
Provide guidance for data retention #2

Closed
StefanKelm opened this issue Dec 18, 2017 · 2 comments

Comments

@StefanKelm

Irrespective of collecting, storing, and sharing data using MISP there is one more GDPR related question which is of particular interest to CSIRTs: how long may (personal) data be stored? The current version of the documents states:

However, in the light of the purpose limitation principle, CSIRTs do not have a lawful basis for [...] retaining data for longer than is necessary for the purposes for which the personal data are processed.

This is especially relevant wrt MISP since events/attributes usually aren't deleted at all, or are they? Is this in line with the GDPR?

Please provide some guidance on this matter.

@adulau (Member) commented Dec 18, 2017

Good point, we will update it. We even have some privacy-by-default in MISP regarding the soft-delete.

When you delete an attribute in MISP, it's first a soft-delete (a flag set on the attribute) then a hard-delete when the soft-deleted attribute is finally deleted.

In the MISP instance configuration, there is also an option to sanitise the value of the soft-deleted attribute.

The option is called Security.sanitise_attribute_on_delete.

This allows a two-step validation before the final hard delete, and the sanitise option ensures that the value is sanitised, to keep a trace of the deleted data without keeping the value of the data itself.

We will add a second document/table with all the functionalities in MISP which could help to support GDPR and especially the "privacy-by-default" functionalities.

Regarding the retention period, a series of exceptions allows keeping personal data to fit the purpose, such as criminal cases or use by law enforcement. So the retention period might be very different depending on the use case of a sharing community.

If you have any other feedback, let us know. Thank you very much for your contribution.
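The two-step deletion described in the comment above (soft-delete flag, optional sanitisation of the value, later hard delete) and the community-specific retention period, modelled as an added example. This is constructed illustration code, not MISP's own implementation: only the setting name Security.sanitise_attribute_on_delete comes from the thread; the attribute fields, the placeholder text and the retention sweep are assumptions made for the example.

```python
"""Constructed model of the two-step attribute deletion described in the thread.

This is an added example, not MISP's own code. It models: soft delete sets a
flag on the attribute; the instance setting Security.sanitise_attribute_on_delete
(the real setting name from the thread) decides whether the value is blanked at
that point; hard delete removes the record. The retention sweep is an assumed
add-on showing how a community-specific retention period could drive the final
hard delete.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Placeholder written over a sanitised value; constructed for this example.
SANITISED_PLACEHOLDER = "[sanitised]"


@dataclass
class Attribute:
    """Minimal stand-in for a MISP attribute (fields chosen for illustration)."""
    id: int
    type: str
    category: str
    value: str
    deleted: bool = False
    deleted_at: Optional[datetime] = None


@dataclass
class AttributeStore:
    """In-memory store; the flag name mirrors Security.sanitise_attribute_on_delete."""
    sanitise_attribute_on_delete: bool = True
    attributes: Dict[int, Attribute] = field(default_factory=dict)

    def add(self, attr: Attribute) -> None:
        self.attributes[attr.id] = attr

    def soft_delete(self, attr_id: int, now: Optional[datetime] = None) -> Attribute:
        """Step 1: flag the attribute; optionally overwrite its value."""
        attr = self.attributes[attr_id]
        attr.deleted = True
        attr.deleted_at = now or datetime.now(timezone.utc)
        if self.sanitise_attribute_on_delete:
            # Type, category and timestamp survive; the personal data itself does not.
            attr.value = SANITISED_PLACEHOLDER
        return attr

    def hard_delete(self, attr_id: int) -> None:
        """Step 2: remove the record; refuses attributes that were never soft-deleted."""
        attr = self.attributes[attr_id]
        if not attr.deleted:
            raise ValueError(f"attribute {attr_id} must be soft-deleted first")
        del self.attributes[attr_id]

    def purge_expired(self, retention: timedelta, now: Optional[datetime] = None) -> List[int]:
        """Assumed retention sweep: hard-delete soft-deleted records older than `retention`."""
        now = now or datetime.now(timezone.utc)
        expired = [a.id for a in self.attributes.values()
                   if a.deleted and a.deleted_at is not None and now - a.deleted_at >= retention]
        for attr_id in expired:
            self.hard_delete(attr_id)
        return expired


def demo(sanitise: bool) -> dict:
    """Walk one constructed attribute through both steps and report what survives."""
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    store = AttributeStore(sanitise_attribute_on_delete=sanitise)
    # Constructed sample data: an e-mail address is personal data under the GDPR.
    store.add(Attribute(id=1, type="email-src", category="Payload delivery",
                        value="alice@example.org"))
    store.add(Attribute(id=2, type="ip-dst", category="Network activity",
                        value="192.0.2.10"))
    after_soft = store.soft_delete(1, now=t0)
    trace = {"type": after_soft.type, "category": after_soft.category,
             "value": after_soft.value, "deleted": after_soft.deleted}
    # 30-day retention is an assumed community policy, not a MISP default.
    purged = store.purge_expired(timedelta(days=30), now=t0 + timedelta(days=31))
    return {"trace_after_soft_delete": trace, "purged_ids": purged,
            "remaining_ids": sorted(store.attributes)}


if __name__ == "__main__":
    print(demo(sanitise=True))
    print(demo(sanitise=False))
```

Running demo(True) shows the soft-deleted record keeping its type and category but not the e-mail address, which is the trace-without-value property the comment describes; demo(False) shows that without the sanitise setting the personal value stays readable until the hard delete, so the retention sweep becomes the only thing bounding how long it is kept.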

circlsupportuser added a commit to circlsupportuser/misp-compliance that referenced this issue Jan 6, 2018
adulau added a commit that referenced this issue Jan 7, 2018
Additional thoughts related to issues #2 and #4
@adulau (Member) commented Jan 15, 2018

We updated the document with a section about data retention. I'll close the issue. If you feel something needs to be added, feel free to reopen this issue.
