Keeping your data secure and compliant

Client data security is paramount. The following information outlines some of the ways that client data is protected when using IBM Watson apps, IBM Watson Studio, and their component services, such as IBM Watson Machine Learning, and what you are expected to do to help in these efforts.

Client responsibility

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

HIPAA readiness

Watson Studio and Watson Machine Learning meet the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA readiness applies to the following plans:

  • The Watson Studio Enterprise plan in the Dallas (US South) region
  • The Watson Machine Learning Professional plan in the Dallas (US South) region

Watson Knowledge Catalog is not HIPAA ready. For all other services that you use with Watson Studio, you must check the plan page in IBM Cloud for each to determine if it is HIPAA ready and whether you need to reprovision the service after you enable HIPAA support.

HIPAA support from IBM requires that you agree to the terms of the Business Associate Addendum (BAA) agreement with IBM for your IBM Cloud account. The BAA outlines IBM responsibilities, but also your responsibilities to maintain HIPAA compliance. After you enable HIPAA support in your IBM Cloud account, you cannot disable it. See IBM Cloud Docs: Enabling the HIPAA Supported setting.

To enable HIPAA support for your IBM Cloud account:

  1. Log in to your IBM Cloud account.
  2. Click Manage > Account and then Account settings.
  3. In the HIPAA Supported section, click On.
  4. Read the BAA and then select Accept and click Submit.

You do not need to reprovision your Watson Studio or Watson Machine Learning services after you enable HIPAA support. However, you might need to migrate your Watson Studio and other service instances from Cloud Foundry orgs and spaces to resource groups in IBM Cloud. For instructions, see IBM Cloud: Migrating Cloud Foundry service instances to a resource group.

IBM’s commitment to GDPR

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

Content and Data Protection

The Data Processing and Protection data sheet (Data Sheet) provides information specific to the IBM Cloud Service regarding the type of Content enabled to be processed, the processing activities involved, the data protection features, and specifics on retention and return of Content. Any details or clarifications and terms, including Client responsibilities, around use of the Cloud Service and data protection features, if any, are set forth in this section. There may be more than one Data Sheet applicable to Client’s use of the IBM Cloud Service based upon options selected by Client. The Data Sheet may only be available in English and not available in local languages. Despite any practices of local law or custom, the parties agree that they understand English and it is an appropriate language regarding acquisition and use of the IBM Cloud Services. The following Data Sheets apply to the IBM Cloud Service and its available options. Client acknowledges that i) IBM may modify Data Sheets from time to time at IBM’s sole discretion and ii) such modifications will supersede prior versions. The intent of any modification to Data Sheet(s) will be to

  1. improve or clarify existing commitments,
  2. maintain alignment to current adopted standards and applicable laws, or
  3. provide additional commitments. No modification to Data Sheets will materially degrade the data protection of a IBM Cloud Service.

Here are some of the data sheets that you can view:

You, the client, are responsible to take necessary actions to order, enable, or use available data protection features for a IBM Cloud Service and accept responsibility for use of the IBM Cloud Services if you fail to take such actions, including meeting any data protection or other legal requirements regarding Content. IBM’s Data Processing Addendum (DPA) and DPA Exhibits apply and are referenced in as part of the Agreement, if and to the extent the European General Data Protection Regulation (EU/2016/679) (GDPR) applies to personal data contained in Content. The applicable Data Sheets for this IBM Cloud Service will serve as the DPA Exhibits. If the DPA applies, IBM’s obligation to provide notice of changes to Subprocessors and Client’s right to object to such changes will apply as set out in DPA.

GDPR statement that applies to IBM Watson Machine Learning log files

Disclaimer: Client’s use of the deep learning training process includes the ability to write to the training log files. Personal data must not be written to these training log files as they are accessible to other users within Client’s Enterprise as well as to IBM as necessary to support the IBM Cloud Service.

Please pay close attention to data privacy principals when selecting a dataset for training data. Processing of PI is governed by vigorous legal requirements and is only allowed if it is based on an explicit legal basis. These regulations mandate that PI is processed only for the purpose it was collected for. No other processing in a manner that is incompatible with this initial purpose is permissible. For these and other constrains these regulations place on your use of PI, we highly recommend that you do not use “real” PI in your training dataset unless it is allowed or permissible. You may substitute real PI using test data that is available on the public sphere.

Secure deletion from the IBM Watson Machine Learning service

Anyone that has personally identifiable information and data (PII) stored as part of using the IBM Watson Machine Learning service, has the right to obtain from the controller the erasure of that data without undue delay. The controller has the obligation to erase personal data without undue delay where one of the following conditions exist:

  • There is PII data stored in the IBM Watson Machine Learning service
  • User email address and full name are stored as metadata related to the Machine Learning repository assets.
  • User provided service credentials.
  • Repository asset content, which is usually out of Machine Learning service control and potentially can contain any type of PII data in it. In this case, when users want to track PII data stored in assets, such as a model, they must:

    • Get training data reference from the model metadata.
    • Scan training data for occurrence of PII data of particular user.
    • If such data can be found in the training data set, the model should be considered as potentially holding this data in its content.

Repository asset content, such as models, can be securely deleted by performing one of the methods for permanently deleting personal data.

Options for permanently deleting personal data

There are several options that users can choose to delete their personal data permanently:

  • Remove the entire IBM Watson Machine Learning service instance from IBM Cloud. This is possible by sending an un-provisioning request via different channels, such as the IBM Cloud UI, CLI, or REST API.

  • Remove all information related to the particular model published in the IBM Watson Machine Learning repository with the following REST API command:

      DELETE /v3/wml_instances/{instance_id}/published_models/{published_model_id}
    
  • Remove all information related to the selected model deployment by using the following REST API command:

      DELETE /v3/wml_instances/{instance_id}/published_models/{published_model_id}/deployments/{deployment_id}
    

For the IBM Watson Machine Learning service, personally identifiable information and data is removed completely from all data sources, including backups, after 30 days.

Learn more