De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act

Mark, Stephen John

Title: De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act
Creator: Mark, Stephen John
Subject: Data processing
Subject: Information technology -- Security measures
Subject: Computer security -- South Africa
Subject: Data protection -- Law and legislation -- South Africa
Subject: Data encryption (Computer science)
Subject: Python (Computer program language)
Subject: SQL (Computer program language)
Subject: Protection of Personal Information Act (POPI)
Date Issued: 2018
Date: 2018
Type: text
Type: Thesis
Type: Masters
Type: MSc
Identifier: http://hdl.handle.net/10962/63888
Identifier: vital:28503
Description: Encryption of Personally Identifiable Information stored in a Structured Query Language Database has been difficult for a long time. This is owing to block-cipher encryption algorithms changing the length and type of the input data when encrypted, which cannot subsequently be stored in the database without altering its structure. As the enactment of the South African Protection of Personal Information Act, No 4 of 2013 (POPI), was set in motion with the appointment of the Information Regulators Office in December 2016, South African companies are intensely focused on implementing compliance strategies and processes. The legislation, promulgated in 2013, encompasses the processing and storage of personally identifiable information (PII), ensuring that corporations act responsibly when collecting, storing and using individuals’ personal data. The Act comprises eight broad conditions that will become legislation once the new Information Regulator’s office is fully equipped to carry out their duties. POPI requires that individuals’ data should be kept confidential from all but those who specifically have permission to access the data. This means that not all members of IT teams should have access to the data unless it has been de-identified. This study tests an implementation of the Fixed Feistel 1 algorithm from the National Institute of Standards and Technology (NIST) “Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation : Methods for Format-Preserving Encryption” using the LibFFX Python library. The Python scripting language was used for the experiments. The research shows that it is indeed possible to encrypt data in a Structured Query Language Database without changing the database schema using the new Format-Preserving encryption technique from NIST800-38G. Quality Assurance software testers can then run their full set of tests on the encrypted database. There is no reduction of encryption strength when using the FF1 encryption technique, compared to the underlying AES-128 encryption algorithm. It further shows that the utility of the data is not lost once it is encrypted.
Format: 110 pages
Format: pdf
Publisher: Rhodes University
Publisher: Faculty of Science, Computer Science
Language: English
Rights: Mark, Stephen John

Hits: 3200
Visitors: 3428
Downloads: 483

Collections

RU Department of Computer Science

		Thumbnail	File	Description	Size	Format
View Details Download			SOURCE1	Adobe Acrobat PDF	3 MB	Adobe Acrobat PDF	View Details Download