IBM Support

IBM Connections GDPR documentation

Technote (FAQ)


Question

How does IBM Connections support removing personal information when requested by users?

Cause

The following Q&A provides information on commonly asked questions about how IBM Connections supports compliance with the European Union's GDPR ruling.

Note: Links point to Connections V6 documentation; however, those instructions also apply to Connections V5.0 and V5.5 on-premises deployments.


Answer

IBM Connections provides the following capabilities to support GDPR by enabling you to remove personal information from data repositories.

Attention: To support GDPR capabilities, your deployment must use one of the following versions of IBM Connections, and you must apply the corresponding fix to ensure that all capabilities are enabled. The fix for each version is available on IBM Fix Central:


In addition, the following script is available from Fix Central for removing user data from Connections Surveys: IC_Surveys-IFLO93917. For information on using the script, see Pseudonymising user PI contained in Surveys.

Access Controls

What access controls capabilities does the product provide to limit access to Personal Data to support the Client in meeting its compliance obligations?

Application-level access controls are available on the collaboration data in every Connections component. These controls use the customer organization as a fundamental unit of sharing, while also allowing users to share at the individual, group, or public level. Public access is restricted to registered users, each of whom has proven they control access to their registered email address.

For more information on access controls in Connections, see the following topics in IBM Knowledge Center:



Data Retention minimization
Where does the product store data, and how can the client delete data about an individual to support the client in meeting its compliance obligations?

Files content (including attachments in other components) is written to the file system. In addition, each application requires its own database for storing content, except Moderation, News, and Search. The Moderation application does not have an associated database or content store, while the News and Search applications share the Homepage database. Databases are provided by enterprise-level DBMS products; customers can choose among DB2, Oracle, or SQL Server as explained in the Creating databases topic in the Connections documentation on IBM Knowledge Center.

For information on making sure users are forgotten, see Managing personal data in accordance with GDPR.

Data Subject Access
What capabilities does the product provide to correct an individual's data in all its instances to support the client in meeting its compliance obligations?

Individuals can search for their own data, or ask an administrator to conduct the search; both methods are described in the Connections documentation on IBM Knowledge Center:

  • An individual can easily find data they created or contributed to by using the global search capability in the product. See "Assisting a current user who wants to search for their own PI" in the topic, Managing user requests to erase PI.
  • An individual can ask an organization administrator to find and correct all instances of specific data in blogs, wikis, and other apps. For more information, see Deleting or correcting user PI.


How does the product support the ability to extract individual data in a machine readable format for an individual data subject?

Connections Administrators can use APIs to search the repository for content that contains an individual's data. Results are returned in HTML format, which is machine readable; an individual can also view the information in a browser. For information on the Search API, see Searching for information programmatically in the IBM Connections wiki.


How does the product support the capability to provide individuals with a report on their personal data that is being processed?

Connections Administrators can use APIs to search the repository for content that contains an individual's data. Results are returned in HTML format, which is machine readable; an individual can also view the information in a browser. For information on the Search API, see Searching for information programmatically in the IBM Connections wiki.

Encryption
How does the product provide encryption capabilities for data in transit to support the Client in meeting its compliance obligations?

Connections supports the use of enforced encryption such as TLSv1.2 to ensure the secure transmission of data.

For more information, see Forcing traffic to be sent over an encrypted connection and Forcing traffic to use TLS 1.2.

How does the product provide encryption capabilities for data "at rest" to support the Client in meeting its compliance obligations?

DB2, Oracle, and SQL Server all support encryption for stored data. For more information, see the following articles:



Information Security
Where can the client find information about the security and privacy capabilities of the product to support them in meeting their compliance obligations?

Securing data and communications is discussed in the Security section of the Connections documentation on IBM Knowledge Center.

Where can the client find information about the security of the product (e.g. ISO certifications, technical security capabilities) available to support the Client in meeting their compliance obligations?

IBM conducts development, maintenance, and support activities under the guiding principles described in the article, IBM Connections Trust and Security.

Specifically, administering Connections on-premises security capabilities is discussed in the Security section of the Connections documentation on IBM Knowledge Center.

Logging & Monitoring

What logging / monitoring capabilities does the product provide in order to support the client in meeting its compliance obligations?

IBM Connections provides extensive monitoring and logging capabilities, including the following features:

  • The Connections components run as WebSphere Application Server applications, and use WebSphere logging features. See the WebSphere documentation on IBM Knowledge Center for information.
  • Additional information on monitoring Connections is available in the Connections topic Managing Users > User Life Cycle Details, on IBM Knowledge Center.
  • Connections also provides an extensive collection of APIs, which can be used to monitor user states, activity, and content. For information on Connections APIs, see the API Documentation section of the Connections wiki.
  • Connections customers are free to implement third-party monitoring and compliance offerings to work in conjunction with a Connections deployment.


Pseudonymisation
Does the product provide pseudonymisation capabilities to support the client in meeting its compliance obligations?

An administrator can pseudonymise any user who still has a profile in the system (for example, someone who is about to leave the company or is inactive) by editing the profile. For users who have already been deleted from the system, Connections supports the use of the "Update Profiles" Administration API to pseudonymise the details of a user's profile. For more information, see the Connections topic, Managing personal information in accordance with GDPR, in IBM Knowledge Center.

Right to Restrict / Object Service
How does the product allow the client to stop processing data of a particular individual to support the client in meeting its compliance obligations?

Administrators can manage user accounts, including deleting or suspending them, as explained in the Connections topic, Managing users, on IBM Knowledge Center.

Secure Deletion
What information is available regarding the capability of the product to delete Personal Data to support the Client in meeting its compliance obligations?

Connections administrators can delete personal data in some Connections contexts as explained in Deleting or correcting user PI and Deleting Cognos reports that contain PI in the Connections documentation in IBM Knowledge Center.

Administrator deletion of personal data (including how to delete or deactivate user accounts) is also covered in the Connections topic, Managing users, on IBM Knowledge Center.

Separation of duties
Explain how the product provides specific suggested roles and accesses that customers can use to compartmentalize and restrict access in order to meet their compliance obligations regarding "Separation of Duties"?

Connections allows the use of roles to govern the set of permissions assigned to each user (person, everyone, reader, and admin). See the Connections topic, Roles, on IBM Knowledge Center.

Standards
Please provide statements regarding the standards that the product meets (e.g. ISO certifications, etc.) and assurances that the product development process follows the "Privacy by Design" principles in order to support the Client in meeting their compliance obligations?

IBM maintains a set of internal security policies, standards, and processes consistent with the International Standards Organization (ISO) 27001 framework and control areas. We also maintain many industry-related certifications such as ISO 9001, ISO 20000, and Capability Maturity Model Integration (CMMI).

Our comprehensive Service Organization Controls (SOC) reporting program is undergoing several Statement on Standards for Attestation Engagements (SSAE) 16 or equivalent audits covering many IT services and associated controls, from managed services delivery through to managed security services.

Privacy reviews align IBM Connections with comprehensive, regularly updated IBM policies on privacy and client data protection, which can be found in the IBM Online Privacy Statement.

Technical & Configuration Guidance
Please provide references to technical and configuration guides that allow the Client to understand how to change settings within the offering to minimize access to Personal Data?

The following sections of the Connections documentation on IBM Knowledge Center discuss ways to minimize access to Personal Data through the use of roles, permissions, and encrypted communications:

Document information

More support for: IBM Connections

Software version: 5.0, 5.5, 6.0

Operating system(s): AIX, Android, IBM i, Linux, OS X, Windows, iOS

Reference #: 2016061

Modified date: 25 May 2018

