is to follow ERIC (Eliminate, Reduce, Isolate, Control).
Luckily I have already been eliminating personal information from my documentation though removing addresses, as well as reducing the risk through supplementing real world coordinates for a 0,0 project base point in my BIM Execution Plan; therefore by controlling the remaining data within my models through removing any physical location information, I should not be sharing any personal or sensitive information.
And there you have it, by carefully considering my information requirements through using the (somewhat) relevant Standards, I have further enhanced by data security plan; fantastic. This means that I am ready to start producing information to answer my next Plain Language Question, PLQ 2.3
2.1 What existing information is available?
2.2 Is there sufficient information to produce a BEP?
2.3 What is the layout of the house?
2.4 What assets are contained within?
2.5 What asset information can be linked to the graphical model?
Now that I have properly considered data security, it’s time to produce some information and work out the Layout of my home…
Note: If you have any comments regarding my data security conclusions, then please let me know either on Twitter, or by commenting below.