Data Privacy Filtering

The Data Privacy Filtering panel controls the configuration of the data privacy services in SanteDB. Data privacy services allow administrators to:

  • Control how sensitive data is handled in SanteDB iCDR

  • Control which resources have specific privacy sensitivity in SanteDB iCDR

  • Control how sensitive records are disclosed or updated

  • Control which properties on which resources are forbidden (and will result in a privacy violation exception when collected, or queried).


Default Action

The action which should be applied to all resources which have been flagged as sensitive, where no specific policy has been assigned.


The resources which are to be protected with specialized policy enforcement.

Resource Controls

Expanding the resources input allows administrators to specify resources in the RIM which are subject to special protections. Clicking the ellipsis on the resources property will open a collection editor change the settings for resource controls:



The action to be applied on resources which have privacy policies applied to them, when the requesting user does not have a grant for the policy.

Resource Type

The type of resource that the policy applies to.

Patient, Person, etc.


The properties which are forbidden or have specialized sub-policy enforcement instructions.

You can set policies on identifiers (on entities and acts) by controlling the policy on AssigningAuthority.

Property Policies

The property policies allow implementing jurisdictions to control which properties in which resources are forbidden. Examples of this functionality are:

  • Restricting the collection, disclosure, or querying of Patient religion or ethnicity to all users

  • Restricting the disclosure, collection or querying of Patient VIP status to only users which have "Access to Taboo Information" policy.



The action to apply when the caller attempts to access, query, or write data to the field.


The policy OIDs which the user must posses in order for the Action not to result in an error.



The HDSI property path (root paths only) on the resource, where this policy applies.

Policy Actions

Resources, properties and the default policy actions dictate how the privacy filtering engine will handle data whenever:

  • The requesting principal lacks appropriate policy permissions to view data (when flagged), or

  • The requesting principal is querying, updating, or being disclosed data from a forbidden property.



No action is taken on the resource or data element.


The disclosure or update is permitted to continue, however a specialized security alert audit created indicating the property was disclosed or updated.


  • On Resources with data policies, the resource is stripped of all information (identifiers, addresses, telecoms, etc.) and data is replaced with XXXXXX

  • On AssigningAuthority resource the value of the identifier is replaced with XXXXXXX

  • On forbidden properties, the value of the property is replaced with XXXXXX on disclosure. Query is not permitted, recordation is not permitted.

Note: The $pep.masked tag is appended to the resource.


Replaces the value of the property with null , if the action is applied to a resource then the status is set to Nullify and no data is disclosed. Note: The $pep.masked tag is appended to the resource.


  • On Resources with data policies, the resource is removed from result sets. Direct fetching of the resource by UUID results in a NotFound and updates result in errors.

  • On AssigningAuthority resource, the identifier is removed from the object being disclosed. Updates or addition of the identity domain result in a privacy error.

  • On forbidden properties, the property is removed from the resource. Querying, recordation, and disclosure are forbidden.

Note: The $pep.masked tag is appended to the resource.


Whenever a principal attempts to read, query, or update the resource, the policy enforcement service will raise an error.


  • On Resources with data policies, the resource has its properties replaced with the SHA256 hash of the value

  • On AssigningAuthority resource, the identifier is replaced with a hash of the identifier value.

  • On forbidden properties, this setting has no effect.

Note: The $pep.masked tag is appended to the resource.

Last updated