Information about features of IBM® Content Manager OnDemand that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Content Manager OnDemand that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR requirements. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
GDPR stands for General Data Protection Regulation.
GDPR has been adopted by the European Union and will apply from May 25, 2018.
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
The following sections provide considerations for configuring Content Manager OnDemand to help your organization with GDPR requirements.
Configuring Product: GDPR readiness considerations
Content Manager OnDemand for i: http://www-01.ibm.com/support/docview.wss?uid=swg27041973
Setting up SSL for OnDemand Client: https://www.ibm.com/support/knowledgecenter/en/SSEPCD_10.1.0/com.ibm.ondemand.installmp.doc/dodnl027.htm
Also see "Securing access with ARSSTASH and the stash file" in the Content Manager OnDemand Redbook.
For Content Manager OnDemand for z/OS, consider using the Unified Login mechanism instead of the stash file. See section 6.5.5, "Securing access with ARSSTASH and the stash file", in the Content Manager OnDemand Redbook: http://www.redbooks.ibm.com/redbooks/pdfs/sg246915.pdf
What are the lawful bases for processing?
Product considerations:
Personal data used by Product
Except for the user name and password, the rest of this information is optional and need not be specified when the account is created. User account information is stored in the relational database configured with the Product. For GDPR readiness, it is highly recommended to use the native encryption of the relational database to safeguard the account information. Once a user account is set up, the Product uses the UserID, password, and permissions to authenticate the user, to determine which data the user can access, and to determine which operations the user is authorized to perform on that data. When defining individual UserIDs, the Product administrator may organize users by grouping them with other UserIDs that have similar access needs or job requirements. See "Users and Groups" in the Content Manager OnDemand Administration Guide: https://www.ibm.com/support/knowledgecenter/en/SSEPCD_10.1.0/com.ibm.ondemand.planningmp.doc/dodip109.htm
To avoid storing users' passwords in the Product, it is recommended for GDPR readiness to configure the Product with an LDAP enterprise directory server and to set up user accounts through the directory server. With this configuration, the Product does not store the password or any of the personal information mentioned above, except for the user name. Users that are set up through the LDAP directory server are authenticated against LDAP when they log in to the Product. See "Content Manager OnDemand LDAP authentication process": http://www-01.ibm.com/support/docview.wss?uid=swg21597246
It is also recommended to set up SSL between the Product and the LDAP server by setting ARS_LDAP_USE_SSL to true, so that user credentials are not sent to the directory server in clear text during authentication. This is described in the LDAP authentication process document.
User and group definitions may be imported from the LDAP directory server; see http://www-01.ibm.com/support/docview.wss?uid=swg27050629
At runtime, whenever a user logs in, loads data into the Product, or retrieves data, the activity is logged in the System Log. For certain types of activity, the logged message may contain the user name and/or UserID of the person performing the activity. See IBM Content Manager OnDemand Messages and Codes: http://publibfp.dhe.ibm.com/epubs/pdf/c2713791.pdf
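As an added example (not part of this document or of the product), the following Python script parses an ars.cfg-style NAME=VALUE file and reports the weak LDAP setting described above next to the corrected one. The only parameter named on this page is ARS_LDAP_USE_SSL; the ARS_LDAP_SERVER and ARS_LDAP_PORT names, the accepted spellings of "true", and the sample configuration excerpts are assumptions made for this illustration.

```python
"""Check an ars.cfg-style configuration for LDAP-over-SSL (added example).

ars.cfg is a plain text file of NAME=VALUE lines in which '#' starts a
comment. Only ARS_LDAP_USE_SSL is named on the page; ARS_LDAP_SERVER and
ARS_LDAP_PORT are assumed parameter names used for this illustration.
"""
from typing import Dict, List

# Constructed sample: LDAP authentication configured, SSL left off.
WEAK_CFG = """\
# ars.cfg excerpt (constructed sample)
ARS_LDAP_SERVER=ldap.example.com
ARS_LDAP_PORT=389
ARS_LDAP_USE_SSL=FALSE
"""

# Constructed sample: the same deployment with SSL to the directory server.
HARDENED_CFG = """\
# ars.cfg excerpt (constructed sample)
ARS_LDAP_SERVER=ldap.example.com
ARS_LDAP_PORT=636
ARS_LDAP_USE_SSL=TRUE
"""

# Constructed sample: no LDAP integration, the LDAP lines are commented out.
LOCAL_CFG = """\
# ars.cfg excerpt (constructed sample)
# ARS_LDAP_SERVER=ldap.example.com
# ARS_LDAP_USE_SSL=TRUE
"""


def parse_ars_cfg(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines; blanks and '#' comments are ignored, later keys win."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def ldap_ssl_findings(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if not cfg.get("ARS_LDAP_SERVER"):
        findings.append(
            "ARS_LDAP_SERVER not set: LDAP authentication is not configured, "
            "so user passwords are stored in the library server database")
        return findings
    # The accepted spellings of "enabled" are an assumption for this example.
    use_ssl = cfg.get("ARS_LDAP_USE_SSL", "").lower() in ("true", "1")
    if not use_ssl:
        findings.append(
            "ARS_LDAP_USE_SSL is not TRUE: credentials travel to the LDAP "
            "server in clear text during authentication")
    elif cfg.get("ARS_LDAP_PORT") == "389":
        findings.append(
            "ARS_LDAP_USE_SSL=TRUE but ARS_LDAP_PORT=389: 389 is the "
            "conventional plain LDAP port; confirm the server accepts SSL there")
    return findings


def check_ars_cfg(text: str) -> List[str]:
    """Convenience wrapper: parse the text and return the findings."""
    return ldap_ssl_findings(parse_ars_cfg(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG), ("local", LOCAL_CFG)):
        print(name, check_ars_cfg(text) or ["OK"])
```

Run it against the real ars.cfg by reading the file into check_ars_cfg; the script treats a missing ARS_LDAP_SERVER as a finding because, as the text above notes, a Product without LDAP integration keeps passwords in its own database.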
Personal data used for online contact with IBM
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
The Product also writes system log and trace files for service purposes; these are persisted to disk as described in the "Data Storage" section. Considerations for managing this data are given in the following sections.
Data Storage: Controlling storage of personal data
Where personal data is kept (long term use):
User account data (UserID, passwords, permissions) is kept in the library server, which uses the underlying supported database server (Db2, Oracle, or SQL Server) to store the information. When an LDAP directory server is integrated, which is highly recommended for GDPR readiness, the Product does not store passwords, because it uses LDAP to authenticate users. User account data is maintained by the Product for as long as the user is authorized to access the Product. When a user no longer has a business need to access the Product, the administrator can delete the user account. Additionally, with LDAP directory server integration, if the user's information is deleted from the LDAP directory server or moved to a different organization, the LDAP synchronization utility automatically deletes the user account information in the Product on the next synchronization with the directory server. See "Importing and synchronizing LDAP users and groups with the LDAP user import utility": http://www-01.ibm.com/support/docview.wss?uid=swg27050629
Other long-term use of personal data:
Whenever a user logs on, stores or retrieves content, or performs any other activity, the Product logs the activity as a message in the System Log and in a library server database table. The logged message or the database entry may contain the user name and/or UserID. This allows the organization to monitor operations performed by users. Even after a user's account is deleted and the user is no longer authorized to use the Product, the System Log continues to hold the record of that user's past activities. The UserID is removed from the System Log only when the system log entries are deleted or their retention period expires. It is therefore recommended to set the System Log retention period to a finite time determined by business, audit, or legal requirements. The System Log is managed in the Product as an Application Group. The following document, although written for the IBM i platform, gives a conceptual understanding of managing the System Log: http://www-01.ibm.com/support/docview.wss?uid=swg21987870
For the list of message types and message codes that the Product logs, see IBM Content Manager OnDemand Messages and Codes: http://publibfp.dhe.ibm.com/epubs/pdf/c2713791.pdf
Temporary use of personal data: use of personal data in trace files
To diagnose technical problems that may arise in the functioning of the Product, the Product's trace facility is enabled when instructed by IBM support personnel. With the trace facility enabled, the Product generates trace files in a file system directory. A trace file contains messages that help in debugging a problem in the technical functioning of the Product. See "How to enable trace facility in Content Manager OnDemand Server": https://www.ibm.com/developerworks/community/blogs/e8206aad-10e2-4c49-b00c-fee572815374/entry/cmod_trace?lang=en
https://www-01.ibm.com/support/docview.wss?uid=swg21330810
Trace files may contain the UserID of the person performing the operation. Trace files should be deleted once the diagnostic need no longer exists, and tracing should be disabled at that point as well. Further, to safeguard access to the personal data (UserID) in trace files, it is recommended to set up adequate access control on the file system directory in which trace files are stored, for example by restricting read access to the account that runs the Product and to its administrators. You may also consider whole-disk encryption.
Use of personal data in backups:
The Product administrator is responsible for making backups of the Product using off-the-shelf commercial backup and restore products. Whenever a Product backup is made, a copy of the personal data stored in the Product is made with it. The enterprise needs to define policies that govern how long backups are kept, who has access to them, how that access is controlled and logged, how restores are performed, and how backup copies are deleted. For instance, if you take daily backups under a 30-day retention policy, meaning that backup media are reused or backups are deleted after 30 days, then that policy can underpin a 30-day personal data deletion policy in which data is removed from both the Product and its backups within 30 days.
Controlling processing of personal data
Encrypting personal data in motion when user account information is created
Once a user account is created, the user's information must be protected in motion while the user is being authenticated by the Product against the LDAP server. Configure SSL for LDAP user authentication. See "Content Manager OnDemand LDAP authentication process": https://www-01.ibm.com/support/docview.wss?uid=swg21597246
Encrypting personal data at rest
As described above, the personal data of Product users is kept in the database server configured with the Product. It is recommended to use the native encryption capabilities of that database server. If you are using Db2, see Db2 native encryption: https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0061758.html. If you are using a database other than Db2, refer to your database vendor's manuals for instructions on setting up encryption.
Additionally, as described in the Data Storage section above, if tracing is turned on, the UserID portion of the personal data may be written to trace files, which the Library Server generates in the file system. To protect the data in these files, it is recommended to set up adequate file system access control and to use disk encryption technology such as IBM Guardium Encryption.
If the content that users store in the Product includes personal information, it is highly recommended to encrypt the content at rest. See Content Manager OnDemand Native Encryption for enabling encryption of physical documents at rest: http://www-01.ibm.com/support/docview.wss?uid=swg27049568. Alternatively, you may use whole-disk encryption technology such as IBM Guardium Encryption. Note: enabling the Product's content encryption at rest does not encrypt content that is already loaded into the Product; only data loaded from that point on is encrypted. To encrypt pre-existing content, you need to unload and reload the data. If that is not practical, it is recommended to use whole-disk encryption technology such as IBM Guardium Encryption instead.
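Both the Data Storage section and the paragraph above recommend adequate file system access control on the directory that holds trace files. The following Python script is an added example, not part of the product or of this document: it audits a trace directory for entries readable or writable by group or other, tightens them to owner-only, and re-audits. It applies POSIX mode bits only, assumes the account that runs the Product owns the directory (so owner-only permissions are sufficient), and the directory layout and trace file name it builds are constructed for the illustration.

```python
"""Audit and tighten permissions on a trace file directory (added example).

POSIX mode bits only. The directory contents built by demo() are
constructed for the illustration and are not product trace output.
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Any of these bits lets a principal other than the owner read or modify
# a file, or list or change a directory.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def exposed_entries(directory: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for the directory itself and every entry
    below it whose mode grants group or other read/write access.
    Symlinks are reported by their own mode and not followed."""
    found: List[Tuple[str, str]] = []

    def check(path: str) -> None:
        mode = os.lstat(path).st_mode
        if mode & EXPOSED_BITS:
            found.append((path, oct(stat.S_IMODE(mode))))

    check(directory)
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            check(os.path.join(root, name))
    return found


def harden(directory: str) -> None:
    """Owner-only access: 0700 on directories, 0600 on regular files.
    Symlinks are skipped so a link into another tree is not re-moded."""
    for root, dirs, files in os.walk(directory):
        os.chmod(root, 0o700)
        for name in files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                os.chmod(path, 0o600)


def demo() -> Tuple[int, int]:
    """Build a constructed trace directory with loose permissions, audit it,
    harden it, and audit again. Returns (exposed_before, exposed_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        trace_dir = os.path.join(tmp, "trace")
        os.mkdir(trace_dir)
        os.chmod(trace_dir, 0o755)  # world-listable, a careless default
        trace_file = os.path.join(trace_dir, "trace_20180525.log")  # constructed name
        with open(trace_file, "w") as fh:
            fh.write("constructed trace line mentioning UserID ADMIN\n")
        os.chmod(trace_file, 0o644)  # world-readable, exposes the UserID
        before = len(exposed_entries(trace_dir))
        harden(trace_dir)
        after = len(exposed_entries(trace_dir))
        return before, after


if __name__ == "__main__":
    print("exposed entries before/after hardening:", demo())
```

Run exposed_entries() against the real trace directory as a periodic check; a non-empty result after tracing has been disabled is a sign that trace files were neither removed nor locked down.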
Encryption Key ownership
For on-premises deployment of the Product, ownership and control of encryption keys remain within your enterprise. If you are using native database encryption, refer to the database encryption documentation for key management and key ownership. If you are using a whole-disk encryption solution such as IBM Guardium Encryption, refer to its documentation for key management and key ownership. If you are using the Product's native encryption, see Content Manager OnDemand Native Encryption: http://www-01.ibm.com/support/docview.wss?uid=swg27049568
Controlling deletion of personal data
See section Data Storage: Controlling storage of personal data
Controlling deletion of data/content created by users
All operations, including deletion of content, are controlled by the Product. Users of the Product need sufficient privileges to perform any operation. See "Content Manager OnDemand Permissions" in the Content Manager OnDemand Administration Guide: https://www.ibm.com/support/knowledgecenter/en/SSEPCD_10.1.0/com.ibm.ondemand.administeringmp.doc/dodac009.htm
Monitoring processing of personal data
This pertains to monitoring who is accessing personal data and when. To do that, you need to know who can access the personal data and where it is kept, and then set up a monitoring process for access to each of those data stores. As described in previous sections, the Product stores user accounts in the Library Server database, and the UserID portion of the user account data is also kept in the System Log and in trace files in the file system. To monitor access to the Library Server database, refer to your database server documentation on database activity monitoring; for Db2, for example, see Introduction to DB2 Audit facility: https://www.ibm.com/support/knowledgecenter/en/SSEPGG_9.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005483.html. For controlling and monitoring access to file systems, consult the documentation for the file system used in your enterprise, as most provide ways to set up and manage access control.
If your users store personal or sensitive information in documents in the Product, their activity can be monitored through the System Log: the Product logs a message whenever a user logs on or off, a logon fails, or documents are queried, retrieved, loaded, updated, or deleted. See "System Logging" in the Content Manager OnDemand Redbook: http://www.redbooks.ibm.com/redbooks/pdfs/sg246915.pdf
This section deals with the rights of users of the Product with respect to their personal information, that is, the account information that the Product maintains for each user. For any personal information that users of the Product store by ingesting or storing documents that contain personal information, it is the enterprise's responsibility to establish appropriate procedures for handling data subject rights for that information. Note: the Product administrator has the privileges to modify, delete, or restrict access to any personal information stored in the database. For personal information contained in content that users load or store in the Product, it is the client organization's responsibility to establish procedures for managing that content. The Product lets the administrator use a query or full text search to locate all documents containing a given search term and then delete those documents or restrict access to them.
For custom applications running on the Product, it is the application's responsibility to use the Product's capabilities to manage the content created by the application's users.