JIRA: Right of access by the data subject

Jira Core、Jira Software、Jira Service Desk の Server および Data Center 向け GDPR サポート ガイド

このページの内容

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

GDPR 第 15 条において、個人は自身に関連するどの個人データが処理されているか、およびその処理の正当性を把握する権利を有します。GDPR では、要求に応じ、この情報を個人に提供するするための正当な手順を踏む必要があります。製品内に保存されている個人データへのアクセス権を個人に提供する必要があるかどうか、およびその処理の妥当性はケースバイケースで異なり、判断を行う際には弁護士に意見を求めることをおすすめします。製品を通じて処理された個人データへのアクセス権を個人に提供する義務があると判断された場合、特定のアトラシアン製品でこれを行う方法について、以降の手順をご確認ください。

説明

Personal Data (PD) for a specific user can be spread across multiple components of JIRA. In this article, we'll detail how to locate and access this data, and we'll also provide workarounds for you, to ensure that you can access all personal data for a specific user if required.

JIRA Core and JIRA Software

Below is a list of key data held by JIRA Software and/or JIRA Core versions 7.0 and above, in a default configuration:


Where JIRA can store PDStorage
location		Accessible Via目的
1Issue Assignee and Reporter Fieldsデータベース
  • UI
  • REST API
  • データベース
  • Tracks the initial reporter of an issue and the current assignee.
  • These fields contain the username, display name and email address of users.
2

Issue Summaries, Descriptions, and Comments


データベース
  • UI
  • REST API
  • データベース
  • These are free-text fields that users can populate with any arbitrary information, including personal data.
  • Users can '@mention' other users in the system to notify them, which will reveal the display names for those users.
3Issue Worklogsデータベース
  • UI
  • REST API
  • データベース
  • Worklog descriptions are free-text fields intended for users to annotate their work.
  • Users can populate the worklog description field with any arbitrary information, including personal data.
  • More information in Logging work on issues
4Issue Historyデータベース
  • UI
  • REST API
  • データベース
  • Tracks changes to fields and who made them.
5Issue Activityデータベース
  • UI
  • データベース
  • Tracks changes to fields and who made them.
  • Includes comments, which may contain further personal data.
6カスタム フィールドデータベース
  • UI
  • REST API
  • データベース
  • Text fields and third-party fields can contain any arbitrary information, including personal data.
  • User picker fields can contain usernames and full names.
  • Custom field data can be included in Jira's index.
7Saved JQL Filtersデータベース
  • UI
  • REST API
  • データベース
8Lucene Documentsファイルシステム
  • ファイル システム
  • When an issue is created or modified in JIRA, a Lucene document is created that contains the contents from the fields from that issue.
  • Lucene documents are added to Jira's index on a per-issue basis during a reindexing operating.
  • More information in Understand the index process in Jira server
9添付ファイルファイルシステム
  • UI
  • REST API
  • ファイル システム
  • Attachments are documents, images, or screenshots that are attached to issues.
  • Attachments may contain any arbitrary information, including personal data.
  • More information in Attaching files and screenshots to issues.
10

アプリケーション ログ

  • atlassian-jira.log
  • atlassian-jira-security.log
  • access_log
  • catalina.out
ファイルシステム
  • ファイル システム
  • Logs various aspects of JIRA operations for troubleshooting purposes.
  • May contain any arbitrary information, including user information.
  • More information in Logging and profiling
11監査ログデータベース
  • UI
  • REST API
  • データベース
  • Provides an audit trail of configuration changes, including user information.
  • More information in Auditing in Jira.
12バックアップファイルシステム
  • ファイル システム
  • Contains the entire contents of the JIRA database for archival purposes.
  • Backups contain entire suite of personal data provided to Jira.
13Support Zipsファイルシステム
  • ファイルシステム
  • Collects configuration information from JIRA and various logs for transmission to Atlassian Support.
  • Logs may contain personal data.
  • More information in Create a Support Zip.
14Emails

データベース

Mail Server

Client Systems

  • データベース
  • External Systems
  • Notifications to users about changes to issues, including comment and status changes.
  • Comments are free text fields and may include any arbitrary information, including personal data.
  • Emails are stored internally in Jira, and contents will be stored on email server and/or email clients.
15Webhook

データベース

External Systems

  • データベース
  • HTTP POSTs to external URLs containing details of issue changes, depending on configuration.
  • More Information in Webhooks.
16アバター

ファイルシステム

External Systems (Gravatar)

  • ファイル システム
  • External Systems
  • Images selected by users to represent themselves in Jira.
  • In the case of Gravatars, these images may be stored in external systems.
17User Profileデータベース
  • データベース
  • Stores user details including username, full name, email address, and avatar.
  • User accounts can be created by mail handlers when "Create User" checkbox is checked during incoming mail handler configuration Creating issues and comments from email
18Application Cache

メモリ

ファイルシステム

  • ファイル システム
  • メモリ
  • Store data in memory to speed-up lookups (no expensive DB access needed)
19メンション

データベース

メール

  • データベース
  • Effective collaboration between users (sending emails to mentioned users)
20Plugins / integrationsDatabase / file system / Other
  • UI
  • REST API
  • Different type of plugins - any functionality can be implemented in plugin.
21Group namesDatabase / External directory
  • UI
  • REST API
  • Used for categorizing users. There is possibility to store PD in group names if eg. group name contains reference to religion/race/gender and there are some uses assigned to that group.
22ダッシュボードデータベース
  • UI
  • Could contain personal data e.g. report grouped by some user field in issue eg. assignee
23JIRA reportsデータベース
  • UI
  • Could contain persoanl data e.g. report grouped by some user field in issue eg. assignee
24User keyデータベース
  • REST API
  • Could contain personal data
  • System entry with a unique value representing the user, and is based on their original login details. The user key is only accessible in the system and through APIs, and cannot be altered.
25Data pipeline exportsファイル システム
  • ファイル システム

  • Provides current state data from the Jira database in CSV format for analysis in an external business intelligence tool

  • More information in Data pipeline.

Jira Service Desk

In a default JIRA Service Desk configuration, the following data is stored in database listed below: 


Where JSD can store personal dataバージョンの互換性Accessible via目的
1定形返信3.7.x and above
  • UI
  • データベース
  • Provide a free-text field that agents can populate with any arbitrary information, including personal data.
  • Stores:
    • users that have created/updated canned response
    • canned response title and text
    • canned response usage (e.g. which user have used canned response)
    • audit trace
    • when variables are used in canned responses (e.g. mentioning a reporter), these are stored as free-text in our database

No personal data is logged in the file system for canned responses.

You can view this page for more details on canned responses.

2組織3.3.x and above
  • UI
  • データベース
  • REST API
  • A way to group users into organizations.
  • We store the members of an organization and the name of the organization.
3承認3.2.x and above
  • UI
  • データベース
  • REST API
  • Tracks and explicitly provides the approvers required for incoming requests.

If a specific request type has the approval process enabled, requestors can:

  • Select one or multiple members in the organisation through a drop-down menu. This will reveal their display names and emails.
4自動化3.0.0 and above
  • UI
  • データベース
  • Tracks who made the rule, and if the THEN handler involves alerting another user, we also store who this automation rule applies to (e.g. alert a user on THEN handler).
  • Stores:
    • executor user key
    • user keys and emails of users part of a rule (e.g. alerting a user on THEN handler)
    • name and description on free textfield that may contain personal information
    • JQL and other matchers used in querying and executing automation
5Customer portal request view
  • UI
  • データベース
  • Allow users to subscribe request via customer portal, which store the user key (e.g. this user has subscribed to this request).

No sensitive data is logged as part of adding/removing/fetching subscription information.

6Customer satisfaction feedback
  • UI
  • データベース
  • REST API
  • Allow help seekers to evaluate the quality of the service via a 5 star rating system.
  • We store a token that is later sent via email to the requester, and we also store comments made by the requestor. The comment is free text and may contain PD if the requestor adds it.
7Customer notifications and invite emails
  • UI
  • データベース
  • Email content and data is stored for email batching and sending emails to customers. Sent emails are purged after 30 days.
  • There are free text fields that may contain PD in notification templates and emails stored.
  • When a user is invited, we store the email address of the invitee and the username of the inviter.
  • We store the username of the user that changed the supported languages for translated customer notifications.
8ナレッジベースとの連携
  • UI
  • データベース
  • A way to integrate JIRA Service Desk with Confluence to give help seekers access to knowledge base articles.
  • We store the application link name, space URLs, labels of Confluence pages, statistics about knowledge base search and usage (e.g. how many times being viewed), and whether it's helpful or not.
9キュー
  • UI
  • データベース
  • REST API
  • Store queue name and this may contain PD.
10JIRA Service Desk Reports
  • UI
  • データベース
  • Store name of report, or the label of series.
11Request channels
  • UI
  • データベース
  • When your customers send a request through your support email, we automatically create an account for that customer.
12リクエスト タイプ
  • UI
  • データベース
  • REST API
  • Similar to issue type in JIRA, but conceptually different.
  • Store configurations about the request type - name, descriptions, general configurations.
13サービス レベル アグリーメント (SLA)
  • UI
  • データベース
  • REST API
  • Service level agreement (SLAs)
  • Store configurations about SLAs, description, calendar name, holiday names, audit SLA data, SLA breaches, SLA goals (JQL queries that define goals). This could all contain PD.

回避策

Handling "structured" PD

Obtain PD from a User profile


はじめる前に

You must have the JIRA Administrator or JIRA System Administrator global permission to be able to manage users in JIRA applications.

  1. Select User Management.
  2. ページの一番上にあるフィルターを使用してユーザー一覧からユーザーを探します。
  3. Click on user Full name in the "Full name" column.
  4. Store data from "Account information" section for later usage:
    1. ユーザ名
    2. 氏名
    3. メール
  5. Obtain user "user_key"

    1. Using REST API https://docs.atlassian.com/software/jira/docs/api/REST/latest/#api/2/user-getUser and obtain "key" from the response

      curl -u admin:admin http: //localhost:2990/jira/rest/api/latest/user?username=example_username
      {
      "self" : "http://localhost:2990/jira/rest/api/2/user?username=example_username" ,
      "key" : "user_key" ,
      "name" : "example_username" ,
      "emailAddress" : "johndoe@example.com" ,
      "avatarUrls" :{ "48x48" : "" , "16x16" : "" },
      "displayName" : "John Doe" ,
      "active" : true ,
      "timeZone" : "Australia/Sydney" ,
      "locale" : "en_AU" ,
      "groups" :{ "size" : 2 , "items" :[]},
      "applicationRoles" :{ "size" : 2 , "items" :[]},
      "expand" : "groups,applicationRoles"
      }

      In  this example user key has value  "user_key"

    2. Using an SQL query

      SELECT user_key FROM app_user WHERE lower_user_name = LOWER( '[username]' )

  6. Check data in user properties:

    1. Choose Actions > Edit Properties. The Edit User Properties screen will be displayed. Check if any PD is defined there.

Handling "free-text" PD

Handling PD in JIRA issues

You'll only get search results for entities you have the right to view. Make sure you have full admin rights is you want to scan for all instances of PD.

There may be some fields that you don't have access to. If "none" is selected for custom field Search Templates, then JQL searching will omit this field. Such fields have limited processing and nobody will be able to perform the search by this field's value.

  1. Go to issue search and search for sensitive data. From top menu, choose Issues > Search for issues.
  2. Click Advanced.
  3. Type JQL: "text ~ 'clause to search'" and click the search icon. It should search in: comments, description, summary, environment, worklogs + text searchable custom fields.
  4. Check or update the required data.

Handling PD in the audit log

Go to the audit log page, and search for PD.

For more information, please view Auditing in Jira.

Handling PD in other entries

Dealing with free-text:

  1. You have to modify the provided SQL file - replace <OLD_VALUE> with the PD that you are searching for.

  2. Execute the "Select" script from the SQL file manually table by table, each table description should contain additional information on the purpose of the table. We recommend (if possible) to view and amend data using the UI.

    1. Use these SQL scripts for JIRA Core and JIRA Software:

      スクリプト

      SELECT oracle • mysql • postgresql • mssql

    2. If you have JIRA Service Desk, you'll need to run the JIRA Core scripts above, and then run these JIRA Service Desk specific SQL scripts:

      スクリプト

      SELECT oracle • mysql • postgresql • mssql

Handling PD in Logs

As an administrator, you would need to manually search each log as detailed on the JIRA Server: Right to erasure page for PD.

Handling PD in backups

JIRA can generate backups of it's data, and this is performed by the administrator. How these backups and the data they contain is governed is up to each administrator and their respective organizations to decide.

制限事項

  • If you have stored PD inside attachments, this article will not help surface that PD as we have no way of reading what is stored in each attachment.
  • Access to the database is required to run any SQL scripts.

その他の注意事項

お使いの製品バージョンに応じた制約がある可能性があります

上記に関連する GDPR 回避策は、本製品の最新バージョン用に最適化されていることにご注意ください。製品のレガシー バージョンを実行している場合、回避策の効果は限定的である可能性があります。この記事で案内されている回避策を最適化するには、最新の製品バージョンにアップグレードすることを検討してください。

サードパーティ製アドオンは、独自のデータベース テーブルまたはファイルシステム内に個人データを保存する可能性があります。

GDPR コンプライアンスへの取り組みに関する上記の記事は、アトラシアンのサーバーおよびデータセンター製品内に保存されている個人データのみを対象としています。サーバーまたはデータセンター環境にサードパーティ製アドオンをインストールしている場合、お客様のサーバーまたはデータセンター環境でアクセス、転送、または処理する可能性がある個人データと GDPR コンプライアンスへの取り組みについて、サードパーティのアドオン プロバイダにお問い合わせください。

サーバーまたはデータ センターのお客様の場合、アトラシアンはお客様が製品内で保存するように選択した個人データへのアクセス、保管、または処理は行いません。アトラシアンが処理する個人データの詳細については、プライバシー ポリシーを参照してください。

最終更新日 2018 年 11 月 19 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.