IBM Workload Scheduler 10.2.0, IBM Z Workload Scheduler 10.1.0, IBM Workload Scheduler distributed - Agent for z/OS 9.4 considerations for GDPR readiness

Last updated 2023-03-29

---

For PID(s): 5698-WSH

5698-WSH
5698-T08
5698-AAR

Notice:

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Workload Scheduler that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws
and regulations, including the European Union General Data Protection Regulation.
Clients are solely responsible for obtaining advice of competent legal counsel as to
the identification and interpretation of any relevant laws and regulations that may
affect the clients’ business and any actions the clients may need to take to comply
with such laws and regulations.

The products, services, and other capabilities
described herein are not suitable for all client situations and may have restricted
availability. IBM does not provide legal, accounting, or auditing advice or represent or
warrant that its services or products will ensure that clients are in compliance with
any law or regulation.

---

Table of Contents

1. GDPR
2. Product Configuration for GDPR
3. Data Life Cycle
4. Data Storage
5. Data Access
6. Data Processing
7. Data Deletion
8. Data Monitoring
9. Responding to Data Subject Rights

---

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:

• New and enhanced rights for individuals
• Widened definition of personal data
• New obligations for processors
• Potential for significant financial penalties for non-compliance
• Compulsory data breach notification

Read more about GDPR

• (EU GDPR Information Portal)[https://ec.europa.eu/info/law/law-topic/data-protection_en]
• (ibm.com/GDPR website)[http://ibm.com/GDPR]

---

Product Configuration - considerations for GDPR Readiness

Offering Configuration

Configuration to support Data Security

1. The product can be configured with custom certificates (the custom certificates are created and managed by the administrator).
2. SSL Comunication among processes is configured by default at installation time. Custom certificates can be provided. If custom certificates are not provided, default certificates will be used. Using custom certificates is strongly recommended.
   The following documentation paragraphs better explain the procedures:
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=cso-scenario-connection-between-dynamic-workload-console-workload-scheduler-components
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=overview-extending-communication-scenarios-other-server-components
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=cso-customizing-certificates-master-domain-manager-dynamic-agent-communication
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=network-using-ssl-netman-conman
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=crclc-configuring-ssl-connection-between-remote-command-line-client-master-domain-manager
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=pic-using-ssl-event-driven-workload-automation-edwa-behind-firewalls

---

Data Life Cycle

1. Workload Definitions contain “description” free text field that can be filled in by the user.
2. The product can be configured to enable Auditing Justification feature.
   In this case, some free text fields are enabled and the users can insert informations like justification for change and ticket number.
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=guide-keeping-track-changes
3. The offering works with the following downstream products:
   - IBM WebSphere Application Server Liberty Base
   - IBM DB2 v11.5 Standard Edition
4. The offering involves “HCL Technologies” IP Partner and non-IBM entity.

Authentication data for physical users (user’s names and Windows passwords) are collected with the purpose:

1. To authenticate users when using Command lines, Web Interfaces and APIs:
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=authentication-where-configure#whereconfldap
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=authentication-entering-passwords
2. To authenticate users when running jobs:
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=guide-changing-user-password-in-plan
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=agents-specifying-local-variables-passwords-in-job-definitions
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=objects-user-definition

Personal data used for online contact with IBM

IBM Workload Scheduler clients can submit online comments/feedback/requests to contact IBM about IBM Workload Scheduler subjects in a variety of ways, primarily:

• Public comments area on pages in the IBM Workload Scheduler community on IBM developerWorks
• Public comments area on pages of IBM Workload Scheduler documentation in IBM Knowledge Center
• Public comments in the IBM Workload Scheduler space of dWAnswers
• Feedback forms in the IBM Workload Scheduler community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the [IBM Online Privacy Statement] (https://www.ibm.com/privacy/us/en/).

---

Data Storage

• On dynamic agents, job logs are automatically archived in zip files.
• For job log location, user can refer to:
  https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=system-log-files-archived-files
• The product does not have automatic backup creation.

---

Data Access

• The Administrator can access personal data to grant or revoke access to specific users.
• The Administrator can access product logs and job logs.

---

Data Processing

Encryption at rest:

1. A symmetric key to encrypt data is automatically generated when installing the product. A custom generated AES-256 key can also be used.
2. Encryption at rest is performed. The database can also be encrypted for additional security.

Encryption in motion:

1. Customers can specify their personal keys during the deployment. For further information, see the Readme file for IBM Workload Scheduler Version 9.5 Fix Pack 4

---

Data Deletion

• All the jobs containing personal info related to the customer can be deleted.
• If local variables containing user’s credentials have been created, they can be deleted (https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=agents-specifying-local-variables-passwords-in-job-definitions).

---

Data Monitoring

1. Core dumps can contain customer data
2. Passwords are encrypted and never logged.
3. Data and activities monitoring can be performed enabling auditing features:
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=maintenance-maintaining-audit-trails
4. Logs can be enabled and managed using specific tools:
   https://www.ibm.com/docs/workload-scheduler/10.2.0?topic=troubleshooting-logs-traces

---

Responding to Data Subject Rights

• The product does not support the return of end-user data because data are only used internally by the product.
• The personal data are used for authentication purposes.
• Customer provided data in object definitions can be viewed and modified by the customer at any time.