What is PII?

What is PII?

PII stands for Personal Identifiable Information. This is any information that enables the identity of an individual to be inferred, including information that is linked or linkable.

→ WHAT IS PII | WIKIPEDIA

The US also has a concept of Sensitive PII - this is PII that has an increased risk if leaked, such as financial or health records, Social Security numbers and so forth.

→ WHAT IS PII | DEPARTMENT OF HOMELAND SECURITY

What is Personal Data?

This is a legal term from the European General Data Protection Regulation (GDPR). The GDPR defines Personal Data (Article 4 (1)) as follows:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);"

→ DEFINITIONS (Article 4 (1)) | GENERAL DATA PROTECTION REGULATION (GDPR)

What is an Identifiable Natural Person?

This is a legal term from the European General Data Protection Regulation (GDPR). The GDPR defines an Identifiable Natural Person (Article 4 (1)) as follows:

"an 'identifiable natural person' is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

→ DEFINITIONS (Article 4 (1)) | GENERAL DATA PROTECTION REGULATION (GDPR)

What is HIPAA?

HIPAA stands for The Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. It lays out best practices for the privacy and security of data in the healthcare industries. Two key concepts are the Privacy Rule and the Security Rule.

• These rules define how an individual’s Personal Health Information, or PHI should be handled. PHI can comprise of any information that include personal identifying information (PII). This might be names, addresses, health issues etc. If you handle PHI, you probably need to be HIPAA compliant.

• Additional acts have been passed since 1996, such as the HITECH act, and the HIPAA Omnibus Rule, which strengthen the original protections.

• A “Covered Entity” is a healthcare organisation that stores or transmits PHI. These rules are strict, and organisations must take great care with PHI. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.

→ Health Insurance Portability and Accountability Act of 1996 (HIPAA) | US Department of Health & Human Services

Is Atlassian/Jira/Confluence HIPAA compliant?

At the time of writing, in terms of Cloud services, only Jira Enterprise, and Confluence Enterprise are HIPAA compliant, and a signed Business Associate Agreement (BAA) with Atlassian will be required. Apps are not currently HIPAA compliant.

For more information, visit Atlassian's HIPAA resource page, or get in contact with us to discuss your requirements.

→ HIPAA | Atlassian

What is GDPR?

The GDPR applies to personal data on residents and citizens of the European Economic Area, which are the 27 Member States of the EU plus Iceland, Liechtenstein, and Norway usually known as EU residents. However, the GDPR impacts not only EU-based entities, but virtually every business dealing with the data of EU residents.

The GDPR is the European General Data Protection Regulation.

→ GDPR | intersoft consulting

What is a Data Controller/Data Processor?

Data Controllers can be a company or other legal entity or an individual that make decisions regarding processing activities. They are responsible for the overall control of the personal data being processed and are ultimately responsible for the processing.

Data Processors act on behalf of a Controller, under their authority. To this end, they must serve the controller's interests, and not their own. Processor's have a more limited compliance responsibility. However, a Data Processor acts outside of the Controller's instructions, in such a way that determines the means and purpose of the processing, the Processor will become a Controller in respect of the processing, and can face the same liability as a controller.

"'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

→ A guide to Data Protection | Information Commissioner's Office (ICO)

Is Atlassian/Jira/Confluence PII compliant?

It is Atlassian’s customers who store data in Atlassian’s services, and it is therefore customers who must make sure that they abide by PII rules, and do not store inappropriate data.

Atlassian do take security extremely seriously, to ensure that customer data is protected.

→ COMPLIANCE | ATLASSIAN

Helpful Links:

BDQ Blog | How to find sensitive data in your Jira, Confluence & attachments

BDQ PII Services | We can help you make sure you only have the sensitive data you're supposed to have

BDQ Cloud Migrations | Painless, professional migrations to Atlassian's Cloud

Is Atlassian/Jira/Confluence GDPR compliant?

The GDPR is really about protecting the data of EU residents. It is Atlassian’s customers who store data in Atlassian’s services, and it is therefore customers who must make sure that they abide by the GDPR’s rules, and do not store inappropriate data.

Atlassian do take security extremely seriously, to ensure that customer data is protected.

For more information on Atlassian’s commitment to the GDPR, click the link below.

→ GDPR COMMITMENT | ATLASSIAN

Where does Atlassian/Jira/Confluence store its data?

Atlassian determine where your data is hosted with an eye to reducing latency. This way, they optimise access to your data around the world. They do not guarantee that your data will be hosted in a specific location by default, however, with the correct subscription level, you can request that specific data is pinned to a location when it is at rest.

→ Atlassian's GDPR Commitment | Atlassian

The Cloud edition stores data in the United States, Germany, Ireland, Singapore, and Australia, with the location optimised based on the location of sign-up. It supports Single Sign-On (SSO) including via Microsoft Office 365 or Google, and can integrate with Azure AD via Atlassian Access.

→ Cloud Hosting Infrastructure | Atlassian

Atlassian Data Center/Server vs Cloud?

With Cloud, Atlassian’s dedicated security team manages security for you. Cloud offers built-in security features to help safeguard your data, with minimal admin effort required. With Data Center, securing your environment is managed by your organization.

For more detailed information please see the link below:

→ Compare Cloud and Data Canter | Atlassian

Atlassian Apps - where is the data stored?

• Server/DC: Your data is held locally within your Jira or Confluence instance.

• Forge: within Atlassian's Cloud infrastructure.

• Connect: Atlassian/app vendor.

How can I find out where my data is being stored?

You can view where your in-scope product data is hosted from your organization administration. You must have organization admin permissions to do this.

To view where your product data is hosted:

1. Go to admin.atlassian.com. Select your organization if you have more than one.

2. Select Security > Data residency.

This will open the data residency page for your organization. This page lists the products in your organization, the location of each product, and the AWS regions the location corresponds with. If a product is PINNED to a location, its in-scope data is held in place there.

→ Understand data residency | ATLASSIAN Support

Security considerations when migrating to Atlassian Cloud?

Atlassian take data security, privacy, and compliance very seriously. Instead of the onus being on admins, Atlassian take responsibility to stay on top of the changing regulatory and compliance needs across the globe, so no matter where you're located, your data is safe.

Security - Atlassian protect your data with encryption in transit and at rest and provide administrative controls to enforce organization-wide protection such as SAML SSO, enforced 2FA, and SCIM.

Compliance - Atlassian's compliance program is here to help meet your organization’s compliance needs. They undergo independent third-party audits and certify our products against FedRAMP, SOC2, ISO 27001, and more.

→ Atlassian Trust Center | Atlassian

If you have further concerns regarding an Atlassian Cloud migration, BDQ can help. As Atlassian Solution Partners, we have certified Atlassian experts on staff to answer any and all questions you might have and can provide you with a quote for performing the Migration for you.

→ BDQ Cloud Migration Services | Painless, professional migrations to Atlassian's Cloud

How do I find if I have any PII/HIPAA/GDPR in Jira/Confluence?

We have a solution for that!

There are currently ZERO services publicly available that can not only dive into your Jira and Confluence instances but their associated attachment files to locate that lost, forgotten or hidden sensitive data.

That's why we at BDQ created a proprietary technology that can not only help you identify and locate the PII in Jira and Confluence, including attachments, but it also prioritizes the results so that you can process the most critical items first.

For more information, please read through our blog post or take a look at our PII Services page.

→ How to find sensitive data in your Jira, Confluence & attachments | BDQ Blog

→ PII Services | Detect Personal Identifiable Information (PII) in text and attachments | BDQ Services

I'm concerned about completing Security Assessment Questionnaires

It has become more important than ever to make sure that the vendors and service providers that you engage with are compliant with your data security processes. This is, in most cases, represented in the form of a Security Assessment Questionnaire.

When you buy Atlassian products through us, you can send us the Security Assessment Questionnaire and not only will we find the correct details to fill it in for you, but because we fill these questionnaires out from multiple customers, we can often complete them in a fraction of the time.

→ Wanting to move to Atlassian Cloud but getting bogged down with internal security red tape? | BDQ Blog

Helpful Links:

BDQ Blog | Wanting to move to Atlassian's Cloud but getting bogged down with internal security red tape?

BDQ PII Services | We can help you make sure you only have the sensitive data you're supposed to have

BDQ Resources | The place to find all our free resources