Privacy Architecture

SanteDB's Policy Access Control components can be used to enable basic data privacy controls on data stored within the SanteDB solution. SanteDB allows objects such as Entities, Acts and identifiers to be tagged with one or more policies which apply to that particular object.

Privacy Enforcement Service

Whenever an Entity, Act or Assigning Authority (identity domain) is tagged with an access policy (such as provided in the Adding Security Policy based on Occupation) the configured Privacy Enforcement Service is called and validate access to the record and to apply any actions to the outgoing (or incoming) data.

Entity/Act Disclosure

The disclosure validation on the enforcement compares the current security principals effective permission policy set and takes appropriate action (based on configuration) for the disclosure of the record. The actions which may be taken on objects like Entities (Person, Patient, Organization, Place, etc.) or Acts (Substance Administrations, Tests, etc.) are:

Enforcement Action



The data is disclosed to the caller, however a high priority audit is created and

persisted (and shipped to the central audit repository) indicating the record was



The data is removed from the result set. There is no indication to the caller that

the data exists. For example: If a search for everyone named John were to return

10 results, however one was protected, then only 9 results would be returned in

the result set.


Only the data's primary UUID, the status, applicable policies are disclosed to the caller. This means the caller can *see* there is data present, however the caller

cannot determine *what* the data is (note: if the caller determines, based on the policies listed in the object it can BTG then it can take appropriate action to



Only the data's primary UUID is disclosed. No policy, or status is disclosed.


The CDR will throw a privacy violation error, indicating to the caller that they

have attempted to access information which they do not have appropriate

access permission to.


No Action is taken

Identity Disclosure

In addition to entire objects like patients, immunizations, procedures, etc. carrying privacy policies, it is possible to flag identity domains with access/disclosure policies. These policies are enforced on both disclosure and on write, meaning that reading and editing/inserting identities in protected domains is restricted to only principals with appropriate access permissions.



Hide or Nullify

The identifier is removed from the object and is never disclosed to the caller. The caller is unaware that the identifier exists.


The identifier is disclosed in a hashed form to the caller. The caller is aware of the authority and is presented with a hash which can be used for matching with identifiers in its own data store.


The identifier is disclosed in a redacted form. The caller is aware the identifier exists

in the identity domain, and is aware of the length of the identifier, however all characters within the identifier are replaced with X. (example: HIV-30493 becomes XXXXXXXXX)


The identifier is disclosed to the caller in plain form, the caller can see the specific

identifier assigned to the patient. The CDR will dispatch an audit to its internal audit

repository and will ship an audit to the central audit repository for follow up.

Last updated