Managing Personal data in iTop
If you have to comply with RGPD, here are some tips to help you…
Inventory of personal data in iTop
Personal data in the Person object
Most of the personal information in iTop is stored in the Person object. In the standard iTop datamodel, these data consist of:
Field code | Label | Description of the field |
---|---|---|
Email address of the person | ||
employee_number | Employee number | Employee number or any identifier used within the company |
first_name | First Name | First name of the person |
function | Function | Function / job title of the person |
location_id | Location | Location of the person (link to a Location object) |
manager_id | Manager | Manager of the person (link to a Person object) |
mobile_phone | Mobile Phone | Mobile phone number |
phone | Phone | Fixed phone number |
picture | Picture | Picture of the person |
Due to the relational nature of iTop, the information stored in the Person object is not supposed to be duplicated elsewhere. The few exceptions to this principle are listed below:
Personal data in the History
All modification to the Person object are recorded in the history of this Person object, thus storing some personal information. You can list all the changes made to a given Person object using the following OQL query:
SELECT CMDBChangeOp WHERE objclass='Person' AND objkey=:person_id
Where :person_id is the identifier of the Person object. All the modifications performed by the user account associated with the contact also keep track of the name (i.e. friendlyname) of the contact who made the changes.
SELECT CMDBChange WHERE userinfo=:person_name
Where :person_name is the complete name (i.e. friendlyname) of the Person, for example “Claude Monet”.
Personal data in the case logs
Each Case Log
field in iTop stores information
about the person who created each entry in the case log (in the
current version of iTop it is not possible to modify a case log
entry). The information recorded in the case log (for each entry)
contains:
-
The date and time of the modification
-
The full name (at the time of the modification) of the Person who made the modification
-
The identifier of the Person object who made the modification
For example, if the user associated with the Person “Claude Monet” (id=3) created two case log entries, the content of the case log will be stored in the database as follows:
========== 2018-05-09 11:38:45 : Claude Monet (3) ============ <p>This is the second entry of the case log</p> ========== 2018-05-09 11:38:27 : Claude Monet (3) ============ <p>This is the first entry of the case log</p>
Personal data in Email notifications
Whenever a notification is sent by iTop as an eMail, the
information is recorded in the EventNotificationEmail
object. This object records the email sent to the mail server. This
object contains the email addresses of the person it was addressed
(in TO, CC or BCC) and the content of the message sent. The
EmailNotification object also stores the date at which it was
emitted.
Data flows
One of the important topics when dealing with personal data is to document the flow of personal data within your organization. This document (and iTop itself) cannot document this flow for you since each use case is specific and depends on the processes and integrations put in place when operating iTop. However, iTop provides several features which can help you document and control this flow of information.
log of REST/JSON web services
You can audit the operations performed via the REST/JSON services by setting the configuration parameter ‘log_rest_service’ to true in the iTop configuration file. Once this parameter is set, every REST/JSON operation will create an EventRestService object in the iTop database. This object records:
-
The date/time of the operation
-
The user account used to perform the operation
-
The JSON input parameters
-
The output of the operation (code, message and – a trimmed version of the - JSON output)
Using all the information you can determine the flow of personal information via REST/JSON webservices (if any).
List of Synchronization Data Sources
You can easily list all Synchro Data Sources which import of update Persons by search searching for Synchronization Data Sources which “Target Class” is “Person”. This search can be performed through the “Admin tools / Synchronization Data Sources” or by running the following OQL query:
SELECT SynchroDataSource WHERE scope_class='Person'
Each data source keeps track of a complete log of its
operations, including the date/time it was run and the summary of
the operations executed for each run
(creations/updates/deletions).
Note that if a “User” is specified for a Synchronization Data
Source, then only the specified user account can execute this
synchronization.
Restriction of Bulk Exports (and Bulk Imports)
-
Only the user accounts having the capability “Bulk Read” on Persons can perform exports of a list of persons.
-
Similarly, only the user accounts with the capability “Bulk Modify” on Persons can perform a CSV import of Persons.
-
These capabilities can be viewed using the “Grant matrix” tab on the details of each user account.
Cleanup of personal data
To completely cleanup the data related to a person, one has to:
-
Delete the Person object corresponding to this person, this will also remove the history information about this Person.
-
Delete the case log entries created by this person
-
Delete the EmailNotification objects corresponding to emails sent to this person
But there are limitations to those actions:
-
Depending on the relations between the targeted Person object and other objects in the iTop Database, the deletion of the Person object may not be possible without specifying a replacement Person on some other objects in order to respect the database integrity constraints.
-
Deleting the case log entries is currently not implemented in iTop, and is non-trivial to achieve with SQL queries since the case log text must be kept consistent with another field called the case log index.
-
Updating the CMDBChange objects to replace the references to the contact name can be done in one single SQL query, since there is only one field ‘userinfo’ to anonymize in the table. Since this field is only displayed to the end-user and not user for any reference in iTop, there is no integrity constraint and any value can be put in the field.
-
Since one email notifications may be addressed to several persons (in TO, CC and BCC), deleting one such notification will affect other users than just the targeted person.
Due to the limitations mentioned above the “pseudonymization” approach seem more realistic to implement than a complete wipe of the personal data.
Pseudonymisation of personal data
-
Anonymize the Person object by replacing the values in all its mandatory fields by anonymous values (constant or random)
-
Empty all non-mandatory fields (like Location, Manager, Phone number, n:n relations)
-
Pseudonymisation of the case log entries, by removing all references to the person, without altering the length of the text, to preserve the consistency with the case log “index” field.
-
Deletion of the Person’s history (CMDBChange / CMDBChangeOp) to delete the “previous values” of the fields, which would help recover the values.
-
Anonymization of the CMDBChange “userinfo” fields containing the name of the Person.
-
Deletion of all EmailNotification objects past a (short) retention period (3 months ??)
Export of personal data
-
Person details can be exported using the standard export feature of iTop.
-
Case log entries can be exported by searching each class of object containing a Case Log (i.e. each class of tickets and searching for “Public Log” contains “Name of the contact”.
This can be achieved using the “Run Query” menu and an OQL like:
SELECT UserRequest WHERE (public_log LIKE :name OR private_log LIKE :name)
specifiying the value of the :name parameters as %contact_friendlyname%.
For example to export all the User requests with an entry by Claude Monet in a case log, the OQL query would be:
SELECT UserRequest WHERE (public_log LIKE '%Claude Monet%' OR private_log LIKE '%Claude Monet%')
Notification emails can be listed and exported using the OQL query:
SELECT EventNotificationEmail WHERE TO = 'email_address' OR cc LIKE '%email_address%' OR bcc LIKE '%email_address%'