GDPR Compliance

To comply with the European Union law known as General Data Protection Regulation or [GDPR](http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32016R0679) starting on May 25, 2018 there are some extra steps you as an admin need to take to protect information of users in your Galaxy.

Audience

Anyone with users from the EU.

The Galaxy Project cares about privacy preserving regulations and meeting the requirements of law. We have attempted to make compliance as easy as possible so you can continue to serve EU users.

Configuration

The Galaxy GDPR compliance is enabled by switching the gdpr_compliance flag available in the configuration of Galaxy, Reports, and the Tool Shed. If you intend to serve users from anywhere in the EU, you should set this to true. This has some important implications of which you must be aware:

Log Redaction

We attempt to redact all occurrences of username or email in the logs. Instead we opt to log the user ID number which cannot be reversed into personally identifying information (PII) without access to the database. This is to pseudonymise the data and reduce risk of PII being leaked.

We may change this redaction method to use encoded user IDs in the future.

You can configure the location of the compliance log like so:

logging:
      filters:
          stack:
              (): galaxy.web.stack.application_stack_log_filter
      formatters:
          stack:
              (): galaxy.web.stack.application_stack_log_formatter
          brief:
              format: '%(asctime)s %(levelname)-8s %(name)-15s %(message)s'
      handlers:
          console:
              class: logging.StreamHandler
              filters:
              - stack
              formatter: stack
              level: DEBUG
              stream: ext://sys.stderr
          compliance_log:
              class : logging.handlers.RotatingFileHandler
              formatter: brief
              filename: compliance.log
              backupCount: 0
      loggers:
          COMPLIANCE:
              handlers:
              - compliance_log
              level: DEBUG
              qualname: COMPLIANCE
          galaxy:
              handlers:
              - console
              level: DEBUG
              propagate: 0
              qualname: galaxy
          paste.httpserver.ThreadPool:
              level: WARN
              qualname: paste.httpserver.ThreadPool
          routes.middleware:
              level: WARN
              qualname: routes.middleware
      root:
          handlers:
          - console
          level: INFO
      version: 1

Which will produce logging events like this:

2018-05-10 18:32:20,787 INFO     COMPLIANCE      delete-user-event: f597429621d6eb2b

User Deletion

User deletion is always enabled when gdpr_compliance is enabled to comply with the right to erasure. When users are deleted, their PII is obscured. In practice this means:

  • username

  • email

  • user_address (when supplied)

All have their values that constitute PII permanently redacted with a one-way hash function.

This does not automatically remove their histories or datasets or any data they created on the service. It is expected that following deletion the normal Galaxy cleanup scripts will take care of this.

Backups

You are responsible for ensuring that backups are deleted, or re-executing the deletion process for all affected users following a restore.

We have added a “compliance log” which should aid in this by logging the user’s ID number, allowing you to re-delete them following a restoration. There is currently no automation to help enforce this; you are responsible for ensuring that when you restore services from backup, that you re-delete any PII of users which had previously requested deletion.

Tool Shed Specific

If a user has published a tool in your toolshed, when deleting their account their username will be redacted as well.

This will break any future updates for Galaxies consuming the tool and they will be stuck on the old version. Additionally due to how Galaxy builds toolshed repository paths on disk, it will break any access even if you try and install again from this repository owned by a redacted user.