Jira / Confluence / Bitbucket: what kind of personal data is logged (GPDR)

Alexander, thank you very much for taking so much time, i really appreciate it.

This definiately helps us.

Mirek, thank you for your reply,

i did check out the guide and what i am trying to find out:

Why does the guide not mention technical logs?

Eveeryone understand GDPR regulations differently so you need to focus on the articles. In JIRA logs nothing can clearly identify you as you by name, email or phone. This is personal data which GDPR is protecting.

hmmm....

To me this excerpt from our atlassian-jira.log dientifies me pretty clearly

2018-05-29 17:15:57,701 http-nio-8080-exec-8077 WARN j.kisters 1935x1119412x1 191yscl 89.246.xx.xx,127.0.0.1 /browse/ISS-123

Not quite .. It does not say Jens Kisters that live in here and here.. have this email address .. etc. It just say j.kisters which mith be Jeo Kisters, Jurgen Kisters, Jerremy Kristerson.. etc. It does not CLEARLY identify you as you.. If you provide this log to me I cannot directly say that is you. That is main point of GDPR regulations. Username is not a personal data. Overall it is up to the admin of JIRA or AD (LDAP) where this information is stored and this is where GDPR regulations should be checked. Your login might be "j.kist", "jk" or "abc12141", but this is not a personal data like social number of address where you live. In JIRA those information are not stored and you do not need to fill them when you create an account.

This wont help for enough cases, even if the username doesn not contain a link to the identity, as long as the user is not anomized / deleted you can find out who this username belongs to and thus find out what he has been doing and know he was somewhere where he has access to the system.

Hmm.. How you can find out easily to who this username belongs to? :) In JIRA there are not PERSONAL data stored. If this is stored somewhere is it is In AD (LDAP) and administrator of this system is responsible for personal data and count towards GDPR regulations. Let me underline again very important point... In the logs by default there are NO personal data stored that can in 100% clearly identify you as you. Don't assume that you can use some information to check in other system who you are because even you would not be able to spell your name publicly since someone could find you in the Internet or some other system. GDPR counts towards places where the information is stored like a database and you put your personal data there and click that you accept to store it under some policy. If you create an account in JIRA you do not need to fill your address, social number, or anything else.. Your company store this for example in AD and if you want to remove your data it will be removed there and even if someone will have your username found in the logs and will try to find info about you he will not achieve it.

What you two are discussing here right now is the difference between indirect and direct personal data. Login names, display names, screen names and nicknames count toward indirect personal data and so GDPR applies to them, sadly.

Also, it is not correct, that Jira does not save personal data. First of all, not every instance uses an AD or LDAP server and uses Jira as its own user directory. And even if you use AD/LDAP, information is synced between them and Jira.

With the login name, e.g. from the log files, you are able to identify the internal user identifier, which is directly the login name or another key. The user identifier on its own may not have a meaning, but when it is used in a registry (e.g. LDAP/AD/User Directory) to identify a person, the key becomes personal data in all contexts.

And under this perspective, Jira stores a lot of personal data. See alone: 

https://confluence.atlassian.com/adminjiraserver071/monitor-a-user-s-activity-802592329.html

@Alexander KuekenThank you for jumping in however you actually did not catch my point. If you are sure that username or nickname count please provide an article that clearly define that as a personal information and we can refer to it. I did not find anything like that. Maybe I missed it. Thanks!

For me this GDPR only applies to a system where data is actually stored not somewhere else when you can search for it because you know an username.. if you use AD it is stored there and AD system admin is responsible for keeping it safe.. if using only JIRA a local user management system then when you create and account you do not need to provide any personal data. Atlassian itself do not need your personal data to create an account.

The ability to search in other systems information that you know is not a same as having a database with many personal information and being an data administrator of a specific system.

@Mirek Sure, the main definition comes from the GDPR itself, see Article 4(1) and Recital 26:

• http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm
• http://www.privacy-regulation.eu/en/recital-26-GDPR.htm

Especially Recital 26 is interesting in combination with Article 4(5). Even if you see the username or user identifier as pseudonymisation, it should be considered as personal data.

The problem is, the definitions in the GDPR are very broad and open, and there is a lot of legal uncertainty. For that reason, most organizations refer to the PII and SPI definition of NIST: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"

Overall I would be with you if Jira would use only online access to the AD or LDAP. But instead Jira "caches" the user information like username and e-mail addresses. But "cache" is misleading in this context, as Jira synchronizes the user information from the AD/LDAP and persist it in its own database:

https://confluence.atlassian.com/adminjiraserver/synchronizing-data-from-external-directories-938847064.html

But, from my point of view, you would be right, if you do not store any direct personal data, like the full name or the e-mail address in the internal or external directory. And yes, you are correct, you are not forced to provide this information in order to use Jira. At least if you are OK with it, that certain functionalities are not working, e.g. e-mail notifications or a lot of add-ons.

Overall do not get me wrong, from my point of view all this usage of personal data in Jira is legal. The GDPR is about minimization of the personal data you store and process, or Datensparsamkeit as we say here. It is not about getting rid of any personal data. And a lot of people seem to forget, that the GDPR lives beside and not prior other laws and regulations.

That also applies to Jens original questions about the log files. They are needed for multiple reasons. The GDPR just postulate you have to document the existence of this data, how you process it and what it is used for. And having processes in place to delete the data if needed and providing the user the data, if he asks for, and so on.

Exactly! "The problem is, the definitions in the GDPR are very broad and open, and there is a lot of legal uncertainty". And we both agree with this. That is why I mentioned that everyone understand GDPR regulations differently. It is like with other law and regulations. If there is a problem you meet at court :)

Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. From JIRA is it hard to simply click on username and get info from AD about specific person, since AD is protected and even if you do not know where is located you cannot get directly this info..

On the other hand.. overall article says "This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes." You simply say it is for information or statistical (like logs might be) and you are done.. 

Either way .. GDPR have one big advantage.. People start discussing about protecting data. Data privicy started to become more crucial than before. People provide data everywhere without even thinking how are those used and later are shocked that someone could use it in a way that they did not wanted to or share with others without approval.

Thank you for a good discussion! :)