(Redrafted for Alignment with Data Operations Plan)
Key Takeaways
- Role-Based Access Control (RBAC): Access to sensitive data is restricted based on roles, geography, and organisational requirements.
- Secure-by-Design Principles: All systems and reports are developed with confidentiality, integrity, and availability in mind.
- PII Protection: Steps are taken to obfuscate, pseudonymise, or anonymise personally identifiable information (PII) to ensure privacy and compliance.
- National Data Restrictions: The Global Data Warehouse will not access or store nationally protected data or data with residency/sovereignty conditions.
- Row-Level Security (RLS): Geographic and role-based filters ensure users only see data relevant to their responsibilities.
9.1 Security and Access Control Requirements
- Role-Based Access Control (RBAC): Implement controls to restrict access to sensitive data. Ensure secure data transmission and storage.
- Collaboration and Sharing: Enable users to share reports and insights securely, with options for exporting data in approved formats.
- User Accessibility: Ensure users can easily access relevant reports through a user-friendly interface tailored to their roles.
9.2 Security and Controlling Access
All of our systems, data sources, data warehouses, data marts and reports are developed with confidentiality, integrity and availability (the CIA Triad) in mind. The CIA Triad is a core concept in Information Security, underpinning standards such as ISO 27001 and data protection regulation such as the EU GDPR.
Application-Level Security
Security is managed individually for each application. Wherever possible, segregation of duties and access controls are implemented to maintain data integrity and validity.
Global Data Warehouse Security
The Global Data Warehouse will not store or process nationally protected data or data subject to residency/sovereignty conditions.
Security and Access Principle 1:
For the avoidance of doubt, BMT will not share any nationally protected data or data with specific residency or sovereignty requirements. The Data Warehouse will focus on holding BMT Management Information, along with employee and customer data necessary for legitimate business purposes.
The Global Data Warehouse will employ secure-by-design principles to ensure:
- Access to the Data Warehouse is restricted to a core team in GBS IT.
- Changes to Data Models and Data Mart views are limited to the Data Engineering Team.
- All data transfers are secured using Secure File Transfers, protected APIs, or Secure Gateways.
Data Marts Security
Access to Data Marts is designed to:
- Promote broader use of reports while protecting sensitive data such as PII.
- Obfuscate, anonymise, or pseudonymise data in Data Mart views as required.
Examples:
- A utilisation report shows employee absences but obfuscates specific reasons (e.g., stress, injury), summarising data into general categories such as “Sick Leave.”
- Regional management packs summarise employee trends without revealing individual details.
Security and Access Principle 2:
Data Mart views will obfuscate, anonymise, or pseudonymise data as required.
Business Reports Security
Business Report Security has been developed using Secure-by-Design principles; reports use geography and role to determine access.
All Business Reports whether in Power BI, In-System Reports or In-System Lobbies will use Role Based Access. Some reports will be available to all employees.
Row Level Security is used to filter the content within a Business Report. Typically this is used to limit regional data to a particular region, enabling a single Business Report to be both Global and Regional concurrently.
Microsoft Entra identities are used to:
- Synchronise access with the Global Tenant.
- Enable Row Level Security (RLS) for geographic or departmental restrictions.
Security and Access Principle 3: Role Based Access and Row Level Security on Business Reports
Role-based access ensures permanent BMT employees only see reports aligned with their job functions. Data may be filtered further by region, country, or legal entity.
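The Data Mart obfuscation described under Principle 2 (absence reasons summarised into "Sick Leave") and the Row Level Security described under Principle 3 (regional filtering of a single global report) are shown together below as an added example. It is not part of this plan and not BMT's own code: it assumes a constructed HR absence table, a placeholder pseudonymisation key held only by the Data Engineering team, and a small user-to-region map standing in for Microsoft Entra group membership. SQLite stands in for the warehouse engine so the example runs offline.

```python
"""Data Mart pseudonymisation and Row Level Security, demonstrated in SQLite.

Added example, not BMT's own code. Assumes a constructed HR absence table,
an HMAC key held only by the Data Engineering team, and a user-to-region map
standing in for Microsoft Entra group membership.
"""
import hashlib
import hmac
import sqlite3

# Constructed sample data: a raw HR absence table as it might land in the
# warehouse. Names, ids and reasons are invented.
RAW_ABSENCES = [
    # employee_id, name, region, legal_entity, reason, days
    (1001, "Alice Example", "UK", "BMT Ltd", "stress", 5),
    (1002, "Bob Sample", "UK", "BMT Ltd", "injury", 3),
    (1003, "Carol Test", "APAC", "BMT Pty", "flu", 2),
    (1004, "Dan Demo", "APAC", "BMT Pty", "annual leave", 10),
    (1005, "Eve Mock", "AMER", "BMT Inc", "parental leave", 20),
]

# Mapping from sensitive absence reasons to the general categories the
# utilisation report is allowed to show. Unknown reasons fall back to "Other"
# so a new HR code never leaks through unmapped.
REASON_CATEGORY = {
    "stress": "Sick Leave",
    "injury": "Sick Leave",
    "flu": "Sick Leave",
    "annual leave": "Annual Leave",
    "parental leave": "Family Leave",
}

# Assumption: the pseudonymisation key lives with the Data Engineering team and
# is never shipped to report consumers. Placeholder value for the example.
PSEUDONYM_KEY = b"example-key-held-by-data-engineering"

# Stand-in for Microsoft Entra group membership: which regions each user's
# role entitles them to see.
USER_REGIONS = {
    "uk.manager@example.invalid": {"UK"},
    "apac.manager@example.invalid": {"APAC"},
    "global.hr@example.invalid": {"UK", "APAC", "AMER"},
}


def pseudonymise(employee_id: int) -> str:
    """Keyed hash of the employee id: stable for joins, not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, str(employee_id).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def categorise(reason: str) -> str:
    """Collapse a specific absence reason into a general reporting category."""
    return REASON_CATEGORY.get(reason.lower(), "Other")


def build_warehouse() -> sqlite3.Connection:
    """Load the raw table and define the Data Mart view over it."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("pseudonymise", 1, pseudonymise)
    conn.create_function("categorise", 1, categorise)
    conn.execute(
        "CREATE TABLE hr_absence (employee_id INTEGER, employee_name TEXT, "
        "region TEXT, legal_entity TEXT, reason TEXT, days INTEGER)"
    )
    conn.executemany("INSERT INTO hr_absence VALUES (?, ?, ?, ?, ?, ?)", RAW_ABSENCES)
    # The Data Mart view is what report designers get: no name and no raw
    # reason, but region and legal entity retained so RLS can filter on them.
    conn.execute(
        "CREATE VIEW dm_absence_utilisation AS "
        "SELECT pseudonymise(employee_id) AS employee_key, region, legal_entity, "
        "categorise(reason) AS absence_category, days FROM hr_absence"
    )
    return conn


def data_mart_rows(conn: sqlite3.Connection) -> list:
    """Everything a report designer can see through the Data Mart view."""
    return conn.execute(
        "SELECT * FROM dm_absence_utilisation ORDER BY employee_key"
    ).fetchall()


def report_rows(conn: sqlite3.Connection, user: str) -> list:
    """Row Level Security: the same global report, filtered to the user's regions."""
    regions = USER_REGIONS.get(user)
    if not regions:
        return []  # unknown user or no role: show nothing rather than everything
    placeholders = ",".join("?" * len(regions))
    return conn.execute(
        "SELECT region, absence_category, SUM(days) FROM dm_absence_utilisation "
        f"WHERE region IN ({placeholders}) GROUP BY region, absence_category "
        "ORDER BY region, absence_category",
        sorted(regions),
    ).fetchall()


if __name__ == "__main__":
    db = build_warehouse()
    for row in data_mart_rows(db):
        print(row)
    print(report_rows(db, "uk.manager@example.invalid"))
```

Two design points carry over to a real deployment: the raw `hr_absence` table is never exposed, only the view, so the specific reason and the employee's name are not available to any report even if the RLS filter is misconfigured; and a user with no role mapping gets an empty result rather than an unfiltered one, which is the failure mode to insist on. In Power BI the region filter would be expressed as a role with a DAX filter on the region column bound to the signed-in Entra identity rather than as a `WHERE` clause, but the shape is the same.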
9.3 Personally Identifiable Information
To meet national Data Protection requirements and maintain compliance with data privacy regulations, only the minimum necessary Personally Identifiable Information (PII) should be shared into the Data Warehouse. Where there is a legitimate business need to consolidate and process PII, we will ensure that PII is processed and accessed only when absolutely necessary and with appropriate safeguards by:
- Data Segregation: Creating dedicated pipelines, Data Marts, Workspaces, and Reporting structures for handling PII, ensuring tighter access controls.
- Access Controls: Implementing separate security groups with restricted access to reports and datasets containing PII. Only authorised individuals with a clear business requirement will have access to this information.
- Row-Level Security (RLS): Tagging global datasets with region, legal entity, or team so that report designers can apply policy-based restrictions and users can only access data relevant to their role, effectively hiding unrelated PII.
- Data Protection Impact Assessment (DPIA): For reports or processes involving PII, conducting a DPIA to assess and mitigate risks, ensuring that privacy concerns are identified and addressed proactively.
Security and Access Principle 4: Restricted Access to Personally Identifiable Information (PII)
PII is shared only when absolutely necessary. For reports requiring PII, dedicated pipelines, Data Marts, workspaces, and access controls are implemented.