|
| 1 | +--- |
| 2 | +title: Production Environment Tools & PII Handling |
| 3 | +sidebar_position: 1 |
| 4 | +--- |
| 5 | + |
| 6 | +# Production Environment Tools & PII Handling |
| 7 | +# 1. Purpose |
| 8 | + |
| 9 | +This standard defines minimum security and privacy expectations for developers when using third-party tools (like Postman) to access Hackney’s production environments or interact with Personally Identifiable Information (PII). |
| 10 | + |
| 11 | +The goal is to reduce the risk of exposing sensitive resident data through insecure or inappropriate tooling. |
| 12 | + |
| 13 | +# 2. Scope |
| 14 | + |
| 15 | +Applies to all Hackney Council staff, contractors, and third parties who access production environments or handle production data containing PII. |
| 16 | + |
| 17 | +Covers all development, testing, debugging, or API interaction tools used in production contexts. |
| 18 | + |
| 19 | +# 3. Requirements |
| 20 | + |
| 21 | +## Tool Usage in Production Environments |
| 22 | + |
| 23 | +### Prohibited Use of Unvetted Tools |
| 24 | + |
| 25 | +Developers **must not** use third-party tools to access production environments or handle production PII unless they have a clear and documented understanding of how the tool manages, stores, and transmits data, and are satisfied that its use aligns with Hackney’s security and data protection standards. |
| 26 | + |
| 27 | +Where a new tool is approved for use, supporting evidence of this assessment **must** be recorded in the [Hackney Service Catalogue](https://docs.google.com/spreadsheets/d/1QoinQ9Yvlr4gvUoROYAA8vDWOWyXw7-vokZmPEH296A/edit?gid=1633075159#gid=1633075159) in columns Q to U. |
| 28 | + |
| 29 | +### Approval Process for New Tools |
| 30 | + |
| 31 | +Before using any new tool in a production environment — particularly where it may interact with PII — developers **must** complete the [Developer Tool Assessment Checklist](https://forms.gle/j9fWxAHvHdMrZ8wq8). |
| 32 | + |
| 33 | +Once the checklist is submitted: |
| 34 | + |
| 35 | +- The developer **must** notify the Head of Engineering, who will review the responses for overall suitability. |
| 36 | +- If the tool is approved, the developer **must** add it to the [Hackney Service Catalogue](https://docs.google.com/spreadsheets/d/1QoinQ9Yvlr4gvUoROYAA8vDWOWyXw7-vokZmPEH296A/edit?gid=1633075159#gid=1633075159) along with all supporting evidence, such as privacy policies, configuration screenshots, or network behavior logs. This is so that its use is documented and visible to relevant teams. |
| 37 | + |
| 38 | +### Assessment Criteria for Tool Approval |
| 39 | + |
| 40 | +When assessing a tool for use in production environments with PII, the following minimum requirements apply: |
| 41 | + |
| 42 | +1. The tool **must not** store request or response data in external or cloud environments unless this has been formally reviewed and approved. |
| 43 | +2. If the tool stores data locally, it **must** provide controls to securely manage and delete this data. |
| 44 | +3. The tool **must** encrypt data in transit (e.g. using HTTPS/TLS) when communicating with production systems. |
| 45 | +4. If the tool stores data at rest (locally or remotely), it **must** use encryption for that stored data. |
| 46 | +5. The tool **must not** retain sensitive data longer than necessary for the task being performed. Where the tool is cloud-based or connects to external services, it **must** provide a clear and accessible privacy policy explaining data retention periods, storage locations and third party access. |
| 47 | +6. The tool **must** provide mechanisms to restrict access to sensitive data, such as user authentication and role-based access control, especially for tools used by multiple developers in differing teams. |
| 48 | +7. Where the tool collects telemetry, usage data, or analytics, this functionality **must** be disabled. |
| 49 | + - If this is not possible, the tool **must** be reviewed and approved before use with production systems or data. |
| 50 | +8. Where audit logging exists within a tool, logging of sensitive data (such as request and response bodies) **must** be disabled. |
| 51 | + - If this is not possible, the tool **must** be reviewed and approved before use with production systems or data. |
| 52 | + |
| 53 | +# Communication and Developer Awareness |
| 54 | + |
| 55 | +## Responsibility for Communication |
| 56 | + |
| 57 | +The Head of Engineering **must** ensure this standard is communicated across all development teams, including internal staff, contractors, and third-party developers. |
| 58 | + |
| 59 | +# Appendix A - Example: Postman |
| 60 | + |
| 61 | +## Risk Summary |
| 62 | + |
| 63 | +Postman automatically stores API request and response data locally and in the cloud (depending on settings), including headers, parameters, and body content that may contain PII. |
| 64 | + |
| 65 | +| Tool | Risk Description | Assessment | |
| 66 | +|---------|------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| |
| 67 | +| Postman | Persistent storage of API requests, headers, and bodies by default. Risk of exposing PII locally or to Postman’s cloud infrastructure. | Not approved for use with production PII | |
| 68 | + |
| 69 | +This result would then be recorded in the [Risk Log](https://docs.google.com/spreadsheets/d/1UGbxoImySTqDLUWc1Ifbp61iN3uLjfRBaK4lvyZ55Bo/edit?gid=0#gid=0) |
0 commit comments