User Tools

Site Tools

:: Version 2.6.0 ::



This shows you the differences between two versions of the page.

Link to this comparison view

2_6_0:admin:rgpd [2019/01/09 16:40] (current)
Line 1: Line 1:
 +====== Managing Personal data in iTop ======
 +If you have to comply with RGPD, here are some tips to help you...
 +===== Inventory of personal data in iTop =====
 +==== Personal data in the Person object ====
 +Most of the personal information in iTop is stored in the Person object. In the standard iTop datamodel, these data consist of:
 +^ Field code ^ Label ^ Description of the field ^ 
 +| email | Email | Email address of the person|
 +| employee_number | Employee number | Employee number or any identifier used within the company |
 +| first_name | First Name | First name of the person|
 +| function | Function | Function / job title of the person|
 +| location_id | Location | Location of the person (link to a Location object)|
 +| manager_id | Manager | Manager of the person (link to a Person object)|
 +| mobile_phone | Mobile Phone | Mobile phone number|
 +| phone | Phone | Fixed phone number|
 +| picture | Picture | Picture of the person|
 +Due to the relational nature of iTop, the information stored in the Person object is not supposed to be duplicated elsewhere. The few exceptions to this principle are listed below:
 +==== Personal data in the History ====
 +All modification to the Person object are recorded in the history of this Person object, thus storing some personal information. You can list all the changes made to a given Person object using the following OQL query:
 +<code SQL>
 +SELECT CMDBChangeOp WHERE objclass='​Person'​ AND objkey=:​person_id
 +Where //:​person_id//​ is the identifier of the Person object.
 +All the modifications performed by the user account associated with the contact also keep track of the name (i.e. friendlyname) of the contact who made the changes.
 +<code SQL>​SELECT CMDBChange WHERE userinfo=:​person_name</​code>​
 +Where //:​person_name//​ is the complete name (i.e. friendlyname) of the Person, for example “Claude Monet”.
 +==== Personal data in the case logs ====
 +Each ''​Case Log''​ field in iTop stores information about the person who created each entry in the case log (in the current version of iTop it is not possible to modify a case log entry). The information recorded in the case log (for each entry) contains:
 +  * The date and time of the modification
 +  * The full name (at the time of the modification) of the Person who made the modification
 +  * The identifier of the Person object who made the modification
 +For example, if the user associated with the Person “Claude Monet” (id=3) created two case log entries, the content of the case log will be stored in the database as follows:
 +========== 2018-05-09 11:38:45 : Claude Monet (3) ============
 +<​p>​This is the second entry of the case log</​p>​
 +========== 2018-05-09 11:38:27 : Claude Monet (3) ============
 +<​p>​This is the first entry of the case log</​p>​
 +==== Personal data in Email notifications ====
 +Whenever a notification is sent by iTop as an eMail, the information is recorded in the ''​EventNotificationEmail''​ object. This object records the email sent to the mail server. This object contains the email addresses of the person it was addressed (in TO, CC or BCC) and the content of the message sent.
 +The EmailNotification object also stores the date at which it was emitted.
 +===== Data flows =====
 +One of the important topics when dealing with personal data is to document the flow of personal data within your organization. This document (and iTop itself) cannot document this flow for you since each use case is specific and depends on the processes and integrations put in place when operating iTop.
 +However, iTop provides several features which can help you document and control this flow of information.
 +==== log of REST/JSON web services ====
 +You can audit the operations performed via the REST/JSON services by setting the configuration parameter ‘log_rest_service’ to true in the iTop configuration file.
 +Once this parameter is set, every REST/JSON operation will create an EventRestService object in the iTop database. This object records:
 +  * The date/time of the operation
 +  * The user account used to perform the operation
 +  * The JSON input parameters
 +  * The output of the operation (code, message and – a trimmed version of the - JSON output)
 +Using all the information you can determine the flow of personal information via REST/JSON webservices (if any).
 +<note tip>​Enabling ‘log_rest_service’ can have a significant impact on the performance of Web services and increase the iTop database space use. Therefore it is recommended to turn on this feature for auditing purposes only during a limited period of time.
 +<note tip>​Starting with iTop 2.5 only the user accounts with the profile “REST Services User” can execute REST/JSON operations.</​note>​
 +==== List of Synchronization Data Sources ====
 +You can easily list all Synchro Data Sources which import of update Persons by search searching for Synchronization Data Sources which “Target Class” is “Person”. This search can be performed through the “Admin tools / Synchronization Data Sources” or by running the following OQL query:
 +<code SQL> SELECT SynchroDataSource WHERE scope_class='​Person'​ </​code>​
 +Each data source keeps track of a complete log of its operations, including the date/time it was run and the summary of the operations executed for each run (creations/​updates/​deletions). \\
 +Note that if a “User” is specified for a Synchronization Data Source, then only the specified user account can execute this synchronization.
 +==== Restriction of Bulk Exports (and Bulk Imports) ====
 +  * Only the user accounts having the capability “Bulk Read” on Persons can perform exports of a list of persons.
 +  * Similarly, only the user accounts with the capability “Bulk Modify” on Persons can perform a CSV import of Persons.
 +  * These capabilities can be viewed using the “Grant matrix” tab on the details of each user account.
 +===== Cleanup of personal data =====
 +To completely cleanup the data related to a person, one has to:
 +  - Delete the Person object corresponding to this person, this will also remove the history information about this Person.
 +  - Delete the case log entries created by this person
 +  - Delete the EmailNotification objects corresponding to emails sent to this person
 +But there are limitations to those actions:
 +  * Depending on the relations between the targeted Person object and other objects in the iTop Database, the deletion of the Person object may not be possible without specifying a replacement Person on some other objects in order to respect the database integrity constraints. \\
 +  * Deleting the case log entries is currently not implemented in iTop, and is non-trivial to achieve with SQL queries since the case log text must be kept consistent with another field called the case log index. \\
 +  * Updating the CMDBChange objects to replace the references to the contact name can be done in one single SQL query, since there is only one field ‘userinfo’ to anonymize in the table. Since this field is only displayed to the end-user and not user for any reference in iTop, there is no integrity constraint and any value can be put in the field. \\
 +  * Since one email notifications may be addressed to several persons (in TO, CC and BCC), deleting one such notification will affect other users than just the targeted person.
 +Due to the limitations mentioned above the “pseudonymization” approach seem more realistic to implement than a complete wipe of the personal data.
 +===== Pseudonymisation of personal data =====
 +  * Anonymize the Person object by replacing the values in all its mandatory fields by anonymous values (constant or random)
 +  * Empty all non-mandatory fields (like Location, Manager, Phone number, n:n relations)
 +  * Pseudonymisation of the case log entries, by removing all references to the person, without altering the length of the text, to preserve the consistency with the case log “index” field.
 +  * Deletion of the Person’s history (CMDBChange / CMDBChangeOp) to delete the “previous values” of the fields, which would help recover the values.
 +  * Anonymization of the CMDBChange “userinfo” fields containing the name of the Person.
 +  * Deletion of all EmailNotification objects past a (short) retention period (3 months ??)
 +===== Export of personal data =====
 +  * Person details can be exported using the standard export feature of iTop.
 +  * Case log entries can be exported by searching each class of object containing a Case Log (i.e. each class of tickets and searching for “Public Log” contains “Name of the contact”.
 +This can be achieved using the “Run Query” menu and an OQL like:
 +<code sql> SELECT UserRequest WHERE (public_log LIKE :name OR private_log LIKE :name) </​code>​
 +specifiying the value of the //:name// parameters as %contact_friendlyname%.
 +For example to export all the User requests with an entry by Claude Monet in a case log, the OQL query would be:
 +<code sql> SELECT UserRequest WHERE (public_log LIKE '​%Claude Monet%'​ OR private_log LIKE '​%Claude Monet%'​) </​code>​
 +Notification emails can be listed and exported using the OQL query:
 +<code sql>
 +SELECT EventNotificationEmail WHERE 
 +      to = '​email_address' ​
 +   OR cc LIKE '​%email_address%' ​
 +   OR bcc LIKE '​%email_address%'​
2_6_0/admin/rgpd.txt · Last modified: 2019/01/09 16:40 (external edit)