Article version: GitHub.com
GitHub Insights and data protection for your organization
GitHub Insights analyzes your GitHub Enterprise Server data. This data could include personal data of individuals in your organization who may have the right to understand how such personal data is being used.
GitHub Insights is available with GitHub One. For more information, see "GitHub's products."
For more information about the terms that govern GitHub Insights, see your GitHub One subscription agreement.
For the avoidance of doubt, none of the foregoing information should be considered legal advice provided by GitHub. You are responsible for securing your own legal analysis of the information provided herein and for your compliance with privacy and data protection laws. It is up to you whether to use GitHub Insights to process your employees’ and users’ data, and if you do so, you are solely responsible for conducting such processing in compliance with applicable law.
When using GitHub Insights, your organization is the data controller because your organization determines whether, how, and why GitHub Insights will process any individual’s personal data. Your organization is solely responsible for ensuring that you are complying with all applicable laws in processing data with GitHub Insights.
You have full control over which metrics, reports, repositories, and contributors to include before beginning use of GitHub Insights. The data you process with GitHub Insights can only be pulled from your installation of GitHub Enterprise Server. Consider balancing the risks versus the benefits of analyzing personal data.
Develop a clear analysis plan: You must understand clearly what you want to analyze and why, and then consider how GitHub Insights may help you find those answers.
Consider a data protection impact assessment: If your proposed use of GitHub Insights involves processing personal data, consider completing a data protection impact assessment or otherwise completing formal legal analysis of your planned use.
Decide which repositories to include: Before you start an analysis in GitHub Insights, consider which repositories to include. Administrators can include repositories when adding organizations and can enable and disable repositories at any time. For more information on adding organizations to GitHub Insights, see "Managing organizations." For more information on enabling and disabling repositories, see "Managing repositories."
Decide which metrics and reports to include: Administrators can enable and disable metrics and reports available for all users at any time. Administrators control the GitHub Insights data that users have access to in your installation of GitHub Enterprise Server. For more information, see "Managing available metrics and reports."
Decide which contributors to include: Administrators can disable a specific contributor’s data from being processed in the metrics and reports. For more information on managing contributor data, see "Managing contributors and teams."
Under various data protection regulations, such as the General Data Protection Regulation (GDPR), users may have the right to request exclusion from processing, access, and correction, or to request deletion of their personal data. As the data controller, your organization should evaluate whether a particular user request is valid and, if appropriate, take action to fulfill the request.
Exclusion of processing: Users may have the right to have their personal data excluded from being processed. Administrators have the ability to remove a contributor’s data from being processed in GitHub Insights, and the resulting reports and metrics will exclude the contributor’s data accordingly. For more information, see "Managing contributors and teams."
Access: Users may have the right to demand to see what personal data is being processed. Each metric and report has a detailed description of what personal data is being processed. For more information, see "Metrics available with GitHub Insights." Raw data is available through the GitHub Enterprise API. Your organization is responsible for any decisions to process personal data and for fulfilling any such requests.
Correction and deletion: Users may have the right to rectify or delete their personal data. The data used in GitHub Insights is derived from the existing data you add to or generate from your GitHub Enterprise Server installation. Correction and deletion should follow your organization's existing process to correct and delete data from GitHub Enterprise Server.
Transparency regarding processing: Each metric and report has a detailed description of what personal data is being processed. For more information, see "Metrics available with GitHub Insights."