Issue Type: Epic
Resolution: Done
Priority: Major
1.0, 1.1, 1.2
Summary: Handle PII logging in Application Logs
To Do
RHIDP-1087 - RHDH Security
QE Needed, Docs Needed, TE Needed, Customer Facing, PX Needed
0% To Do, 0% In Progress, 100% Done
Release Note Text: With this update, {product-short} does not include user IP addresses in the application logs.
Release Note Type: Bug Fix
Done
EPIC Goal
What are we trying to solve here?
Backstage is logging IP addresses in its application log. It remains to be seen whether these IPs belong to users or to devices. We need to run a spike investigation to determine the level of exposure and go from there.
Background/Feature Origin
June 11 Framework SIG discussion: maintainers mentioned that they were logging IP addresses and had not realized this would be a GDPR concern.
Why is this important?
Employee data is in scope under GDPR, and an IP address is generally treated as personal data in its own right, so the logged addresses do not need to be tied to a named person to count as PII. The employer would be considered the "controller" in this case, meaning it has defined how the data is processed.
This is a risk because, if operators are unaware that PII is leaking into application logs, which are then commonly forwarded to third-party log processing services (Splunk, Elasticsearch, etc.), they will not be handling the data according to their data-retention policies or honouring their data subjects' right to be forgotten. Copies that have already been shipped to such services are outside the application's control, so the retention problem has to be addressed there separately from the logging fix.
User Scenarios
Dependencies (internal and external)
Acceptance Criteria
If the investigation determines that PII is present, follow up with our PIA contact and issue a transparency statement while the fix is in progress.
If PII is present, redact it from the logs.
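The redaction step in the last acceptance criterion, as an added example that is not Backstage's or RHDH's own code: a TypeScript scrubber that removes IPv4 and IPv6 addresses (including IPv4-mapped forms such as ::ffff:10.0.0.1) from free-text log lines and from structured log records before they reach a sink such as Splunk or Elasticsearch. The placeholder string, the list of field names that are dropped by name, and the sample line and record are constructed for this example and are assumptions, not taken from the product.

```typescript
// Added example (not Backstage/RHDH code): scrub IP addresses from log text
// and from structured log records before they leave the process.
// REDACTED, IP_FIELD_NAMES and the SAMPLE_* inputs are assumptions made here.

const REDACTED = '[REDACTED_IP]';

// Field names whose value is replaced wholesale, regardless of content, because
// they are known to carry a client address (assumed names, extend as needed).
const IP_FIELD_NAMES = new Set(['ip', 'remoteaddress', 'clientip', 'x-forwarded-for', 'x-real-ip']);

// IPv4: four dotted octets in the range 0-255, delimited by word boundaries.
const IPV4 = /\b(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\b/g;

// IPv6 candidate: two to seven "hex:" groups followed by either an IPv4 tail
// (mapped addresses) or a final hex group. Group 1 captures the delimiter in
// front of the address so it can be put back; the lookahead stops matches that
// would otherwise swallow the first characters of a following word.
const IPV6_CANDIDATE =
  /(^|[^\w:])((?:[0-9a-f]{0,4}:){2,7}(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]{0,4}))(?![\w:])/gi;

// Reject colon-separated hex that is not an address, e.g. a timestamp 12:30:45:
// a real IPv6 address has exactly seven colons, or exactly one "::" run.
function isPlausibleIpv6(candidate: string): boolean {
  const doubleColonRuns = candidate.split('::').length - 1;
  const colons = candidate.split(':').length - 1;
  if (doubleColonRuns === 1) return colons <= 7;
  return doubleColonRuns === 0 && colons === 7;
}

// Scrub a free-text line. IPv6 runs first so that a mapped address is replaced
// as one unit instead of leaving a "::ffff:" stub next to a redacted IPv4.
export function redactIpAddresses(text: string): string {
  const v6Scrubbed = text.replace(IPV6_CANDIDATE, (match: string, prefix: string, addr: string) =>
    isPlausibleIpv6(addr) ? `${prefix}${REDACTED}` : match,
  );
  return v6Scrubbed.replace(IPV4, REDACTED);
}

// Scrub a structured record: every string is pattern-scrubbed, and any field
// whose name is in IP_FIELD_NAMES is replaced by name. Returns a new value and
// leaves the input untouched, so the caller can still use the original in-process.
export function redactDeep<T>(value: T): T {
  if (typeof value === 'string') return redactIpAddresses(value) as unknown as T;
  if (Array.isArray(value)) return value.map(redactDeep) as unknown as T;
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = IP_FIELD_NAMES.has(k.toLowerCase()) ? REDACTED : redactDeep(v);
    }
    return out as unknown as T;
  }
  return value;
}

// Constructed sample inputs, shaped like a request log line and a structured
// record a backend might emit; they are illustrative, not captured output.
export const SAMPLE_LINE =
  'GET /api/catalog 200 from 203.0.113.42 and 2001:db8::8a2e:370:7334 at 12:30:45';

export const SAMPLE_RECORD = {
  level: 'info',
  message: 'catalog refresh requested by 198.51.100.7',
  req: { ip: '198.51.100.7', headers: { 'x-forwarded-for': '203.0.113.9, 198.51.100.7' } },
  tags: ['peer=2001:db8::1'],
};

// Stand-alone demonstration: the scrubbed forms are what should reach the sink.
console.log(redactIpAddresses(SAMPLE_LINE));
console.log(JSON.stringify(redactDeep(SAMPLE_RECORD)));
```

Two design points are worth keeping in mind when adapting this. Dropping fields by name (req.ip, X-Forwarded-For) is more reliable than pattern matching, because addresses can appear with ports, brackets or zone identifiers that a regex misses; the regex pass is a safety net for addresses interpolated into free-text messages, not the primary control, and the cleanest fix is still not to log the address in the first place. The pattern pass also over-matches on purpose: a version string such as "version 1.2.3.4" will be redacted, which is the safer failure mode for a privacy control. Finally, scrubbing at the producer does nothing for log copies that were already forwarded to Splunk or Elasticsearch; those need their own retention and deletion handling.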