Privacy Architecture

SanteDB's Policy Access Control components can be used to enable basic data privacy controls on data stored within the SanteDB solution. SanteDB allows objects such as Entities, Acts and identifiers to be tagged with one or more policies which apply to that particular object. 
Privacy Enforcement Service
Whenever an Entity, Act or Assigning Authority (identity domain) is tagged with an access policy (such as provided in the Adding Security Policy based on Occupation) the configured Privacy Enforcement Service is called and validate access to the record and to apply any actions to the outgoing (or incoming) data.
Entity/Act Disclosure
The disclosure validation on the enforcement compares the current security principals effective permission policy set and takes appropriate action (based on configuration) for the disclosure of the record. The actions which may be taken on objects like Entities (Person, Patient, Organization, Place, etc.) or Acts (Substance Administrations, Tests, etc.) are:
Enforcement Action
Description
Audit
The data is disclosed to the caller, however a high priority audit is created and
persisted (and shipped to the central audit repository) indicating the record was
disclosed.
Hide
The data is removed from the result set. There is no indication to the caller that
the data exists. For example: If a search for everyone named John were to return
10 results, however one was protected, then only 9 results would be returned in 
the result set.
Redact
Only the data's primary UUID, the status, applicable policies are disclosed to the
caller. This means the caller can *see* there is data present, however the caller
cannot determine *what* the data is (note: if the caller determines, based on
the policies listed in the object it can BTG then it can take appropriate action to
elevate)
Nullify
Only the data's primary UUID is disclosed. No policy, or status is disclosed.
Error
The CDR will throw a privacy violation error, indicating to the caller that they
have attempted to access information which they do not have appropriate
access permission to.
None
No Action is taken
Identity Disclosure
In addition to entire objects like patients, immunizations, procedures, etc. carrying privacy policies, it is possible to flag identity domains with access/disclosure policies. These policies are enforced on both disclosure and on write, meaning that reading and editing/inserting identities in protected domains is restricted to only principals with appropriate access permissions.
Action
Description
Hide or Nullify
The identifier is removed from the object and is never disclosed to the caller. 
The caller is unaware that the identifier exists.
Hash
The identifier is disclosed in a hashed form to the caller. The caller is aware of the
authority and is presented with a hash which can be used for matching with identifiers 
in its own data store.
Redact
The identifier is disclosed in a redacted form. The caller is aware the identifier exists
in the identity domain, and is aware of the length of the identifier, however all
characters within the identifier are replaced with X. (example: HIV-30493 becomes
XXXXXXXXX)
Audit
The identifier is disclosed to the caller in plain form, the caller can see the specific
identifier assigned to the patient. The CDR will dispatch an audit to its internal audit
repository and will ship an audit to the central audit repository for follow up.

Last modified 2yr ago

Enforcement Action	Description
Audit	The data is disclosed to the caller, however a high priority audit is created and persisted (and shipped to the central audit repository) indicating the record was disclosed.
Hide	The data is removed from the result set. There is no indication to the caller that the data exists. For example: If a search for everyone named John were to return 10 results, however one was protected, then only 9 results would be returned in the result set.
Redact	Only the data's primary UUID, the status, applicable policies are disclosed to the caller. This means the caller can see there is data present, however the caller cannot determine what the data is (note: if the caller determines, based on the policies listed in the object it can BTG then it can take appropriate action to elevate)
Nullify	Only the data's primary UUID is disclosed. No policy, or status is disclosed.
Error	The CDR will throw a privacy violation error, indicating to the caller that they have attempted to access information which they do not have appropriate access permission to.
None	No Action is taken

Action	Description
Hide or Nullify	The identifier is removed from the object and is never disclosed to the caller. The caller is unaware that the identifier exists.
Hash	The identifier is disclosed in a hashed form to the caller. The caller is aware of the authority and is presented with a hash which can be used for matching with identifiers in its own data store.
Redact	The identifier is disclosed in a redacted form. The caller is aware the identifier exists in the identity domain, and is aware of the length of the identifier, however all characters within the identifier are replaced with X. (example: HIV-30493 becomes XXXXXXXXX)
Audit	The identifier is disclosed to the caller in plain form, the caller can see the specific identifier assigned to the patient. The CDR will dispatch an audit to its internal audit repository and will ship an audit to the central audit repository for follow up.