Do I have to implement Personal Data Reporting in my OAuth2 app?

I’m working on a OAuth2 (3LO) app for jira. We don’t save any user data except ther accountId of the user along with refresh token & access token.

In my console the below is said under “Distribution => Personal data declaration

Select “Yes” if you copy and store personal data associated with user references (e.g. AccountID) in your own systems or if you cache data for longer than 24 hours.

Since I store AccountID does it mean that I have to choose “Yes” even though I don’t store anything else?

Following answer is incorrect and has been superceded by: Do I have to implement Personal Data Reporting in my OAuth2 app? - #9 by ibuchanan


Yes. I confirm your interpretation of the privacy policy. You should choose “yes” because Atlassian considers the Account ID to be personal data. When I last consulted our privacy team, refresh and access tokens alone are not considered personal data.

This seems to be a change in policy? Has that been communicated?


@remie, which part is the change? Account IDs? Is there a doc where they were communicated as something other than personal data?

If you look back at all the GDPR threads, the gist is: remove personal data and replace it with account ID and you’re good.


It’s PII for Atlassian because you store it alongside other information. If I’m only storing the account ID, then there has to be a breach in both systems to identify the user. And if Atlassian deletes the account, then my copy of the account ID is meaningless.


Thanks for clarifying and I see your point clearly now. I will discuss with our privacy team to see if I’m missing some important context, or if we have changed policy and should make a policy notification.


What I don’t understand is how AccountID is considered personal data and the access token that contains AccountID in sub claim is not considered as personal data…?


I reverse my previous answer. After reconsulting with our privacy team, you should choose “no”. Consistent with prior posts from Atlassians during GDPR roll-out, Atlassian does not consider the Account ID alone to be personal data.

For your benefit and that of concern parties like @remie and @james.dellow, my prior answer was the result of a procedural problem that we have resolved internally. Thanks to your engagement here, we are keeping established policy.