Overview of data destruction
Data destruction terminology
Data destruction is the process of requesting that data be destroyed, making the data impossible to retrieve. Data destruction is typically initiated with a request that specifies a contact or user whose data is to be destroyed. In the base configuration, ContactManager provides a web service that is intended to be called by an external application. You use the external application to manage the destruction of the data across Guidewire applications.
Data destruction can be implemented as either purging or obfuscation of data, depending on the data to be destroyed.
Purging is a form of data destruction that completely removes contact data from ContactManager. There can be multiple objects associated with the contact that are also removed as they are detected by traversing the entity domain graph.
Obfuscation is a form of data destruction that permanently overwrites fields, such as user contact fields, with replacement values. Some actual removal of data can also be involved, such as deletion of an address referenced only by one user.
Obfuscation might be required if destroying the data affects contacts that cannot be destroyed. For example, purging user data for a former employee could affect hundreds or even thousands of contacts. Therefore it makes more sense to obfuscate the data for the user and leave the other data alone.
Encapsulation of business logic for retention and destruction
Regulations, codes of conduct, and other generally accepted business practices vary from jurisdiction to jurisdiction. Additionally, business policies and interpretation of conflicting legal requirements vary from insurer to insurer. Therefore no single approach meets the needs of all insurers. To accommodate varying needs, ContactManager provides a configurable solution that captures business logic for retention and destruction in one place.
There is a configurable plugin that has access to the business objects to be removed through the ABContact root object. The examination of objects to be removed starts with the root object and traverses a graph of objects, enabling detailed examination of the business objects. You can mark requests requiring user review—manual intervention—for those data destruction requests that require special handling, prior to the destruction actually occurring.
Notification of data protection officer on errors or conflicts
Requirements for destruction and for retention can conflict with each other. While the plugin class might be able to resolve conflicts in a generic way, situations can arise when the two sets of requirements are not reconcilable. Additionally, the data destruction process can encounter errors. In these situations, notification is done through a configurable plugin.
The default behavior of this plugin is that a message is logged that describes the situation.
After the situation has been resolved, the destruction request can be queued again for reprocessing.
Wide-swath data destruction
In many situations, there is a need to destroy the personal data related to a specific business object, a contact. Specifically, the ABContact entity and its subentities can require this kind of destruction.
This object can affect many individual data objects. A single call allows the entirety of related data to be removed. In the case where these business objects are nested, a best-effort destruction is performed.
ContactManager components provide the ability to purge rows from the database for business objects such as ABContact and related data. This approach is suitable for high-volume data destruction.
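The plugin traversal from the ABContact root, the marking of requests for manual review, and the best-effort purge of nested objects described above, modelled as a standalone Python example added here (this is not ContactManager's Gosu plugin API); the Entity class, the retention_hold flag and the child entity names are constructed assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    """Constructed stand-in for an ABContact and the objects reachable from it."""
    kind: str
    id: str
    children: list = field(default_factory=list)
    retention_hold: bool = False  # set when a retention rule forbids purging this object

def plan_destruction(root):
    """Best-effort purge planning starting at the root object (the ABContact).

    Every reachable object is examined (no short-circuit), so one request
    surfaces all conflicts at once.  An object is purgeable only when neither
    it nor anything below it is under a retention hold, which keeps the
    database consistent: no row is removed while a dependent row must stay.
    Returns (status, purged, held); 'NeedsReview' means manual intervention.
    """
    purged, held = [], []
    decided = {}  # (kind, id) -> purgeable?; memoises shared objects

    def visit(obj):
        key = (obj.kind, obj.id)
        if key in decided:
            return decided[key]
        decided[key] = False  # provisional; also stops infinite recursion on a cycle
        child_results = [visit(c) for c in obj.children]  # a list, not all(): visit every child
        ok = all(child_results) and not obj.retention_hold
        decided[key] = ok
        (purged if ok else held).append(f"{obj.kind}:{obj.id}")
        return ok

    visit(root)
    return ("Completed" if not held else "NeedsReview"), purged, held

if __name__ == "__main__":
    # Constructed sample: the address can go, but a note is under a retention hold.
    contact = Entity("ABContact", "C-1", [
        Entity("Address", "A-1"),
        Entity("Note", "N-1", retention_hold=True),
    ])
    print(plan_destruction(contact))
```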
Individual-entity data destruction
While wide-swath data destruction meets the needs of the insurer in most cases, there are special cases in which specific personal data cannot be deleted. For example, there might be database integrity concerns, or the data to be deleted, such as data for a previous employee, might be related to a large number of contacts.
In such cases, where individual instances of data cannot be deleted, ContactManager provides the ability to obfuscate data. Obfuscation can include wiping a field completely, replacing it with a neutral value, or replacing it with a unique, irreversible value. Additionally, some actual removal of data can also be involved, such as deletion of an address referenced only by one user.
The entities and fields to which obfuscation can be applied, as well as the method for determining the replacement value, are configurable.
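The three obfuscation methods listed above (wipe, neutral value, unique irreversible value) together with the removal of an address referenced by only one user, as an added Python model that is not ContactManager code; POLICY, NEUTRAL, User and Address are constructed stand-ins for the configurable entity and field mapping:

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed policy: which method obfuscates each User field.  In ContactManager
# this mapping is configuration; here it is a plain dict for illustration.
POLICY = {"phone": "wipe", "email": "neutral", "name": "unique"}
NEUTRAL = {"email": "removed@example.invalid"}

@dataclass
class Address:
    id: str
    street: str

@dataclass
class User:
    id: str
    name: str
    email: str
    phone: str
    address_id: str

def unique_token(value):
    """Irreversible replacement: hash the value with a fresh random salt that is
    then discarded, so the output can neither be reversed nor correlated."""
    salt = secrets.token_bytes(16)
    return "obf-" + hashlib.sha256(salt + value.encode()).hexdigest()[:16]

def obfuscate_user(user, users, addresses):
    """Apply POLICY to `user` in place, then delete its address only when no
    other user references it.  Returns the actions taken, for status reporting."""
    actions = []
    for fld, method in POLICY.items():
        if method == "wipe":
            setattr(user, fld, None)
        elif method == "neutral":
            setattr(user, fld, NEUTRAL[fld])
        elif method == "unique":
            setattr(user, fld, unique_token(getattr(user, fld)))
        else:
            raise ValueError(f"unknown obfuscation method {method!r} for {fld}")
        actions.append(f"{fld}:{method}")
    other_refs = [u.id for u in users if u is not user and u.address_id == user.address_id]
    if user.address_id in addresses and not other_refs:
        del addresses[user.address_id]  # referenced only by this user: remove it
        actions.append("address:deleted")
    else:
        actions.append("address:kept")  # shared with other users: leave it alone
    user.address_id = None  # the user's own link to the address is still severed
    return actions
```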
Integration with Guidewire core applications
ContactManager coordinates with Guidewire core applications on any request to destroy an ABContact object or a subobject of ABContact. This coordination is the same as with any contact removal. ContactManager cannot purge an ABContact until it receives permission from any core applications that are installed.
However, User objects are local to ContactManager, so obfuscation of a user can proceed without consulting core applications.
Integration with other systems
ContactManager needs to be able to respond to data destruction requests from external systems, as well as have the ability to notify data consumers of data destruction.
ContactManager provides a web service that:
- Takes a reference to an individual contact.
- Takes application-specific action to destroy the data related to that contact.
- Reports back to the caller on the level of success of the request. Callers can query the status of a given request.
Notification of downstream systems
ContactManager provides a messaging system that helps ensure the destruction of personal data propagates to systems connected to its components. Additionally, you might need to notify outside organizations that process data on your behalf. The messaging system supports broadcasting personal data destruction response messages.
These messages are delivered by using the existing ContactManager guaranteed-delivery messaging system.
