Data classification and protection of sensitive personal information: Addressing the challenges. The LocoMotion case study

LocoMotion is part of the innovation community program Montréal in Common, led by the City of Montréal. LocoMotion is a car-sharing project, where citizens can share cars, bikes (many of them electric) and bike trailers. Owners and borrowers can book private and shared vehicles via the www.locomotion.app website. The LocoMotion development team received targeted support from Open North to strengthen its data management practices.

Subsequently, the organization implemented basic measures on the topics identified, stemming from the Montréal in Common Data Governance Framework, notably through an iterative approach divided into several sessions, involving the identification of bottlenecks, the formulation of hypotheses and the monitoring of progress in order to ultimately draw learnings from it.

Introduction

In today’s world, data is omnipresent, and its use is essential to many activities. Protecting sensitive personal information has therefore become a top priority. As part of information security management, data classification is a key process which identifies, labels and classifies data according to its level of sensitivity and confidentiality.

Data classification categorizes information according to its level of confidentiality, its value, and the risks it presents in the event of unauthorized disclosure. Classification enables organizations to better understand their data, define appropriate security policies and implement effective protection measures.

Sensitive personal data is at the heart of data classification. In the case of particularly sensitive data, its unauthorized disclosure can have serious consequences for individuals, including identity theft and violation of privacy.

The LocoMotion platform: challenges and opportunities

In light of these security and confidentiality risks, increasing user confidence in the LocoMotion platform represents a major challenge. 

This is a significant issue, as various stakeholders are involved in the use of this data. The stakeholders may include direct users such as borrowers, owners, co-owners, community administrators or the development team. However, it should be noted that, with the exception of occasional authorized access required for testing and patching, there is otherwise no need for the development team to access sensitive data. 

In addition to these categories, the organization itself must have access to the data for analytical purposes. Finally, indirect stakeholders such as technology service providers like Google Cloud and Mailchimp are also impacted.

For the organization, it is therefore imperative to establish clear and transparent policies regarding these issues, and work to improve identity and data access management practices.

Another priority identified by the team was to improve access management. Since there are two types of access involving two systems (i.e. access to data through development tools and access to data through the app), the team decided to implement a data classification system to address this aspect. 

Towards data classification for improved identity and data access management

To begin this data classification, LocoMotion carried out an inventory of access and permissions for all roles. Next, it was important to determine precisely which roles existed and which were yet to be defined, and then to determine the protocols for granting access according to these roles, while keeping security risks in mind. Finally, documenting the access authorization and revocation process was also a key element. 

Two initiatives related to data classification were implemented. The classification was designed by the team according to the level of sensitivity, openness and other relevant categories. It was imperative to develop a data classification system adapted to each type of data. 

In concrete terms, this data classification system would be segmented according to these different categories:

• the nature of the data; 
• the sensitivity of the data;
• conditions for accessing, modifying and deleting data according to roles (global administrator, community administrator, user and third parties).

Peer support: A quick way to tackle challenges

LocoMotion called on the Montréal in Common Community of Practice to help them create this data classification system. They asked the following questions:

• How do you classify your data? Do you have a classification system? A suggested format (spreadsheet, app, standard document)? Classification categories?
  
  
• How do you document roles? How do you document access (track it, revoke it if necessary)? Do you know any best practices?
  
  
• How do you ensure that people only have access to data that is strictly necessary for them?

These questions led to the sharing of a data classification model created by Tomat.

Their data classification model was instrumental in assisting LocoMotion with their strategies for mapping all the data on their platform. In particular, the data was classified by category of use, domain (personal, private, public), degree of openness (shared, open, closed) and by roles, where different user profiles give access to different data within the platform depending on each person's role.

Solutions

Thanks to the targeted support, LocoMotion was able to develop its own data management system based on its own categories, including: 

• data sensitivity;
  
  
• data hosting;
  
  
• conditions for accessing, modifying and deleting data according to roles (global administrator, community administrator, user and third parties); 
  
  
• date of archiving and destruction of data; 
• any regulatory obligations to which specific types of data are subject, such as personal information, etc. 

Lessons learned

The first version of the data classification table will be improved to enable better identification of personal information and of any legal obligations that may apply. It would also be beneficial to consider an (updated) privacy policy as well as procedures for the retention and destruction of certain data (in accordance with the law, for example). Finally, it would be useful to specify access according to role, as well as the reasons for granting or denying access.

“Data classification helped us tremendously! It allowed us to get to know our data better, to know what was unnecessary and what we should keep, and we were able to increase security by having better control over access.” - The LocoMotion team

Conclusion

Data classification and the protection of sensitive personal data are fundamental elements of information security in today's digital environment. By understanding the importance of these processes and implementing appropriate security measures, organizations can strengthen data security and guarantee the confidentiality of their customers' and employees' personal information.

About the Montréal in Common Data Governance Workstream

As the lead of the Data Governance Workstream within Montréal in Common, Open North proposes a data governance journey to the innovation community in order to progressively operationalize the principles of the City of Montreal's Digital Data Charter. The program explicitly focuses on collecting, sharing and leveraging data to inform collective and individual decision-making.

Montréal in Common brings together an innovation community led by the City of Montréal, whose partners are experimenting with solutions in food access, mobility and municipal regulations in a desire to rethink the metropolis. Thirteen projects are being implemented as part of Montréal in Common thanks to the $50 million prize awarded to the city by the Government of Canada as part of the Smart Cities Challenge.

Did you like this blog post? Would you like to know more about data governance? Not sure where to start? Find other resources, free training courses and more on our website: https://opennorth.ca/ 

Author: Open North
Research and editorial contributions: Guillaume Carmel-Archambault (LocoMotion), David Gendron (LocoMotion) and Judith François-Langevin (Open North)
We extend our thanks to all our partners and clients, whose work continuously expands and evolves our understanding of data governance and its best practices.