The Problem

Jira is used to report and store data about projects, plans, bugs and incidents. This data is entered by human beings and can contain personally identifiable information (PII) or other types of sensitive (confidential, restricted) information. In many sectors, e.g. healthcare, finance and government, regulations and policies demand that access to sensitive data be restricted and that data loss be prevented. For that and other privacy reasons, it is not desirable to store sensitive data in widely accessible places like Jira issues.

Put simply, if somebody reports an issue and includes their credit card number or social security number in the issue description, that value is stored and visible to every employee who browses the issue. This is bad, and it would be nice to report or prevent it.

The Solution

PII Protector for Jira is a one-stop complete solution to the problem of proper PII management inside Atlassian Jira.

It is an easily installable Jira add-on that monitors Jira, tracks PII, notifies admins, and lets them either act on each detected PII item manually or set up automatic actions. PII Protector for Jira also maintains a complete audit trail of all access to hidden PII through Jira and of all modifications made to detected PII, whether made manually by admins or by the automatic actions.

This puts PII in your Jira completely under administrators' control.

Monitored Locations

At the moment PII is detected by default in issue summary, description and comments. Users can enable monitoring for other fields of their choice. We are planning to expand coverage in any case, but please let us know if there is a specific field you'd want us to support.

PII Types Supported

The following types of personally identifiable information are currently detected.

  • Credit card numbers
  • US social security numbers (SSN)
  • US phone numbers
  • International phone numbers
  • US, Canadian, British and Irish postal addresses
  • Email addresses
  • IP addresses
  • IBAN numbers
  • VAT numbers
  • National Provider Identifier (NPI)
  • Medical Record Number (MRN)
  • Vehicle identification number (VIN)
  • Swiss social security numbers
  • Canadian social insurance numbers (SIN)
  • French INSEE codes
  • British national insurance numbers (NINO)
  • Finnish personal identity codes (HETU)
  • Swedish personal identity numbers
  • Norwegian birth numbers
  • Czech birth numbers
  • Polish identification numbers (PESEL)
  • Danish personal identification numbers (CPR)
  • Spanish national identification number (DNI)
  • Netherlands identification number (BSN / Sofi)
  • Israeli ID number (Mispar Zehut)

Please feel absolutely free to reach out to us if you'd like us to add support for a new PII type. This is something we are very much willing to do.

PII Browsing And Management

All found PII is displayed on the PII Manager page, which can be accessed via Administration / System / Security / PII Manager. This is the UI for browsing, searching and filtering PII (note the Filter button at the top right). It is also the place where administrators can perform manual actions on individual PII items (using the small gear buttons on the right of each line).

Protector Configuration

Every organization is different when it comes to PII treatment. That's why PII Protector is highly configurable and is able to adjust to your specific needs.

Here are a few things you can do:

  • Select which PII types you care about (e.g. you may be OK with email addresses being globally visible but not credit card numbers)
  • Choose the detection threshold for each PII type (you can err on the side of caution, which is the default, or be more lenient)
  • Choose what to do with PII of each type automatically (just report, erase completely, or our favorite - hide and audit all read access)
  • Select whom to notify when new PII is discovered (please choose wisely)
  • Decide how exactly to substitute the sensitive data
  • Decide how up-to-date you want your PII scans to be (a trade-off between recency and load)
  • Choose for how long to keep records of PII after it got deleted from the source (retention period)
  • Choose for how long to keep audit logs of PII-specific manual and automatic changes
  • Choose how many results to show per page in reports
  • Configure monitoring scope
  • Configure PII access and management
  • Configure encryption
  • Tune resource consumption

We are always open to adding more flexibility, so any suggestions are welcome.

PII Access Log

PII Protector is not just about detection of PII. We want to make it super-easy for you to act upon newly discovered PII. As briefly mentioned above, one thing you can do with PII is hide it from everybody and only make it available upon explicit request. That way only people who really need to see the sensitive data will see it. Moreover, every access to PII will be audited and logged, and you will be able to see this log on the Administration / System / Security / PII Access Log page. This is an awesome way for you to have a perfect record of who exactly viewed the PII and when. Priceless for audit purposes.

Automatic Actions

Dealing with every newly introduced PII item may be tedious, especially if you have many Jira users. PII Protector tries to help you here too with a unique concept of automatic actions. In a nutshell, you are able to configure what to do with new PII the moment it is discovered. The default is mere reporting, but you can also erase it completely or hide it and audit access to it. Of course, every action is reversible from the management UI. To configure automatic actions, go to the add-on configuration, edit it, click the "Configure detection threshold and automatic actions..." link to go into advanced configuration mode, and set the automatic action for each PII type individually.
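
The report / erase / hide choice described above, sketched as an added example; this is not PII Protector's own code, and its real detection rules are not documented on this page. The regular expressions, the placeholder token format, the vault dictionary and all function names are assumptions made for illustration, and the sample text is constructed.

```python
import re

# Assumed candidate patterns (hypothetical; not the add-on's real detection rules).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample: a Luhn-valid test card, a Luhn-invalid order number, an SSN-shaped value.
SAMPLE = "Card 4111 1111 1111 1111, order 4111 1111 1111 1112, SSN 123-45-6789."

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(text):
    """Return (start, end, type, value) tuples in text order."""
    hits = []
    for m in CARD_RE.finditer(text):
        # The checksum filters out digit runs that merely look like card numbers.
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append((m.start(), m.end(), "credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append((m.start(), m.end(), "us_ssn", m.group()))
    return sorted(hits)

def apply_actions(text, actions, vault, action_log):
    """Apply the per-type action: 'report' (the default), 'erase' or 'hide'."""
    out, pos = [], 0
    for start, end, kind, value in find_pii(text):
        action = actions.get(kind, "report")
        action_log.append({"type": kind, "action": action, "offset": start})
        out.append(text[pos:start])
        if action == "hide":        # substitute a token, keep the value retrievable
            token = f"[{kind} hidden #{len(vault)}]"
            vault[token] = value
            out.append(token)
        elif action == "report":    # leave the text untouched, only log the finding
            out.append(value)
        pos = end                   # 'erase' appends nothing, dropping the value
    out.append(text[pos:])
    return "".join(out)

def reveal(token, user, vault, access_log):
    """Return a hidden value, recording who asked before it is disclosed."""
    access_log.append({"user": user, "token": token})
    return vault[token]
```

The action log records detections without the matched value, so the log itself does not become a second copy of the PII.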

PII Action Log

We know that PII is sensitive, and we know you'd want to have full information about who changed what and when. With PII Protector this gets easy. Every time the display state of a PII item is changed, either manually by one of the Jira administrators or automatically by the configured automatic action, a new record is added to the PII action log. At any time you can visit the Administration / System / Security / PII Action Log page to see the full history of these changes.

Compatibility with Jira

We support all Jira versions starting from 8.13.

If you use an older Jira version and still want to install PII Protector for Jira, please tell us, and we will figure something out.

Give It a Try Today

The best way to experience the benefits of PII Protector for Jira is to install it freely and give it a try today.