Hi Vishal
To date the Open API specifications have not made prescriptions regarding transmission of personal data (I prefer that term rather than Sensitive data, since GDPR covers all data owned by a data subject, not just sensitive data).
My personal view is that this is beyond the scope of an API specification. For example, you raise the issue of logging; that's surely an issue that needs to be addressed in the implementation of an API (for logging from within the business layer), or in the API gateway (for logging of API payloads).
It might be possible to "decorate" the Open API data model (the schema) with additional metadata indicating which data is considered personal, PII, sensitive, etc. But I don't know how this could be done technically within the current format (JSON Schema and Swagger), maybe other forum members have ideas.
Hope it helps
------------------------------
Jonathan Goldberg
Amdocs Management Limited
Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
------------------------------
Original Message:
Sent: Feb 13, 2020 16:50
From: Vishal Thakur
Subject: Client sensitive data in request URLs
Hi All
I was wondering if there are any standard guidelines available on this portal to pass client sensitive data like MSISDNs or directory numbers in the Product Qualification request API. I presume that this would be a common concern for all the companies operating under GDPR regulations, and since most API gateways have logging enabled for the requests that pass through, I was wondering if there have been any guidelines or standard procedures established to pass such information in the API request securely.
Appreciate your thoughts on this.
Cheers!
------------------------------
Vishal Thakur
BT Group plc
------------------------------
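Jonathan's suggestion above, decorating the schema so that personal-data fields are identifiable, can be prototyped today because the OpenAPI format permits any key prefixed with "x-" as a specification extension. The following Python is an added example written for this page, not code from TM Forum or from either poster. It assumes a hypothetical extension name, "x-personal-data", a constructed request schema and query-parameter list for a product qualification call, and a constructed logging key; it walks the schema to find the flagged paths, then pseudonymizes those values (keyed HMAC, so one subscriber can still be correlated across log lines without the MSISDN itself ever reaching the gateway log) in both the query string and the request body before the log line is written.

```python
"""Added example: flag personal-data fields in an OpenAPI schema with a vendor
extension and pseudonymize them before a gateway writes its request log.
Not from the TM Forum thread; "x-personal-data" is a hypothetical extension name."""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PERSONAL_EXT = "x-personal-data"  # hypothetical "x-" extension; OpenAPI allows any such key

# Constructed request body schema for a product qualification call.
REQUEST_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "properties": {
        "productOfferingId": {"type": "string"},
        "customer": {"type": "object", "properties": {
            "msisdn": {"type": "string", PERSONAL_EXT: True},
            "directoryNumber": {"type": "string", PERSONAL_EXT: True},
            "segment": {"type": "string"}}},
        "serviceLines": {"type": "array", "items": {"type": "object", "properties": {
            "lineId": {"type": "string"},
            "msisdn": {"type": "string", PERSONAL_EXT: True}}}},
    },
}

# Constructed query parameters; the same flag marks a personal-data parameter.
QUERY_PARAMETERS: List[Dict[str, Any]] = [
    {"name": "productOfferingId", "in": "query", "schema": {"type": "string"}},
    {"name": "msisdn", "in": "query", "schema": {"type": "string"}, PERSONAL_EXT: True},
]

# Constructed key for the demo only; a real gateway keeps it in a secret store.
LOG_PEPPER = b"demo-only-log-pepper-rotate-me"

Path = Tuple[str, ...]  # property names, with "*" standing for "any array element"


def personal_paths(schema: Dict[str, Any], prefix: Path = ()) -> List[Path]:
    """Walk a JSON Schema and list every property path carrying the flag."""
    found: List[Path] = []
    if schema.get(PERSONAL_EXT) is True:
        found.append(prefix)
    for name, sub in schema.get("properties", {}).items():
        found.extend(personal_paths(sub, prefix + (name,)))
    if "items" in schema:
        found.extend(personal_paths(schema["items"], prefix + ("*",)))
    return found


def pseudonymize(value: str) -> str:
    """Keyed hash: analysts can still correlate one subscriber across log lines,
    but the log never holds the MSISDN and it cannot be reversed without the key."""
    digest = hmac.new(LOG_PEPPER, value.encode(), hashlib.sha256).hexdigest()
    return "psn:" + digest[:16]


def redact_body(payload: Any, paths: List[Path]) -> Any:
    """Deep copy of the payload with every flagged path pseudonymized."""
    flagged = set(paths)

    def walk(node: Any, here: Path) -> Any:
        if isinstance(node, dict):
            return {k: pseudonymize(str(v)) if here + (k,) in flagged else walk(v, here + (k,))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item, here + ("*",)) for item in node]
        return node

    return walk(payload, ())


def redact_url(url: str, parameters: List[Dict[str, Any]]) -> str:
    """Pseudonymize flagged query parameters so the access log does not keep them."""
    flagged = {p["name"] for p in parameters if p.get("in") == "query" and p.get(PERSONAL_EXT) is True}
    parts = urlsplit(url)
    pairs = [(k, pseudonymize(v) if k in flagged else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def gateway_log_line(method: str, url: str, body: Dict[str, Any]) -> str:
    """What the gateway should write instead of the raw request."""
    record = {"method": method,
              "url": redact_url(url, QUERY_PARAMETERS),
              "body": redact_body(body, personal_paths(REQUEST_SCHEMA))}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed request; the numbers are from Ofcom's reserved drama ranges.
    body = {"productOfferingId": "PO-42",
            "customer": {"msisdn": "447700900123", "directoryNumber": "02079460000", "segment": "consumer"},
            "serviceLines": [{"lineId": "L1", "msisdn": "447700900124"}]}
    print(gateway_log_line("POST", "https://api.example.test/qualify?productOfferingId=PO-42&msisdn=447700900123", body))
```

Two practical caveats: pseudonymizing the value at log time does not change the fact that an MSISDN in the query string still travels through every proxy, access log and browser history on the path, so a POST body is the better place for it, and even then the gateway must be configured to run this redaction on bodies rather than logging them raw. The keyed hash is a design choice over plain masking; it keeps log lines correlatable for fraud and support investigations while the key, not the log, becomes the thing to protect.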