Data privacy … right about now, some of you will roll their eyes, because data privacy has been a constant topic in business operations for a few years now, and for some it’s like a red flag. But we believe it does not have to be this way!
We’re sure you’ve heard of big players like Google, British Airways and Marriott, which received multi-million fines in recent years for data protection violations in their respective countries.
Every company wants to protect the data of its employees and customers, but often they find themselves facing hurdles, legal no-man’s land and supposedly complex tasks on the way to becoming GDPR-compliant. Many organizations do not even know what data protection should look like for them, or whether data breaches already exist. This is especially the case when modern tools like Jira and Confluence are used by thousands of users holding millions of data records.
Different countries have decided on extensive rules for data protection. In Europe it’s known as GDPR, in Germany as DSGVO, in the U.S. it’s called CCPA, in Brazil LGPD, to mention only a few. Specifically for healthcare, the U.S. has passed a law called HIPAA. Companies working in healthcare should therefore check whether their Jira and Confluence instances are HIPAA-compliant.
HIPAA (Health Insurance Portability and Accountability Act) was passed in 1996. It regulates the protection of patient data, also called PHI (Protected Health Information). PHI is comparable to PII (personally identifiable information), but relates to health claims. It is the most sensitive data out there. Examples include:
Credit card numbers
Social security card numbers
Health insurance numbers
Bank account details
Fingerprints, voice recordings and retinal prints
Medical record numbers
And many more
PHI relates to past, current or future medical information, treatments or payments in healthcare.
Atlassian’s tools Jira and Confluence are used by companies worldwide for many use cases. Some use them for internal purposes only, to plan projects, run campaigns and create content; others use them for customer requests, bookings etc.
Whether used internally or externally, personal data is stored at all times, either employees’ or customers’.
A practical example in healthcare:
A customer has a request concerning his health insurance and sends an e-mail. In this e-mail he mentions his birthday and his insurance number and attaches a medical record from a doctor. Inside the insurance company, this e-mail is used to create a Jira ticket, which customer service takes care of. The employee handling it is able to access the database with all medical records and payments of this customer.
As you can see, a simple e-mail in healthcare can contain sensitive data about a patient. Breaches could lead to immense damage. This is why acts like HIPAA were passed.
Quick answer: no. Jira and Confluence, as tools, can never be data privacy compliant, not for HIPAA or any other law. Atlassian is not subject to HIPAA (Atlassian is not defined as a “covered entity”). But even if it were, your individual, company-wide Jira instance could be full of data breaches for which only you are responsible. Every company also has its own data privacy rules, which are linked to the data privacy laws of the respective country, and tools like Jira and Confluence could never cover all of them. This is where data protection officers or administrators come in, who take care of ensuring data privacy for their instances.
To make sure that extensive tools like Jira and Confluence are data privacy compliant, you need experts in this field (DPOs or administrators). And even they should take advantage of data privacy tools, which make finding and anonymizing personal data easier. This is where Actonic’s apps GDPR (DSGVO) and Security for Jira and Confluence come in handy.
Our apps support your DPOs and administrators in defining and finding PHI and anonymizing it. They can do so using one of the many built-in templates or by defining individual rules.
To avoid PHI being inserted again, you can also set up alerts, which notify you as soon as PHI is created in Jira tickets or on Confluence pages (currently available in Cloud, coming soon for Server / Data Center). This saves you the hassle of looking for sensitive data manually and makes the anonymization process much quicker.
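To illustrate the rule-based find, anonymize and alert workflow described above, here is a small added example that is not Actonic’s app code: the detection patterns, the insurance number format, the salt and the ticket text are all constructed for this illustration.

```python
import re
from hashlib import sha256

# Rules standing in for the post's "templates" and "individual rules"; every pattern is constructed for this example, not Actonic's.
PHI_RULES = {
    "ssn":            re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card":    re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),   # 13-16 digits, ends on a digit
    "insurance_no":   re.compile(r"\b[A-Z]{2}\d{8}\b"),          # assumed insurer format
    "medical_record": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
    "birth_date":     re.compile(r"\b\d{2}\.\d{2}\.\d{4}\b"),    # DD.MM.YYYY
}

def luhn_ok(digits: str) -> bool:
    """Checksum that rejects digit runs which are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_phi(text: str) -> list:
    """Return (kind, start, end) for every rule hit, lowest offset first."""
    hits = []
    for kind, pat in PHI_RULES.items():
        for m in pat.finditer(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue  # digit run that fails the checksum: not a card number
            hits.append((kind, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def anonymize(text: str, salt: bytes = b"constructed-salt") -> str:
    """Replace each hit with a salted hash token: equal values map to equal
    tokens across tickets, but the original value cannot be read back."""
    out, pos = [], 0
    for kind, start, end in find_phi(text):
        if start < pos:  # overlapping hit already covered
            continue
        token = sha256(salt + text[start:end].encode()).hexdigest()[:8]
        out.append(f"{text[pos:start]}[{kind}:{token}]")
        pos = end
    return "".join(out) + text[pos:]

def alert_kinds(text: str) -> set:
    """What an alert on a new ticket or page would report: the PHI kinds found."""
    return {kind for kind, _, _ in find_phi(text)}

# Constructed ticket text, modelled on the insurance request in the post.
TICKET = ("Customer born 12.03.1975, insurance number AB12345678, asks about a claim. "
          "Doctor's report MRN-0045321 attached. Card 4111 1111 1111 1111 on file.")
```

Running `anonymize(TICKET)` leaves the sentence readable while every hit becomes a `[kind:token]` placeholder, and `alert_kinds(TICKET)` is what a creation alert would report.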
If you have any open questions, please feel free to contact me!
Andreas Springer _Actonic_
Head of Marketing