Recording personal data directly on a blockchain is hard to reconcile with Spanish data-protection legislation, according to a new report, which also stresses that a blockchain depends on other mechanisms to reach adequate security.

The Spanish Data Protection Agency (AEPD), the official supervisory authority, advises against using a blockchain or other distributed databases to record sensitive personal data. Such data should be kept off the chain.

The comments on blockchain and the handling of personal data appear in a report on how different technologies serve as tools in public administration for protecting citizens' data.

Although the agency considers that blockchain could be made to fit the appropriate provisions and protocols, “it is necessary to avoid the publication of personal data on the blockchain; it should be hosted off-chain, in traditional databases or other information systems of the person in charge”.

Where recording personal data on a blockchain cannot be avoided, appropriate cryptography must be used to encrypt the data and guarantee its confidentiality.

In any case, the information written to the blockchain should be kept to the minimum possible, so that the data is protected by default by the insertion protocol (what is allowed on-chain at all) rather than by relying entirely on the technology that stores it.
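The three recommendations above (keep personal data off-chain, protect anything that must go on-chain cryptographically, and minimise what is written) can be combined into one pattern: the chain holds only a keyed commitment to a record, the record itself lives in a conventional database that the controller can delete from. The following is an added illustration, not code from the AEPD report; the toy hash-chained `Ledger`, the `OffChainStore`, the HMAC-with-random-key commitment and the fictitious DNI `12345678Z` are all assumptions made here. It also shows why a bare hash of a low-entropy identifier is not a substitute: the space of well-formed Spanish DNIs is small enough to enumerate, so an unkeyed hash can be reversed by guessing, while the keyed commitment cannot.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Standard check-letter table for a Spanish DNI: letter = table[number % 23].
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"


def dni_check_letter(number: int) -> str:
    return DNI_LETTERS[number % 23]


def dni_candidates(start: int, stop: int) -> Iterable[bytes]:
    """Enumerate well-formed DNIs in a numeric range (the brute-force dictionary)."""
    for n in range(start, stop):
        yield f"{n:08d}{dni_check_letter(n)}".encode()


class Ledger:
    """Toy append-only, hash-chained ledger standing in for a blockchain (constructed)."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def append(self, payload: bytes) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else b"\x00" * 32
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": hashlib.sha256(prev + payload).digest()})
        return len(self.blocks) - 1

    def payload(self, index: int) -> bytes:
        return self.blocks[index]["payload"]


class OffChainStore:
    """Conventional database under the controller's control: rows can be deleted."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}


def register(ledger: Ledger, store: OffChainStore, record_id: str, personal_data: bytes) -> int:
    """Keep the personal data off-chain; publish only a keyed commitment on-chain.

    A fresh random key per record makes the commitment unlinkable to the data
    without the off-chain row, unlike a bare hash, which anyone can test guesses against.
    (Assumed design: HMAC-SHA256 as the commitment; a real deployment would also
    encrypt the off-chain row at rest.)
    """
    key = secrets.token_bytes(32)
    commitment = hmac.new(key, personal_data, hashlib.sha256).digest()
    store.records[record_id] = {"key": key, "data": personal_data}
    return ledger.append(commitment)


def verify(ledger: Ledger, store: OffChainStore, record_id: str, index: int) -> bool:
    """Check that the off-chain row matches what was committed on-chain."""
    rec = store.records.get(record_id)
    if rec is None:
        return False
    expected = hmac.new(rec["key"], rec["data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ledger.payload(index))


def erase(store: OffChainStore, record_id: str) -> None:
    """Deleting the off-chain row (data and key) ends the data's visibility; the
    immutable on-chain commitment remains but is now just a random-looking 32 bytes."""
    store.records.pop(record_id, None)


def recover_by_enumeration(target: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """What an attacker does to an unkeyed hash of a low-entropy identifier."""
    for c in candidates:
        if hashlib.sha256(c).digest() == target:
            return c
    return None


def demo() -> dict:
    ledger, store = Ledger(), OffChainStore()
    number = 12345678  # constructed, fictitious data subject
    dni = f"{number:08d}{dni_check_letter(number)}".encode()
    index = register(ledger, store, "subject-1", dni)
    verified_before = verify(ledger, store, "subject-1", index)
    erase(store, "subject-1")
    verified_after = verify(ledger, store, "subject-1", index)
    # A bare SHA-256 of the DNI written on-chain stays "anonymous" only until
    # someone enumerates the small space of valid DNIs around the victim's number.
    naive_on_chain = hashlib.sha256(dni).digest()
    return {
        "verified_before": verified_before,
        "verified_after": verified_after,
        "blocks_on_chain": len(ledger.blocks),
        "naive_hash_recovered": recover_by_enumeration(naive_on_chain, dni_candidates(12340000, 12350000)),
        "commitment_recovered": recover_by_enumeration(ledger.payload(index), dni_candidates(12340000, 12350000)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the per-record key is twofold: it keeps the on-chain value from being a dictionary-attackable hash of the identifier, and it gives the controller a deletion lever that immutability does not take away, since destroying the off-chain row (sometimes called crypto-shredding when the row is ciphertext and only the key is destroyed) leaves nothing on-chain that can be tied back to the person.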

This observation reflects the fact that a distributed network requires continual configuration and evaluation: the consensus mechanism, the cryptography and the parameters governing interaction between participants must all be clearly defined to reduce the risk of data manipulation.

The report also notes that a distributed database does not, on its own, protect the data recorded in it; blockchain must be combined with other technical measures to be fully secure.

Legal Regulations, a Great Question

According to the report, the compatibility of a blockchain with the provisions of the General Data Protection Regulation (GDPR), which governs this activity, should be tested continually.

The AEPD suggests paying close attention to the section on “Responsibility for processing” (the “treatment” of data, in the report's Spanish terminology), which determines who is responsible for the data that is inserted into a registry.

The organisation notes that a blockchain makes it difficult to identify its participants, which is undesirable here: where personal data is concerned, one must know who handles the information inserted in it.

Another relevant aspect the AEPD asks to be clear about is that personal data should not remain visible for longer than necessary.

The immutability of some blockchains, together with their transparency, makes it difficult for such data to be removed or hidden once it has been definitively recorded by whoever operates the chain.

They also discuss confidentiality as a crucial factor in whether personal data can be recorded on a blockchain at all. The reason is obvious: the information would reach several network participants.

For the same reason, node availability determines how accessible the information is at any given moment, since there is usually no guarantee that the nodes will stay connected and keep the information available to those who need it, when they need it.

Finally, they point out that connectivity between the nodes of the network can amount to an international transfer of data, which conflicts with the legislation. The agency recommends building the principles of privacy and confidentiality into the initial design of the network, together with its governance model.

By: Jenson Nuñez.
