Data Privacy Enforcement Provider
Last updated
IPrivacyEnforcementService
in assembly SanteDB.Core.Api version 3.0.1980.0
Contract for services which enforce privacy directives
Implementers of this service contract are expected to provide support for the SanteDB Privacy Enforcement architecture. The responsibilities for implementers are:
- Ensure that data privacy directives are adhered to prior to updating data in the CDR
- Ensure that fields which are sensitive or forbidden are not used in queries
This service is used by the IRepositoryService layer. ValidateWrite is invoked before a write operation executes and should ensure that the data being written does not violate local privacy laws (for example, if Race is forbidden and the request contains Race, the request should be aborted or the Race data scrubbed).
Additionally, ValidateQuery is invoked before a query executes to ensure that the query parameters do not violate local privacy laws (for example, a query on MaritalStatus is not permitted) and that patient privacy policies would not be violated by the query. For example, if the jurisdiction has a policy which protects or hides HIV_PROGRAM identifiers, and a principal which lacks that policy attempts a query such as `identifier[HIV_PROGRAM].value=!null`, then patient privacy could be compromised simply by a result being returned (even if the HIV_PROGRAM identifier is scrubbed from that result). ValidateQuery should protect against these cases (note: the default implementation does not protect against this, but the method gives third-party implementers of this service the means to do so).
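As an added illustration (not code from SanteDB or from this page), the sketch below shows how an implementer of this contract could perform the ValidateQuery and ValidateWrite checks described above, including the HIV_PROGRAM case that the default implementation does not cover. The Patient and Identifier model classes, the claim-based policy lookup, the policy identifier string and the forbidden-field list are all constructed for the example; the method signatures follow the shapes shown on this page, but the class does not implement the real interface, whose namespace and generic constraints are not given here. The page's query `identifier[HIV_PROGRAM].value=!null` is written as an equivalent LINQ predicate; how SanteDB itself turns that query into an expression is not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Security.Claims;
using System.Security.Principal;

// Constructed stand-in for the CDR model (not SanteDB's model classes).
public class Identifier
{
    public string Domain { get; set; }   // identifier domain, e.g. "HIV_PROGRAM"
    public string Value { get; set; }
}

public class Patient
{
    public string MaritalStatus { get; set; }
    public string Race { get; set; }
    public List<Identifier> Identifiers { get; set; } = new List<Identifier>();
}

// Records every member name and string constant that appears in a predicate, so the
// enforcement service can reason about what a query touches without executing it.
class QueryInspector : ExpressionVisitor
{
    public HashSet<string> Members { get; } = new HashSet<string>();
    public HashSet<string> Constants { get; } = new HashSet<string>();

    protected override Expression VisitMember(MemberExpression node)
    {
        Members.Add(node.Member.Name);
        return base.VisitMember(node);
    }

    protected override Expression VisitConstant(ConstantExpression node)
    {
        if (node.Value is string s) Constants.Add(s);
        return base.VisitConstant(node);
    }
}

public class ExamplePrivacyEnforcement
{
    // Constructed jurisdiction configuration: fields that may never be queried or stored,
    // and identifier domains that require an explicit policy grant (hypothetical policy id).
    static readonly HashSet<string> ForbiddenFields = new HashSet<string> { "MaritalStatus", "Race" };
    static readonly Dictionary<string, string> ProtectedDomains = new Dictionary<string, string>
    {
        ["HIV_PROGRAM"] = "urn:example:policy:hiv-program"
    };

    // Constructed policy lookup; a real implementation would consult IPolicyInformationService.
    static bool HasPolicy(IPrincipal principal, string policy) =>
        principal is ClaimsPrincipal cp && cp.HasClaim("policy", policy);

    public bool ValidateQuery<TModel>(Expression<Func<TModel, bool>> query, IPrincipal principal)
    {
        var inspector = new QueryInspector();
        inspector.Visit(query);
        // Forbidden fields may not appear in a predicate, whoever is asking.
        if (inspector.Members.Overlaps(ForbiddenFields)) return false;
        // Naming a protected identifier domain in the predicate leaks program membership by
        // the mere presence of a result, even if the identifier is scrubbed on disclosure.
        foreach (var domain in ProtectedDomains)
            if (inspector.Constants.Contains(domain.Key) && !HasPolicy(principal, domain.Value))
                return false;
        return true;
    }

    public bool ValidateWrite<TData>(TData data, IPrincipal principal)
    {
        if (!(data is Patient p)) return true;   // only the Patient model is checked in this example
        // Abort the write outright if it carries data the jurisdiction forbids storing.
        if (p.MaritalStatus != null || p.Race != null) return false;
        // Protected identifiers may only be written by a principal holding the policy.
        return p.Identifiers.All(i => i.Domain == null
            || !ProtectedDomains.TryGetValue(i.Domain, out var policy) || HasPolicy(principal, policy));
    }

    public TData Apply<TData>(TData data, IPrincipal principal)
    {
        // Scrub protected identifiers before disclosure to a principal lacking the policy.
        if (data is Patient p)
            p.Identifiers.RemoveAll(i => i.Domain != null
                && ProtectedDomains.TryGetValue(i.Domain, out var policy) && !HasPolicy(principal, policy));
        return data;
    }

    public static void Main()
    {
        var svc = new ExamplePrivacyEnforcement();
        var clerk = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("name", "clerk") }, "example"));
        var clinician = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("policy", "urn:example:policy:hiv-program") }, "example"));

        // The page's query identifier[HIV_PROGRAM].value=!null, written as a LINQ predicate.
        Expression<Func<Patient, bool>> hivQuery =
            pt => pt.Identifiers.Any(i => i.Domain == "HIV_PROGRAM" && i.Value != null);
        Expression<Func<Patient, bool>> maritalQuery = pt => pt.MaritalStatus == "M";

        Console.WriteLine(svc.ValidateQuery(hivQuery, clerk));         // clerk holds no HIV_PROGRAM policy grant
        Console.WriteLine(svc.ValidateQuery(hivQuery, clinician));     // clinician holds the policy
        Console.WriteLine(svc.ValidateQuery(maritalQuery, clinician)); // MaritalStatus is a forbidden field
    }
}
```

The point of inspecting the expression rather than the result set is the one the page makes: once a predicate names a protected domain, any row that comes back reveals membership, so scrubbing in Apply is too late and the query has to be refused up front for principals without the grant.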
DataPolicyFilterService
A privacy enforcement service that uses the local IPolicyInformationService and applies the default behaviours described in the SanteDB Privacy Architecture.
This privacy enforcement service provides a baseline implementation of a privacy filter in SanteDB. The service supports:
- Hiding, masking, hashing or redacting data that is about to be disclosed, according to the DataPolicyFilterConfigurationSection
- Removing any forbidden or restricted fields from disclosure based on policy (or global removal)
- Ensuring that inbound messages do not contain masked or partial data
- Validating that queries are not performed against forbidden fields
- Ensuring that inbound data does not contain forbidden field data
A data privacy filter service which supports exemption based on configuration
This class is an extension of the DataPolicyFilterService which adds support for exempting certain types of principals from the enforcement action. This is useful for scenarios where, for example, an IDeviceIdentity is a node that is synchronizing data.
Operation | Response/Return | Input/Parameter | Description |
---|---|---|---|
Apply | TData | TData data, IPrincipal principal | Applies the privacy policies attached to the provided data such that a disclosure to the provided principal would not compromise patient privacy. |
Apply | IQueryResultSet<TData> | IQueryResultSet<TData> data, IPrincipal principal | Applies the privacy policies attached to the provided result set such that a disclosure to the provided principal would not compromise patient privacy. |
ValidateWrite | Boolean | TData data, IPrincipal principal | Determines whether the record provided contains data that the user should not be sending. |
ValidateQuery | Boolean | Expression<Func<TModel,Boolean>> query, IPrincipal principal | Validates that the query can be performed by the user and does not contain forbidden or compromising fields. |