Oracle® Fusion Applications Security Guide 11g Release 6 (11.1.6) Part Number E16689-06
Personally Identifiable Information: How It Is Processed
Privacy Safeguards: Points To Consider
Privacy Breach Prevention and Recovery: Points To Consider
Private data is data about individuals that should not be available to other individuals and organizations without specific business justification, even if it is in the possession of another party.
Individuals must be able to exercise a substantial degree of control over their private data and its use. Private and personal data includes the following.
Personal information, such as date of birth, national identifier (SSN, NI number, and so on), marital status, gender, and passport, visa, or license numbers
Contact details, such as home address, home phone number, and cell phone number
Information about a person's contacts, such as family members and beneficiaries
Lifestyle information or affiliations, such as ethnic origin, race, religion, sexual orientation, political allegiances, or drug testing data
Medical information
Compensation details, such as salary, bonus, or stock
An enterprise protects private and sensitive data against theft and misuse for the following reasons.
Legal regulation
Financial liability
Customer expectation
Brand risk
One aspect of privacy is personally identifiable information (PII).
Oracle Fusion Applications security protects the following levels of data classification for addressing data privacy and protection requirements. The following table shows what protections are in place for which PII classifications.
| PII Classification | Protected in Oracle Fusion Applications |
|---|---|
| Public | No |
| Public within the enterprise | User interface |
| Confidential | User interface and database |
Unless otherwise stated, PII data in this discussion is confidential.
Public data is typically not sensitive, and its exposure generally carries minimal risk except in some contexts. For example, you may want to protect e-mail addresses from exposure to spammers, or the names and titles of employees from access by external recruiters.
Internally public or confidential information is controlled so that it remains within an entity, such as a corporation, and is protected from access from outside that entity.
Confidential data protects information within an entity such as a corporation. Exposure of such information outside the custodial entity is reasonably expected to result in harm, such as loss of business, benefit to a competitor, legal liability, or damaged reputation. Certain roles may require access to some confidential PII data for valid business reasons. For example, a person's human resources representative probably has access to their home address, while a dispatcher may have access to the home phone numbers of on-call staff. However, this in no way alters the need for extra measures to protect sensitive PII data.
Oracle Fusion Applications uses Virtual Private Database (VPD) to protect PII attributes in the database from unauthorized access by privileged users such as database administrators (DBA). Data that is public or public within the enterprise, such as person name and work phone number, does not need the additional VPD protection.
Some privacy attributes are not PII but are sensitive. Oracle Fusion Applications uses Oracle Database Vault to protect all sensitive data from unauthorized access by privileged users such as DBAs, including VPD protections that some DBAs may otherwise be powerful enough to override.
The following attributes are considered PII.
| PII Attribute | Public: no additional security | Public within the enterprise: secure in the user interface | Confidential: secure in the user interface and database |
|---|---|---|---|
| Account Name | | Yes | |
| Article Number | | | Yes |
| Bank Account Number | | | Yes |
| Biometrics Data | | | Yes |
| Business Address | | Yes | |
| Business Email Address | | Yes | |
| Business Telephone Number | | Yes | |
| Card Number: Credit or Debit | | | Yes |
| Citizenship Number | | | Yes |
| Civil Identifier Number | | | Yes |
| Club Membership ID | | Yes | |
| Custom Name | Yes (Recruiter in HCM Recruiting System) | Yes | |
| Digital ID | | | Yes |
| Drivers License Number | | | Yes |
| Electronic Taxpayer Identification Number | | | Yes |
| Employee Number | Yes (Recruiter in HCM Recruiting System) | Yes | |
| Government Affiliation ID | | | Yes |
| GPS Location | | Yes | |
| Hafiza Number | | | Yes |
| Health Insurance Number | | | Yes |
| Identity Card Number | | Yes | |
| Instant Messaging Address | | Yes | |
| Library Card Number | | Yes | |
| Maiden Name | | Yes | |
| Mail Stop | | Yes | |
| Medical Information | | | Yes |
| Military Service ID | | | Yes |
| National Identifier | | | Yes |
| Party Number or Customer Number | | Yes | |
| Passport Number | | | Yes |
| Pension ID Number | | | Yes |
| Pension Registration Number | | | Yes |
| Person Identification Number | | | Yes |
| Person Name | Yes (Name of recruiter in HCM Recruiting System) | Yes | |
| Personal Address | | | Yes |
| Personal Email Address | | | Yes |
| Personal Public Service Number | | | Yes |
| Residency Number (Green Card) | | | Yes |
| Social Insurance Number | | | Yes |
| Social Security Number | | | Yes |
| Student Examination Hall Ticket Number | | Yes | |
| Tax Registration Number or National Taxpayer Identifier | | | Yes |
| Trade Union Membership Number | | | Yes |
| Unemployment Insurance Number | | | Yes |
| User Global Identifier | | Yes | |
| Visa Number or Work Permit | | | Yes |
| Voter Identification Number | | | Yes |
| Web Site | | Yes | |
| Welfare Pension Insurance Number | | | Yes |
These attributes participate in data security policies to prevent unauthorized access to the private data attribute values. Users are not always granted access to their own PII data. You provision roles and associated data security policies to grant access to a user's own PII data where it is necessary or cost effective to do so, such as for managing e-mail addresses.
The following data is sensitive, though not PII.
| Sensitive Attribute Category | Public | Internal Public | Confidential Restricted | Confidential Highly Restricted | Type | Use |
|---|---|---|---|---|---|---|
| Unannounced Financial Results | | | | Yes | Commercial | |
| Financial Forecasts | | | | Yes | Commercial | |
| Competitive Analysis | | | Yes | | Commercial | |
| Strategic Business Plans | | | | Yes | Commercial | |
| Product design specifications | | | | Yes | Commercial | |
| Compensation | | | Yes | | Personal | Salary, bonus, stock, bank and account information, retirement accounts |
| Employment details | | | Yes | | Personal | Performance evaluation, grade, ranking, hire date, background checks and security clearances |
| Nationality and Citizenship | | | Yes | | Personal | Including work permit information |
| Health Information | | | | Yes | Personal | Disability leave, health care providers and plans, medical information |
| Personal information | | | | Yes | Personal | Birth date, place of birth, race and ethnicity, medical information, religion, politics, sexual orientation, union membership, offenses |
| Mother's maiden name | | | | Yes | Personal | |
| Passwords | | | | Yes | Security | Including access code or PIN |
| Encryption keys | | | | Yes | Security | |
| Customer configuration | | | | Yes | Security | |
| Security vulnerabilities | | | | Yes | Security | |
Oracle Fusion Applications security protects private data from unnecessary external exposure through role-based access controls and tools such as Virtual Private Database (VPD) for access from remote locations.
Use the function and data security mechanisms of the Oracle Fusion Applications security approach to protect other sensitive data in your enterprise that is not considered PII, such as compensation information, medical information, or ethnicity, especially when it is associated with data that can identify the person the data belongs to.
Oracle Fusion Applications Payments secures credit card and bank account data using encryption, masking, hashing and compression at the application level, but the protection is enforced across all Oracle Fusion applications.
Business objects relevant to privacy and the data security policies defined to protect them are listed in the Oracle Fusion Applications Security Reference Manual for each offering.
Personally identifiable information (PII) attributes in Oracle Fusion Applications span several product families.
Financials
Procurement
Human Capital Management
Under most of the regulatory schemes (EU, Canada, Japan, and so on), PII includes all information from which the identity of a person could be determined directly or indirectly.
The following attributes are considered PII in Financials.
National Identifier in Oracle Fusion Expenses
Bank Account Number in Oracle Fusion Payments
Card Number in Oracle Fusion Payments
Tax Registration Number in Oracle Fusion Tax
Tax Registration Number in Oracle Fusion Expenses
National Taxpayer Identifier in Oracle Fusion Financials for EMEA
National Taxpayer Identifier in Oracle Fusion Expenses
The following attributes are considered PII in Procurement.
Internal Public
Supplier Address (business)
Supplier Telephone Number (business)
Supplier Email Address (business)
Confidential
Supplier National Taxpayer Identifier
Supplier Tax Registration Number
Supplier Bank Account Number
The following attributes are considered PII in Human Capital Management.
| PII | Confidential PII |
|---|---|
| Address | Private Address Details |
| Drivers License Number | Drivers License Number |
| | Private Email Details |
| Article Number | Article Number |
| Civil Identifier Number | Civil Identifier Number |
| Civil Registration Number | Civil Registration Number |
| GOSI Number | GOSI Number |
| Government Affiliation ID | Government Affiliation ID |
| Hafiza Number | Hafiza Number |
| Military Service ID | Military Service ID |
| National Identifier | National Identifier |
| National Taxpayer Identifier (NIP) | National Taxpayer Identifier (NIP) |
| Nationality Number | Nationality Number |
| Pension ID Number | Pension ID Number |
| Social Insurance Number | Social Insurance Number |
| Social Security Number | Social Security Number |
| | Personal Public Service Number |
| | RFC ID |
| Tax Registration Number or National Taxpayer Identifier | Tax Registration Number |
| Unemployment Insurance Number | Unemployment Insurance Number |
| Passport Number | Passport Number |
| Person Name | |
| Maiden Name | |
| Telephone Number | Private Phone Details |
| Iqama Number | Iqama Number |
| Visa Number | Visa Number |
| Visa Number or Work Permit | Visa Number or Work Permit |
The following table shows how specific PII attributes correspond to a business object and are processed.
| Data Attribute | Business Object | Comments |
|---|---|---|
| National Identifier in Oracle Fusion Expenses | Corporate Card | Used to match a new card not previously matched to an employee |
| Bank Account Number in Oracle Fusion Payments | External Bank Account (LE) | Column subject to PCI/PABP in addition to PII security |
| | Disbursement (LE) | Masked payee bank account number, denormalized from IBY_EXT_BANK_ACCOUNTS_ALL; column subject to PCI/PABP in addition to PII security |
| | Disbursement (LE) | Masked payee bank account number, denormalized from IBY_EXT_BANK_ACCOUNTS_ALL; column subject to PCI/PABP in addition to PII security |
| Card Number in Oracle Fusion Payments | Payment Card (LE) | Column subject to PCI/PABP in addition to PII security |
| Tax Registration Number in Oracle Fusion Tax | Detail Tax Line (LE) | Tax Registration Number for external parties; may contain a personal TRN |
| | Tax Registration (LE) | Tax Registration Number for external parties; may contain a personal TRN. This attribute is indexed, and search identifies non-equality. |
| | Party Tax Profile (LE) | Tax Registration Number for external parties; may contain a personal TRN |
| Tax Registration Number in Oracle Fusion Expenses | Expense | Taxpayer Identifier of the merchant with which the employee conducted the transaction |
| | Corporate Card Transaction | Taxpayer Identifier of the merchant with which the employee conducted the transaction |
| National Taxpayer Identifier in Oracle Fusion Financials for EMEA | Spanish Withholding Interface (LE) | Supplier Taxpayer Identifier, used for Spanish Withholding Tax functionality |
| National Taxpayer Identifier in Oracle Fusion Expenses | Expense | Taxpayer Identifier of the merchant with which the employee conducted the transaction |
| | Corporate Card Transaction | Taxpayer Identifier of the merchant with which the employee conducted the transaction (column name may be synchronized with the previous entry) |
Several security components protect PII attributes.
The figure (not reproduced here) shows these layers: Authorization Policy Manager controls access, Virtual Private Database protects PII data in the database, Oracle Database Vault protects PII data from administrators, Transparent Data Encryption (TDE) protects PII in files, and Oracle Data Masking protects PII data on clones of the production database.
Privacy attributes are listed in the Oracle Fusion Applications Security Reference Manual for each offering.
In Oracle Fusion Applications, private data is accessed through user interfaces and client access tools such as SQL*Plus.
Oracle Fusion Applications manages privacy by the following means.
Oracle Virtual Private Database (VPD) protects personally identifiable information (PII) attributes other than public attributes that are not sensitive, such as name, work e-mail, work telephone, and so on.
Oracle Transparent Data Encryption (TDE) stores private information in encrypted format in the database.
Oracle Network Encryption encrypts private information in transit on the network, including on interfaces with outsourced service providers.
Oracle Database Vault protects runtime account data from database administrators (DBA).
Oracle Audit Vault enables auditing of privileged roles or activities.
Oracle Data Masking and Oracle Fusion Data Security mask personal portions of data for non-authorized roles, where appropriate.
The following safeguards apply across Oracle Fusion Applications.
Authentication
Authorization
Oracle Fusion Applications security does not protect private data in onward transfers, or from one recipient to another. Network encryption protects sensitive data in transit.
Oracle Fusion Applications secures personally identifiable information (PII) in the user interface and the database.
PII consists of attributes that are identified in the data model. PII attributes vary in sensitivity. They can be confidential (such as taxpayer ID and credit card numbers) or not (such as person name and email address).
Role definitions carry authorization to access PII attributes. Data security policies define entitlement for a role to access PII attributes wherever they are stored or displayed. Network encryption protects PII data in transit.
In Human Capital Management (HCM), Financials, and Procurement, Virtual Private Database (VPD) protects PII. Trading Community Architecture and Oracle Fusion Payments use Oracle Database Encryption APIs to secure confidential PII in their control at the column level, such as credit card and bank account numbers.
Oracle Transparent Data Encryption (TDE) prevents access to personally identifiable information (PII) in the file system, on backups, or on disk. Oracle Virtual Private Database (VPD) protects PII from users with DBA access, and Oracle Database Vault, if installed, prevents this protection from being overridden. Oracle Data Masking protects PII and sensitive data in cloned databases.
PII in interface tables used for custom integrations is not secured in the database, so it must be secured at interfaces that are not in Oracle Fusion.
Information that is not PII but sensitive, such as compensation benefits and employee performance details, is protected through standard function and data security.
As a security guideline, publish the privacy policy for the enterprise. When collecting private or personal data, notify users how the data will be used and who can access it.
Breaches in privacy may occur due to the following issues.
Failures in authentication
Failures in storage
Segregation of duties violations
Customization and extensions
Integrations with services that are not in Oracle Fusion
Privacy breaches could also result when data associated with a person is not masked even though all PII attributes are protected. For example, some combination of information, such as a person's assignment, number of total or direct reports, and user account, could allow a person's identity to be deduced.
The most effective measures preventing a breach of private data include the following.
Oracle Fusion Applications security authentication and authorization
Least privilege role definitions and provisioning
Virtual Private Database (VPD) exclusion of private data from client access tools
Oracle Database Vault exclusion of runtime account data from database administrator (DBA) access
Encryption of PII attribute values
Data masking
VPD security policies control database access at the row level. Only the SYS user, or users granted the EXEMPT ACCESS POLICY system privilege, can bypass VPD security policies. Oracle Database Vault additionally prevents DBAs from accessing VPD-protected data.
You can set up function security or row and column level data security using Oracle Fusion Data Security to secure private data, or set up Oracle Database Vault to restrict access through specified Internet Protocol (IP) addresses.
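The column-masking form of a VPD policy described above, as an added example that is not from this guide and not one of Oracle Fusion Applications' own policies. It assumes a hypothetical HR_DEMO schema with a PERSON_DEMO table and a PII_CTX application context that only the trusted package HR_DEMO.PII_CTX_PKG can set; the guide does not show Oracle Fusion's real policy functions or context names.

```sql
-- Added example (not from the Oracle guide). Schema, table, context and
-- package names are assumptions chosen for illustration.
CREATE TABLE hr_demo.person_demo (
  person_id           NUMBER PRIMARY KEY,
  person_name         VARCHAR2(100),  -- public within the enterprise: no VPD needed
  work_phone          VARCHAR2(30),   -- public within the enterprise: no VPD needed
  national_identifier VARCHAR2(30)    -- confidential PII: VPD-protected column
);

-- Application context that can be set only through the trusted package.
-- A session in SQL*Plus cannot call DBMS_SESSION.SET_CONTEXT for this
-- namespace directly, so it cannot forge the flag.
CREATE CONTEXT pii_ctx USING hr_demo.pii_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_demo.pii_ctx_pkg AS
  PROCEDURE grant_pii_access;   -- called by the application for authorized sessions
  PROCEDURE revoke_pii_access;
END;
/
CREATE OR REPLACE PACKAGE BODY hr_demo.pii_ctx_pkg AS
  PROCEDURE grant_pii_access IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('pii_ctx', 'pii_allowed', 'Y');
  END;
  PROCEDURE revoke_pii_access IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('pii_ctx', NULL, 'pii_allowed');
  END;
END;
/

-- Policy function: VPD appends the returned predicate to every SELECT on
-- the table. Sessions without the flag (an ad hoc client tool, a DBA
-- account) match no rows for the protected column.
CREATE OR REPLACE FUNCTION hr_demo.pii_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN q'[SYS_CONTEXT('pii_ctx', 'pii_allowed') = 'Y']';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR_DEMO',
    object_name           => 'PERSON_DEMO',
    policy_name           => 'PERSON_DEMO_PII',
    function_schema       => 'HR_DEMO',
    policy_function       => 'PII_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'NATIONAL_IDENTIFIER',
    -- ALL_ROWS = column masking: every row is still returned, but
    -- NATIONAL_IDENTIFIER reads as NULL when the predicate is false, so
    -- the public attributes stay usable while the confidential one is hidden.
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

Running this requires EXECUTE on DBMS_RLS and the CREATE ANY CONTEXT privilege; afterwards a plain SQL*Plus session sees NULL in NATIONAL_IDENTIFIER for every row, while a session in which the application has called hr_demo.pii_ctx_pkg.grant_pii_access sees the values. A SYS session, or one holding EXEMPT ACCESS POLICY, still bypasses the policy, which is the gap the guide says Oracle Database Vault closes.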
Recovery from unauthorized access to private data depends on auditing and logging that identifies the privacy attributes breached without writing the private data to the log files or audit reports.
Private information is confidential in some contexts.
Personally identifiable information (PII) identifies or can be used to identify, contact, or locate the person to whom the information pertains.
Some PII information is sensitive.
A person's name is not private. It is PII but not sensitive in most contexts. The names and work phone numbers of employees may be public knowledge within an enterprise, so they are PII but not sensitive. Under some circumstances it is reasonable to protect such information.
Some data is not PII but is sensitive, such as medical data, or information about a person's race, religion or sexual orientation. This information cannot generally be used to identify a person, but is considered sensitive.
Some data is not private or personal, but is sensitive. Salary ranges for grades or jobs may need to be protected from view by users in those ranges and only available to senior management.
Some data is not private or sensitive except when associated with other data that is not private or sensitive. For example, date or place of birth is not a PII attribute because by itself it cannot be used to uniquely identify an individual, but it is confidential and sensitive in conjunction with a person's name.