Privacy Architecture
Last updated
SanteDB's Policy Access Control components can be used to enable basic data privacy controls on data stored within the SanteDB solution. SanteDB allows objects such as Entities, Acts and identifiers to be tagged with one or more policies which apply to that particular object.
Whenever an Entity, Act or Assigning Authority (identity domain) is tagged with an access policy (such as the one created in Adding Security Policy based on Occupation), the configured Privacy Enforcement Service is called to validate access to the record and to apply any actions to the outgoing (or incoming) data.
On disclosure, the enforcement service compares the policies attached to the record with the current security principal's effective policy set and takes the configured action. The actions which may be taken on objects like Entities (Person, Patient, Organization, Place, etc.) or Acts (Substance Administrations, Tests, etc.) are:

| Enforcement Action | Description |
| --- | --- |
| Audit | The data is disclosed to the caller; however, a high-priority audit is created and persisted (and shipped to the central audit repository) indicating that the record was disclosed. |
| Hide | The data is removed from the result set. There is no indication to the caller that the data exists. For example, if a search for everyone named John would return 10 results but one of them is protected, only 9 results are returned in the result set. |
| Redact | Only the data's primary UUID, its status and the applicable policies are disclosed to the caller. The caller can *see* that data is present but cannot determine *what* the data is (note: if, based on the policies listed on the object, the caller determines that it may break the glass (BTG), it can take the appropriate action to elevate its privileges). |
| Nullify | Only the data's primary UUID is disclosed. No policy or status is disclosed. |
| Error | The CDR throws a privacy violation error, indicating to the caller that they have attempted to access information for which they do not hold the appropriate access permission. |
| None | No action is taken. |

In addition to entire objects (patients, immunizations, procedures, etc.) carrying privacy policies, it is possible to flag identity domains with access/disclosure policies. These policies are enforced both on disclosure and on write, meaning that reading, editing and inserting identifiers in protected domains is restricted to principals with the appropriate access permissions. The actions which may be taken on a protected identifier are:
| Action | Description |
| --- | --- |
| Hide or Nullify | The identifier is removed from the object and is never disclosed to the caller. The caller is unaware that the identifier exists. |
| Hash | The identifier is disclosed to the caller in hashed form. The caller is aware of the authority and is presented with a hash which can be used for matching against identifiers in its own data store. |
| Redact | The identifier is disclosed in redacted form. The caller is aware that the identifier exists in the identity domain and of the length of the identifier; however, all characters within the identifier are replaced with X (example: HIV-30493 becomes XXXXXXXXX). |
| Audit | The identifier is disclosed to the caller in plain form; the caller can see the specific identifier assigned to the patient. The CDR dispatches an audit to its internal audit repository and ships an audit to the central audit repository for follow-up. |
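To make the two tables concrete, the following is an added illustrative model of the enforcement decision logic written for this page; it is not SanteDB's own Privacy Enforcement Service. The policy URN, the identity-domain names, the sample patient records and the use of SHA-256 for the Hash action are all assumptions.

```python
import hashlib

def is_protected(required, granted):
    # the object or domain requires a policy the principal's effective set lacks
    return not set(required) <= set(granted)

def mask_identifier(ident, action, audit_log):
    """Apply an identity-domain action; returns the disclosable form or None."""
    value = ident["value"]
    if action in ("hide", "nullify"):      # caller never learns it exists
        return None
    if action == "hash":                   # SHA-256 is an assumption; the page does not name the hash
        return {**ident, "value": hashlib.sha256(value.encode()).hexdigest()}
    if action == "redact":                 # same length, every character replaced with X
        return {**ident, "value": "X" * len(value)}
    if action == "audit":                  # disclosed in full, but logged
        audit_log.append(("identifier-disclosed", ident["domain"], value))
        return ident
    raise ValueError(f"unknown identifier action {action!r}")

def enforce(records, granted, domains, object_action, ident_action, audit_log):
    """Filter a result set for a principal holding `granted`; `domains` maps domain -> required policies."""
    disclosed = []
    for rec in records:
        if is_protected(rec["policies"], granted):
            if object_action == "hide":    # dropped; the result count shrinks silently
                continue
            if object_action == "error":   # privacy violation error surfaces to the caller
                raise PermissionError(f"privacy violation on {rec['id']}")
            if object_action in ("nullify", "redact"):   # nullify: UUID only; redact: + status, policies
                keys = ("id",) if object_action == "nullify" else ("id", "status", "policies")
                disclosed.append({k: rec[k] for k in keys})
                continue
            if object_action == "audit":   # "none" falls through with no log entry
                audit_log.append(("record-disclosed", rec["id"]))
        out = dict(rec, identifiers=[])
        for ident in rec["identifiers"]:
            if is_protected(domains.get(ident["domain"], []), granted):
                ident = mask_identifier(ident, ident_action, audit_log)
            if ident is not None:
                out["identifiers"].append(ident)
        disclosed.append(out)
    return disclosed

# Constructed sample data: the policy URN and domain names are made up for this example
DOMAINS = {"HIV": ["urn:example:policy:sensitive"]}
RECORDS = [
    {"id": "p1", "status": "active", "policies": [],
     "identifiers": [{"domain": "MRN", "value": "A1"}, {"domain": "HIV", "value": "HIV-30493"}]},
    {"id": "p2", "status": "active", "policies": ["urn:example:policy:sensitive"],
     "identifiers": [{"domain": "MRN", "value": "B2"}]},
]
```

Calling `enforce(RECORDS, [], DOMAINS, "redact", "redact", [])` returns both records, the second reduced to its UUID, status and policies, and the first with HIV-30493 shown as XXXXXXXXX; switching to "hide" returns only the first record with the HIV identifier removed.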