JIRA: Right to rectification
Under Article 16 of the GDPR, you have the right to have inaccurate personal data rectified. The GDPR requires that you take reasonable steps to rectify the individual's personal data where requested. An example of such a request may be an individual requesting their display name be updated to reflect a name change. Whether or not modifying personal data stored within the product is within the scope of reasonable steps required to honor the individual's request will vary on a case-by-case basis, and is determination you should always make with the assistance of legal counsel. Once you have determined you have an obligation to rectify personal data, we have provided the following instructions on how to do so within certain Atlassian products.
Personal data stored within the product can be divided into one of two areas: 1) account-level personal data; and 2) free-form text. Account-level personal data are data fields that exist within the product for the sole purpose of identifying an individual throughout the product. Examples of account-level personal data include the user's display name, profile picture or avatar and email address. These data elements are generally visible from the user's profile and are used throughout the product to point back to the user's profile when the user is @mentioned or tagged on in certain spaces or content. Changing account-level personal data elements will automatically populate that change throughout the product where the relevant account-level data elements appear.
If you have included personal data in free-form text, either typed into content spaces or as a custom field label, you will need to use the product's global search feature to surface this personal data and recitfy it on a case-by-case basis.
Every user has the right to view and edit their personal data and JIRA provides the appropriate user interface to do that. However, depending on how your company incorporates your user details, that experience might differ.
JIRA Core and JIRA Software 7.0 and later, and JIRA Service Desk 3.0 and later.
Personal data in "structured" data
User profile data in an Internal Directory
Where JIRA users are managed and stored within an Internal Directory, each individual can view and edit their own personal data.
- Please read Managing your user profile for information on how to do this.
User profiles can also be edited by JIRA administrators.
- Please read Create, edit, or remove a user for information on how to do this.
User profile data in an External Directory
JIRA can be integrated with an external directory (LDAP/Crowd/Active directory) and users and their profile data can be fetched from there. If that integration is in read-only mode, JIRA users can only view their personal data from their user profile page. To modify this information, a user will need to reach out to their administrator.
- Please read Synchronizing data from external directories for more information.
If the external directory integration is in read/write mode, then JIRA users are able to view and edit this information from their user profile page. Those changes will be propagated to the external directory.
- Usernames can only be changed by administrators
- User_key is used internally by JIRA and is not visible nor modifiable in the UI.
If a change to the user_key is essential, an administrator can manually update this in the database. Please see the "Modifying user_key" section in JIRA Server: Right to erasure.
Personal data in free-text data
Personal data can appear in a structured, unstructured and incidental data in JIRA. Please see the JIRA: Right to erasure page for more information on how to modify this data.
There is personal data stored in places within JIRA that can't be modified independent of the context in which it appears.
Jira stores information in log files, which is useful in case of an error or a problem occurs at the application level.
Any personal data stored in the logs cannot be modified. You can read more about this in the following articles:
- Where are the application server logs?
- Jira application installation directory
- Logging and profiling
JIRA's audit log tracks modifications to user profiles. Audit log records are non-modifiable in the UI and can only be accessed by an administrator.
- To learn more, please read Auditing in JIRA applications.
Issue history change
JIRA stores records of changes made to issues. If personal data is stored in an issue and modified, both the old and new values will display in the History tab. The issue history cannot be modified in the UI.
Administrators can create backups of all data stored in JIRA (including personal data), and this can be used to restore JIRA on another instance, with the same dataset. This data cannot be modified because significant effort would be needed to unpack the archive and update/remove all data in the exported XML files. How these backups and the data they contain is governed is up to each administrator and their respective organizations to decide.
- To learn more, please read Backing up data.
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.