Is there any personal information held in Directory Manager?
As an Identity Management platform, Directory Manager is naturally dependent on Personally Identifiable Information (PII). It is therefore essential to consider all reasonable steps to mitigate any risks, while still providing a valuable service.
Here are some commonly asked questions about PII data held in Directory Manager:
Why is PII data held in Directory Manager? – Without PII data, it would be problematic to accurately match records from different data sources as there would be no way to uniquely identify a person.
Where is the data stored? – Directory Manager operates entirely within the customer infrastructure. It is not recommended to expose the portal externally without a secure VPN. BDS does not capture or hold any customer data.
Is PII data encrypted? – PII data at rest can be securely encrypted within the underlying database infrastructure, protecting against unauthorized access. The solution fully supports SSL encryption for the web portal, safeguarding data in transit as it moves to and from the portal. Directory Manager accesses the entire decrypted dataset within the processing environment for effective and efficient matching and processing operations. This approach balances security measures with the operational needs of real-time data handling and processing.
What PII data is held in Directory Manager? – There are 2 types of PII data that Directory Manager holds:
- Critical data – This is anything that can be used for the purposes of matching 2 records together, such as first name, last name, NI Number, Date of Birth, Smartcard Number, NHS Unique ID, and Email Address.
- Non-critical data – This is usually things like the user’s address, telephone number and personal email address, but could include other custom data.
Is any PII data removed from Directory Manager? – Yes, by default all non-critical PII data is removed as it is not required for matching purposes.
How often is PII data scanned for removal? – Directory Manager scans for non-critical PII data that can be removed on a daily basis at midnight.
Can non-critical PII data be kept instead of being removed? – Yes, there are 2 options here:
- Never delete non-critical PII data.
- Delete non-critical PII data only once a new AD account has been created. This is useful because it allows an email to be sent to the user’s personal email address when their account is created. If this data is deleted daily by default, and any pending transactions are not approved until after that time, then the email could not be sent. This assumes you have Directory Manager set up to send notifications to the user’s personal email address.
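The three retention options above, modelled as a small scrub routine. This is an added illustration, not Directory Manager's own code: the field names, the `RetentionMode` values, the `Person` record and the sample data are all constructed, and the scan is run by hand rather than scheduled at midnight. The scenario it walks through is the one the second option exists for: a joiner whose AD account request is still pending when the nightly scan runs and is only approved the next day.

```python
from dataclasses import dataclass, field
from enum import Enum

# Field classification taken from the FAQ: critical fields are needed for matching
# and are never scrubbed; everything else is non-critical and removable.
CRITICAL_FIELDS = {
    "first_name", "last_name", "ni_number", "date_of_birth",
    "smartcard_number", "nhs_unique_id", "email",
}


class RetentionMode(Enum):
    DELETE_DAILY = "delete_daily"                       # default behaviour
    NEVER_DELETE = "never_delete"                       # option 1
    DELETE_AFTER_AD_CREATE = "delete_after_ad_create"   # option 2


@dataclass
class Person:
    record_id: str
    fields: dict = field(default_factory=dict)
    ad_account_created: bool = False


def non_critical_fields(fields: dict) -> dict:
    """Subset of a record that the scrub is allowed to remove."""
    return {k: v for k, v in fields.items() if k not in CRITICAL_FIELDS}


def should_scrub(person: Person, mode: RetentionMode) -> bool:
    """Decide whether this scan removes the person's non-critical data."""
    if mode is RetentionMode.NEVER_DELETE:
        return False
    if mode is RetentionMode.DELETE_AFTER_AD_CREATE:
        return person.ad_account_created
    return True  # DELETE_DAILY: every scan


def run_scan(people: list, mode: RetentionMode) -> list:
    """One nightly scrub pass; returns the ids whose non-critical data was removed."""
    scrubbed = []
    for p in people:
        if should_scrub(p, mode):
            for key in list(non_critical_fields(p.fields)):
                del p.fields[key]
            scrubbed.append(p.record_id)
    return scrubbed


def can_notify_personal_email(person: Person) -> bool:
    """The welcome email can only go out if the personal address still exists."""
    return bool(person.fields.get("personal_email"))


def pending_transaction_scenario(mode: RetentionMode):
    """Constructed scenario: account request pending at scan 1, approved before scan 2.
    Returns (could the welcome email be sent?, non-critical fields left after scan 2)."""
    p = Person("rec-001", {
        "first_name": "Ada", "last_name": "Example",
        "ni_number": "XX000000X",                     # constructed placeholder
        "personal_email": "ada@example.invalid",      # constructed placeholder
        "telephone": "01234 000000",
    })
    run_scan([p], mode)                    # night 1: request still pending
    p.ad_account_created = True            # day 2: transaction approved, account created
    email_sent = can_notify_personal_email(p)
    run_scan([p], mode)                    # night 2
    return email_sent, sorted(non_critical_fields(p.fields))


if __name__ == "__main__":
    for mode in RetentionMode:
        print(mode.value, pending_transaction_scenario(mode))
```

With the default mode the personal address is gone before the account exists, so the notification cannot be sent; with the delete-after-creation mode it survives exactly as long as it is needed and is scrubbed on the next pass.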
What would happen if critical PII data was not imported? – This would make matching more difficult, but not impossible. Without critical PII data, the only information you would have to link existing AD and ESR records (or other sources) would likely be the user’s name, department and job title. This would only be enough if you can guarantee that no user with the same name exists in the same department or has the same job title, which in most instances is unlikely. There are options to remove certain data such as the NI Number and DoB but leave the email address to help with matching. We do not recommend this approach, as it could significantly increase the workload of those managing Directory Manager on a daily basis: the automated matching process would not have the critical data it needs to guarantee a match, leading to more manual matching reviews.
If you wish to discuss what personal data Directory Manager holds, the options available and its implications for your trust, please contact the BDS Service Desk.
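The matching trade-off described above, shown as an added example rather than Directory Manager's actual matching logic. The records, field names and the `classify_match` outcome labels are constructed; the point it demonstrates is that name, department and job title can agree on more than one target record, while a single critical identifier such as NI Number or email address resolves to exactly one.

```python
def normalise(value):
    """Case- and whitespace-insensitive comparison for free-text fields (assumed)."""
    return value.strip().casefold() if isinstance(value, str) else value


def match_candidates(source: dict, targets: list, keys: tuple) -> list:
    """Targets whose values agree with the source on every key in `keys`.
    A key missing from either side never counts as a match."""
    return [
        t for t in targets
        if all(k in source and k in t and normalise(source[k]) == normalise(t[k]) for k in keys)
    ]


def classify_match(source: dict, targets: list, keys: tuple) -> str:
    """One candidate -> automatic match; none -> no match; several -> manual review."""
    found = match_candidates(source, targets, keys)
    if len(found) == 1:
        return "auto"
    return "no_match" if not found else "manual_review"


# Constructed AD records: two people with the same name, department and job title.
AD_RECORDS = [
    {"sam": "jsmith1", "first_name": "Jo", "last_name": "Smith", "department": "Radiology",
     "job_title": "Radiographer", "email": "jo.smith1@example.invalid", "ni_number": "XX111111X"},
    {"sam": "jsmith2", "first_name": "Jo", "last_name": "Smith", "department": "Radiology",
     "job_title": "Radiographer", "email": "jo.smith2@example.invalid", "ni_number": "XX222222X"},
]

# Constructed ESR record for the second Jo Smith.
ESR_RECORD = {"first_name": "JO", "last_name": "smith", "department": "Radiology",
              "job_title": "Radiographer", "email": "Jo.Smith2@example.invalid",
              "ni_number": "XX222222X"}

WEAK_KEYS = ("first_name", "last_name", "department", "job_title")
NI_ONLY = ("ni_number",)
EMAIL_ONLY = ("email",)


def compare_strategies(source=ESR_RECORD, targets=AD_RECORDS) -> dict:
    """Outcome of each key set; also what happens when the retained key is absent."""
    stripped = {k: v for k, v in source.items() if k not in ("ni_number", "email")}
    return {
        "name_dept_title": classify_match(source, targets, WEAK_KEYS),
        "ni_number": classify_match(source, targets, NI_ONLY),
        "email_only": classify_match(source, targets, EMAIL_ONLY),
        "email_only_but_missing": classify_match(stripped, targets, EMAIL_ONLY),
    }


if __name__ == "__main__":
    for strategy, outcome in compare_strategies().items():
        print(f"{strategy:24s} -> {outcome}")
```

The last entry is the failure mode of the "keep only the email" compromise: the moment a source record lacks the one retained identifier, the match falls back to nothing and lands in the manual review queue.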