Pseudonymization

Martin Wahnschaffe edited this page Oct 21, 2022 · 1 revision

Disclaimer: From a data protection perspective, the term pseudonymization in SORMAS does not refer to a full de-identification of data, since the UUID of the data is not replaced by a pseudonym.

Pseudonymisation in SORMAS means that certain information is hidden based on the users' rights and scope of responsibility, which is most importantly based on the jurisdiction.

There are two types of hidden/obfuscated fields in pseudonymisation:

  • personal data: Name, date of birth, addresses, contact details and the like.
  • sensitive data: User names on the system, responsible institutions, free text fields, etc.

The UUID is still shown. When handing data over to third parties, it would need to be replaced with a generated ID. The mapping between the original UUID and the generated ID should ideally be stored in a separate, trusted system.

The pseudonymisation is implemented directly in the data access layer of the backend, so that there is no risk of sensitive data being exposed, neither in client applications nor in access via the REST interface.

The corresponding fields are pseudonymised or cleared. Even when saving, the user has no possibility to overwrite these fields.

There are separate user rights to manage which user can see what kind of data.

  • SEE_PERSONAL_DATA_IN_JURISDICTION - to allow access to personal data fields within the jurisdiction.
  • SEE_PERSONAL_DATA_OUTSIDE_JURISDICTION - to allow access to personal data fields from outside the jurisdiction.
  • SEE_SENSITIVE_DATA_IN_JURISDICTION - to allow access to sensitive data fields within the jurisdiction.
  • SEE_SENSITIVE_DATA_OUTSIDE_JURISDICTION - to allow access to sensitive data fields from outside the jurisdiction.

For example, Surveillance Officers are allowed to access personal and sensitive data of cases within their jurisdiction.
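As an added illustration (not SORMAS code and not the project's actual implementation), the following Python sketch models the four user rights above together with the backend behaviour described earlier: a case DTO is pseudonymised in the data access layer before it leaves the backend, and on save the hidden fields keep their stored values so the user cannot overwrite them. The `CaseDto` fields, the `pseudonymized` flag (which a client would use to render the read-only placeholder), the single-region jurisdiction model and the classification of fields as personal or sensitive are assumptions of this example; the UUID stays visible, as the page describes.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional, Set

# Added example, not SORMAS code: a minimal model of jurisdiction-based
# pseudonymisation applied on the read and write paths of the backend.


class UserRight(Enum):
    SEE_PERSONAL_DATA_IN_JURISDICTION = "SEE_PERSONAL_DATA_IN_JURISDICTION"
    SEE_PERSONAL_DATA_OUTSIDE_JURISDICTION = "SEE_PERSONAL_DATA_OUTSIDE_JURISDICTION"
    SEE_SENSITIVE_DATA_IN_JURISDICTION = "SEE_SENSITIVE_DATA_IN_JURISDICTION"
    SEE_SENSITIVE_DATA_OUTSIDE_JURISDICTION = "SEE_SENSITIVE_DATA_OUTSIDE_JURISDICTION"


# Field classification for the hypothetical CaseDto below (assumption of this example).
PERSONAL_FIELDS = ("first_name", "last_name", "birth_date", "address")
SENSITIVE_FIELDS = ("reporting_user", "additional_details")


@dataclass(frozen=True)
class User:
    name: str
    region: str                  # the user's jurisdiction (one region, for simplicity)
    rights: Set[UserRight]


@dataclass(frozen=True)
class CaseDto:
    uuid: str                    # never pseudonymised (see the disclaimer on this page)
    region: str                  # decides whether the case lies in the user's jurisdiction
    disease: str                 # neither personal nor sensitive, always visible
    first_name: Optional[str]
    last_name: Optional[str]
    birth_date: Optional[str]
    address: Optional[str]
    reporting_user: Optional[str]
    additional_details: Optional[str]
    pseudonymized: bool = False  # tells the client to show the read-only placeholder


def in_jurisdiction(user: User, case: CaseDto) -> bool:
    return user.region == case.region


def may_see_personal(user: User, case: CaseDto) -> bool:
    needed = (UserRight.SEE_PERSONAL_DATA_IN_JURISDICTION if in_jurisdiction(user, case)
              else UserRight.SEE_PERSONAL_DATA_OUTSIDE_JURISDICTION)
    return needed in user.rights


def may_see_sensitive(user: User, case: CaseDto) -> bool:
    needed = (UserRight.SEE_SENSITIVE_DATA_IN_JURISDICTION if in_jurisdiction(user, case)
              else UserRight.SEE_SENSITIVE_DATA_OUTSIDE_JURISDICTION)
    return needed in user.rights


def hidden_fields(user: User, case: CaseDto) -> tuple:
    """Names of the fields this user may not see on this case."""
    hidden = ()
    if not may_see_personal(user, case):
        hidden += PERSONAL_FIELDS
    if not may_see_sensitive(user, case):
        hidden += SENSITIVE_FIELDS
    return hidden


def pseudonymize(case: CaseDto, user: User) -> CaseDto:
    """Read path: clear every hidden field before the DTO leaves the backend."""
    hidden = hidden_fields(user, case)
    if not hidden:
        return case
    return replace(case, pseudonymized=True, **{f: None for f in hidden})


def attempt_edit(case_as_seen: CaseDto, **changes) -> CaseDto:
    """What a client sends back after editing; it may also try to fill hidden fields."""
    return replace(case_as_seen, **changes)


def merge_on_save(incoming: CaseDto, stored: CaseDto, user: User) -> CaseDto:
    """Write path: hidden fields keep their stored value, whatever the client sent."""
    kept = {f: getattr(stored, f) for f in hidden_fields(user, stored)}
    return replace(incoming, pseudonymized=False, **kept)


# Constructed sample data for the demonstration.
STORED_CASE = CaseDto(uuid="case-0001", region="Region A", disease="Measles",
                      first_name="Jane", last_name="Doe", birth_date="1990-05-17",
                      address="1 Example Street", reporting_user="officer_a",
                      additional_details="contact of case-0002")
IN_JURISDICTION_RIGHTS = {UserRight.SEE_PERSONAL_DATA_IN_JURISDICTION,
                          UserRight.SEE_SENSITIVE_DATA_IN_JURISDICTION}
OFFICER_A = User("officer_a", "Region A", IN_JURISDICTION_RIGHTS)   # same region as the case
OFFICER_B = User("officer_b", "Region B", IN_JURISDICTION_RIGHTS)   # other region
NATIONAL_USER = User("national", "Region A", set(UserRight))        # all four rights

if __name__ == "__main__":
    for user in (OFFICER_A, OFFICER_B, NATIONAL_USER):
        print(user.name, "sees:", pseudonymize(STORED_CASE, user))
```

Because both the read and the write path are decided in the backend from the stored record, a client that re-fills a cleared field (here OFFICER_B putting a name into a case from Region A) has no effect: `merge_on_save` takes the stored values for every field that user may not see, while edits to visible fields such as `disease` go through normally.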

On the user interface, pseudonymised fields are represented by a read-only field with a special placeholder (greyed out and in italics), so that the user can easily identify these fields and the system prevents them from being edited.