Scenario

You are the principal consultant for a community based Charity. The Charity is involved in locating and providing accommodation, mental health services, training and support services to disadvantaged people in the community.

The Charity has joined a community cloud provided by a public cloud vendor in order to access a number of applications for their 500 support staff and administrative users. A small number of the Charity's applications are mission critical and the data that those applications use is both confidential and time sensitive.

The community cloud would also be used to store the Charity's 200TB of data. The data would be held in a SaaS database run by the public cloud vendor. The Charity's data contains a considerable amount of confidential information about the people to whom the Charity provides services.

The Charity collects PII data on the clients who use its services so that it can assist them to manage their different service requirements. This PII data also includes holding some digital identity data for some of the more disadvantaged clients, particularly if they also have mental health issues.

The charity has now started its move to the Cloud and is in the process of implementing the following services:
- A SaaS HR and Personnel management suite,
- A COTS Payroll solution that is implemented in the AWS Cloud,
- A PaaS SharePoint platform that forms the basis of the charity's Intranet platform.

You team has workshopped and researched the Threat and Risk analysis for these projects and has developed the policy strategies and controls for Privacy and Data Protection which are required.

The charity has been approached by the Australian Government to trial the centralisation of support services to clients of the charity. This would include such services as income support for clients who are disadvantaged, homeless, or in need of mental health support. Normally, this would require the client interacting with at least three separate government agencies as well as with the charity.

The Government has now decided that they want to centralise the application and continued administration of these services from a number of different agencies into one single portal run by the charity. The Government's strategy is that the process of support applications and administration for virtually all support services follows an almost identical workflow, even though some of the data may differ for different types of services. Their aim is to have a single workflow for all support services, with some additional steps in case of special requirements for a particular type of service. Ultimately, if this trial is successful, the Government will roll out this program to all citizens.

The Government also sees the opportunity to gain a better view of what support services these citizens need, and wants to link that data to other data that they hold about each citizen. In order to achieve this, the Government plans to make the charity's clients register on the MySupport portal and create their own informal digital identity. This will allow all the support services, applications, supporting data, documents, renewal dates, and other associated information for each individual digital identity to be available for viewing on a single page. This data, particularly when linked to a citizen's digital identity, can then be used for more effective planning and decision making by Government and other public agencies.

The plan also has the advantage of simplifying the process of applying for support services and ensuring that they have timely administration for the charity's clients so that they only need to go to a single web portal to acquire the support that they require.

Tasks
After the successful engagement of your team to develop privacy and personal data protection strategies for the charity, the team has now been engaged to develop a Personally Identifiable Information (PII) privacy and personal data protection strategy for the charity.

Team Setup
This assignment is the last of the team assignments for this subject. The rationale for using a team approach is that most IT policy formulations are normally conducted by teams of between 2-5 Architects, Information Security experts, Operations and Business leaders for each problem. You are already assigned to a team and the team, as a whole, will be responsible for the development of the policies.

The task:

Your team is to:

1. Develop a strategy to protect the informal Digital Identity that a user may create in the MySupport portal. You should consider both the privacy and data protection aspects for a digital identity as well as possible controls to mitigate the identified risks. (20 marks)
Create a PowerPoint slide deck that gives a comprehensive overview of the above tasks. This slide deck is not to exceed 7 slides. (10 marks)
Presentation
The team is to submit the following documents to complete this assessment:
- A PowerPoint presentation that gives a comprehensive overview of the four (4) tasks.
o The presentation should be a maximum of 7 slides, including introduction, conclusions and recommendations.
o Each slide should have speaking notes in the Notes section which expand on the information in the slide.
o The slides should give refer to the additional information contained in the appendices.
o Images and quotations used in slides must be referenced on that slide.
o The slide deck does not require a reference list.
- The Digital Identity is to be attached in a separate Word document marked as Appendix C. This document should be fully referenced in APA 6th edition format, and should not exceed 5 pages.