Personal data destruction

Note: The data destruction features described in this topic provide a set of features that help enable insurers to comply with some of their data destruction requirements. These requirements may be driven by insurers’ policies and practices, as well as by their interpretation of various regulatory requirements. Such regulatory requirements may come from, for example, the European Union General Data Protection Regulation (GDPR) or the New York State Cybersecurity Requirements for Financial Services Companies law.

PolicyCenter supports destruction of some kinds of data. Destruction can mean either purging the data completely from the database or it can mean obfuscating data, making the original contents permanently unreadable.

Obfuscation might be required if destroying the data affects contacts that cannot be destroyed. For example, purging user data for a former employee could affect hundreds or even thousands of contacts. Therefore it makes more sense to obfuscate the data for the user and leave the other data alone.

Guidewire provides several Cloud API endpoints that obfuscate or purge personally identifiable information (PII). Note that while the terms destruction and destroy encompass both obfuscating and purging, in Cloud API the destroy endpoints perform a purge.

PolicyCenter provides the following endpoints for data destruction:

  • POST /admin/v1/users/{userId}/obfuscate
  • POST /common/v1/contacts/{contactId}/destroy
  • POST /account/v1/accounts/{accountId}/destroy
  • POST /policy/v1/policies/{policyId}/destroy

The following supporting endpoints are also discussed in this topic:

  • POST /common/v1/contacts/{contactId}/do-not-destroy
  • POST /common/v1/search/contacts
Note: For detailed information on data destruction, refer to the following resources:
  • Application Guide
  • Configuration Guide

API entity destruction overview

The type of data destruction available varies based on the entity. The following table describes the entities that can be destroyed through Cloud API.

Entity Destruction Type Immediacy

User

Obfuscate

Immediate

Contact

Purge

Work queue process

Account

Purge

Immediate

Policy

Purge

Immediate

System configuration

In the PolicyCenter base configuration, data destruction is not enabled by default. If you attempt to run the obfuscate or destroy endpoints you’ll receive one or both of the following errors:

Cannot purge 'Node = [C000000001 NotPurgeable]' because the DoNotDestroy flag is set

Cannot purge 'Node = [C000000001 NotPurgeable]' because PersonalDataDestruction plugin disposition for node is MUST_NOT_DESTROY"

To enable data destruction, you must update certain configuration parameters. For complete details on these settings, refer to the Configuration Guide

Obfuscating user data

Obfuscation is a form of data destruction that permanently overwrites data in certain fields with randomized data (such as GUIDs). These actions cannot be undone.

Note: This process differs from Obfuscating response data. Obfuscating response data leaves the data intact in the database and obfuscates only the data displayed in the response. The endpoints described here obfuscate at the database level, permanently overwriting the data in the database.

PolicyCenter provides an endpoint to obfuscate user data. The user must be inactive (the active attribute must be set to false) for the user to be obfuscated.

The following endpoint obfuscates a user’s data:

  • POST /admin/v1/users/{userId}/obfuscate

This example demonstrates obfuscating PII for user pc:120.

Before obfuscating, if you retrieve information for user pc:120 you’ll see something like this:

{
    "data": {
        "attributes": {
            "active": false,
            "displayName": "Ronald Rutherford",
            "externalUser": false,
            "firstName": "Ronald",
            "id": "pc:120",
            "lastName": "Rutherford",
            "username": "rrutherford",
            …
        },

You can then use the following endpoint to obfuscate the record for user pc:120:

POST/admin/v1/users/pc:120/obfuscate

No request body is required for this POST action.

The response shows that fields with PII, such as displayName and userName, have all been overwritten:

{
    "data": {
        "attributes": {
            "active": false,
            "displayName": "71633b5ed0dba332f1f4b645682c6d 71633b5ed0dba332f1f4b645682c6d",
            "externalUser": false,
            "firstName": "71633b5ed0dba332f1f4b645682c6d",
            "id": "pc:120",
            "lastName": "71633b5ed0dba332f1f4b645682c6d",
            "username": "80aef0777aa07c8cf79b454bab2df5",
…
        },

After obfuscation, you can still retrieve the user record based on ID, but there is no way to personally identify that user.

Destroying a contact

Destroying, or purging, is a form of data destruction that completely removes contact data and policy or account data from PolicyCenter. There can be multiple objects associated with the contact, account, or policy that are also removed as they are detected by traversing the entity domain graph.

Search for contacts

Before destroying any data, you first need to find the record for the contact whose data you want to destroy. You can do this using the following endpoint:

In the request body, you must include at least one of these fields:

  • For a person:
    • firstName and lastName
    • taxId
  • For a company:
    • companyName
    • phoneNumber

This example retrieves the user named John Smith:

Command

POST /common/v1/search/contacts

Request

{
    "data": {
        "attributes": {
            "lastName": "Smith",
            "firstName": "John"
        }
    }
}

This example retrieves the company named Wright Construction:

Request

{
    "data": {
        "attributes": {
            "companyName": "Wright Construction"
        }
    }
}

Destroy the contact

When you call the endpoint to destroy a contact, the contact is not destroyed immediately. Instead, the contact is placed in the DestroyContactForPersonalData work queue, and continues to exist until a scheduled batch process is run to destroy all data in the queue. See the Administration Guide for information on the DestroyContactForPersonalData work queue.

Use the following endpoint to destroy a contact:

  • POST /common/v1/contacts/{userId}/destroy

The following example destroys the contact with user ID pc:234.

Command

POST /common/v1/contacts/pc:234/destroy

The request contains only the ID of the requester. This requester ID does not have to match the ID of a user in PolicyCenter.

Request

{
    "data": {
        "attributes": {
            "requesterId": "5678"
        }
    }
}

Retrieve contacts scheduled for destruction

You can retrieve a list of contacts that are scheduled to be destroyed but have not yet been run through the batch process. Use the following endpoints to retrieve contacts that are scheduled for destruction:

  • GET /systemtools/v1/personal-data-destruction-requests
  • GET /systemtools/v1/personal-data-destruction-requests/pc:999

For example:

Command

GET /systemtools/v1/personal-data-destruction-requests

Response

{
    "data": [
        {
            "attributes": {
                "allRequestsFulfilled": false,
                "destructionRequestStatus": {
                    "code": "Unprocessed",
                    "name": "Unprocessed"
                },
                "displayName": "PersonalDataDestructionRequest pc:234",
                "id": "pc:234",
                "requesterIds": [
                    "5678"
                ]
            },
        ...

You can also filter based on the ID of the destruction requester:

GET /systemtools/v1/personal-data-destruction-requests?filter=requeterIds:in:5678

Destroying an account

When you run the destroy endpoint on an account, destruction happens immediately. This differs from running the destroy endpoint on a contact, where the actual destruction of data doesn’t happen until a scheduled batch process has run.

Use the following endpoint to destroy an account:

  • POST /account/v1/accounts/{accountId}/destroy

This example immediately removes account pc:987 from the database:

Command

POST /account/v1/accounts/pc:987/destroy

The request contains only the ID of the requester. The requester ID does not have to match the ID of a user in PolicyCenter.

Request

{
    "data": {
        "attributes": {
            "requesterId": "5678"
        }
    }
}

Destroying a policy

When you run the destroy endpoint on a policy, destruction happens immediately. This differs from running the destroy endpoint on a contact, where the actual destruction of data doesn’t happen until a scheduled batch process has run.

Use the following endpoint to destroy a policy:

  • POST /policy/v1/policies/{policyId}/destroy

This example immediately removes policy pc:5454 from the database:

Command

POST /policy/v1/policies/pc:5454/destroy

The request contains only the ID of the requester. The requester ID does not have to match the ID of a user in PolicyCenter.

Request

{
    "data": {
        "attributes": {
            "requesterId": "5678"
        }
    }
}

Preventing data destruction

You can prevent a specific contact, account, or policy from being destroyed by setting its doNotDestroy attribute to true. (This attribute is false by default.) For example, if account pc:500 is set to doNotDestroy: true, and account pc:600 is set to doNotDestroy: false (the default), you can destroy account pc:600 but you cannot destroy account pc:500.

Use the following endpoints to set the doNotDestroy attribute:

  • POST /common/v1/contacts/{contactId}/do-not-destroy
  • POST /account/v1/accounts/{accountId}/do-not-destroy
  • POST /policy/v1/policies/{policyId}/do-not-destroy

Set the doNotDestroy attribute to either true or false in the request body. For example, use the following command and request to specify that contact pc:234 cannot be destroyed:

Command

POST /common/v1/contacts/pc:234/do-not-destroy

Request

{
    "data": {
        "attributes": {
            "doNotDestroy": true
        }
    }
}