Every company wants to protect the data of employees and customers, but oftentimes they find themselves in front of hurdles, legal no-man’s land and supposedly complex tasks to become GDPR-compliant. Many organizations do not even know what data protection should look like for them and if data breaches already exist. This is especially the case, when modern tools like Jira and Confluence are being used by thousands of users with millions of data records.

Different countries decided on extensive rules for data protection. In Europe, it’s known under GDPR, in Germany under DSGVO, in the U.S. it’s called CCPA, in Brazil LGPD, to only mention a few. Explicitly for healthcare, the U.S. has passed a law called HIPAA. Companies working in healthcare, therefore, should check of their Jira and Confluence instance is HIPAA-compliant.

HIPAA (Health Insurance Portability and Accountability) was passed in 1996. It regulates the protection of patient data, also called PHI (Protected Health Information). They are comparable to PII (Personally identifiable information), but are related to health claims. They are the most sensitive data out there.

PHIs are:

• Credit card numbers

• Social security card numbers

• Health insurance numbers

• Bank account details

• Fingerprints, voice recordings and retinal prints

• Medical record numbers

• And many more

PHIs are related to past, current or future medical information, treatments or payments in healthcare.

Atlassian’s tools Jira and Confluence are being used by companies worldwide with many use cases. Some use it for internal purposes only, to plan projects, process campaigns and create content, other use it for customer requests, bookings etc.

While being used internally as well as externally, personal data is being stored at all times. Either from employees or customers.

A practical example in healthcare:

A customer has a request concerning his health insurance. He sends in an e-mail. In this e-mail he mentions his birthday, his insurance number and attaches a medical record by a doctor. This e-mail is used inside the insurance, to create a Jira ticket, which customer service is taking care of. The employee is able to access the database with all medical records and payments from this customer.

As you can see, a simple e-mail in healthcare can contain sensitive data from a patient. Breaches could lead to immense damage. This is why acts like HIPAA were passed.

Quick answer: no, Jira and Confluence never could be data privacy compliant, not for HIPAA or any other law. Atlassian is no subject to the HIPAA data protection act (Atlassian is not defined as a “covered entity”). But even if: You’re individual, company-wide Jira could be full of data breaches, for which only you’re responsible for. Every company also has its own data privacy rules, which are linked to lawful data privacy acts of the respective country. Tools like Jira and Confluence could never cover all of them. This is where data protection officers or administrators are being requested, who take care of ensuring data privacy for their instances.

To make sure that extensive tools like Jira and Confluence are data privacy compliant, you need experts in this field (DPOs or administrators). And even they should take advantage of data privacy tools, which make looking for and anonymizing personal data easier. This is where Actonic’s apps Data Protection and Security Toolkit for Jira and Confluenc come in handy.

Our apps support your DPOs and administrators in defining and finding PHI and anonymizing it. They could do so by using one of the many built-in templates and defining individual rules.

To avoid PHI being inserted again, you can set up alerts as well, which will notify you once PHI is being created in Jira tickets or on Confluence pages (currently available in Cloud, coming soon for Server / Data Center). This saves you the hassle of looking manually for sensitive data and makes the anonymization process much quicker.

This is part of our Actonic full-service package for data privacy to help you to avoid fines:

• Analysis of your data privacy infrastructure by an expert

• Set up of a roadmap and implementation of new processes for closing data protection gaps

• Demo of our app Data Protection and Security Toolkit for Jira and Confluence

• Support for your running Jira and Confluence instance

• Training of your users

• Audit with a DPO

Is your Jira GDPR compliant? Download our free checklist now and find out your status quo!