Privacy concerns with cloud in film production

Privacy is much more important today than a few years ago, but what does this mean for a film production company?

First of all, this is not legal advice to others.

Second, we look at individuals involved in film production, not individuals viewing the films, as we so far don’t have a business relationship with them.

Third, before GDPR went into effect, we wrote a privacy policy on the homepage for the film production company, see http://www.artmann.co.uk/quality/legal/gdpr.

Fourth, this is still a small company and you have to take this into account when reading the article.

Fifth, we have internal documentation on how to manage GDPR and privacy.

On a high level, we have a number of different sets of information that includes personal data.

  • Contact information

  • Order history and invoices

  • Production scheduling and locations

  • Media

  • HR related documentation

  • User information and application usage

We have made a qualified assumption that only media and HR-related documentation include sensitive personal information, unless an individual has a protected identity. (We use portrait images both internally and externally, but don’t treat those images as sensitive information.)

We see media as sensitive personal information, as non-fiction can include clips where individuals talk about subjects that are classified as sensitive information.


Films can also contain a variety of exposed bodies, including nudity, and this is also categorized as sensitive personal information. In both cases we have to design for privacy in order to comply with GDPR, even if for some types of productions we don’t need the subject’s permission to manage sensitive personal information.

HR-related documentation can include sensitive personal information, from financial information to health-related information and union membership, so this has to be treated separately.

We store information locally in our office and we store information in the cloud. The cloud providers are

  • EU-companies, with cloud physically located in EU

  • US-companies with cloud physically located in EU

  • US-companies with cloud physically located in US

In order to comply with GDPR, cloud providers outside the EU have to sign Privacy Shield in order to follow the regulations. However, the CLOUD Act in the US is a challenge, and we have to manage this, somehow.

The picture does not describe all cloud services we use today, but gives a good example of our work so far.

The strategy we have is to limit the amount of sensitive personal information to as little as possible. When we manage sensitive personal information, it should be limited to as few systems as possible. Those systems should be local systems and not in the cloud. If they are in the cloud, the data must be encrypted locally, and the keys must not be available to the cloud provider.

One example of the last principle is the cloud backup, where Backblaze doesn’t have the possibility to decrypt the data. Another example is documents in iCloud used by individual employees, where encryption is done locally and the keys are not stored at Apple.

Shared storage outside the office is a mess right now, with use of OneDrive, Dropbox and Google Drive. It works as we have very few users and as long as we ensure that we don’t store sensitive personal information in those folders. We know this is not scalable and that we need a better approach in the near future.

The challenge right now is how to manage things if we get sensitive personal information within Office 365, including OneDrive, as it’s stored in an EU cloud by a US provider. This is one of the reasons why we are slow to implement all parts of the package. The other is the license cost and user management for a huge number of part-time project members.