
    GDPR - Right to be forgotten

    As an application development platform for enterprises, a top priority of Casewhere is to ensure that Casewhere applications developed for or by our customers comply with GDPR. Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the "right to be forgotten". This article will introduce you to how Casewhere helps developers handle this requirement by configuring anonymization rules. But first, you will need to understand how the anonymization process works in Casewhere.

    Anonymization process

    Data anonymization is the process of protecting private or sensitive information by removing identifiers that connect an individual to stored data. For example, you can erase Personally Identifiable Information (PII) such as names, social security numbers, and addresses through a data anonymization process that retains the data but keeps the source anonymous. The anonymization process in Casewhere ensures that, once a person's data has been anonymized, it is impossible to identify that person in any of the Casewhere databases:

    • Event source
    • Snapshot database
    • Audit log
    • System log
    • Encrypted data: It's possible to protect sensitive data in Casewhere by enabling encryption on specific fields. The anonymization process also anonymizes this encrypted data, so even if an attacker somehow obtains the Casewhere encryption key, they still cannot identify the person.

    The Casewhere anonymization process ensures that the application can still function properly on the anonymized data. That is, the caseworker can still view and even edit the case, or part of it, even though he can no longer identify to whom the case is related.

    Casewhere does not offer any built-in method for anonymizing data. Instead, the platform allows you to define rules to anonymize data. That is, how data is anonymized is really up to your business, and you have the full freedom to decide what and how data is anonymized. There are a few techniques you can consider for your project:

    • Data masking: You can configure a rule to hide data with altered values. For example, you can replace phone number digits with the symbol "*". Data masking makes reverse engineering or detection impossible.
    • Pseudonymization: You can configure a rule to replace real names with fake names defined from a given dataset. Pseudonymization preserves statistical accuracy and data integrity, allowing the modified data to be used for training, development, testing, and analytics while protecting data privacy.
    • Generalization: You can configure a rule to remove some of the data to make it less identifiable. For example, john@globeteam.com can be transformed to anonymous19001570@globeteam.com, which is still a valid, unique email. We still know the user comes from Globeteam, but it's impossible to identify who he is.

    Anonymization rules can be packaged as standard products for reuse. Casewhere provides APIs so you can customize the anonymization process to fulfill your business requirements. In this article, we will guide you through configuring a simple anonymization process, but you can also find and install similar applications in the Casewhere standard package library to save effort. In practice, the business requirement can be more complex. You might want to create a data class to keep track of all anonymization requests. You might also want to add an approval process, as your business demands. Anonymizing data can be a heavy task if your system has a large database; you might need to schedule the jobs to run in the background at midnight.

    Configuration

    In Casewhere Admin, navigate to PII Data Protection Rules. Here you can create and manage anonymization rules for your applications.

    When defining a new rule, you need to specify the following:

    • Data Class: Specify the data class to which the rule will apply

    • Attribute: Specify the attribute to which the rule will apply

    • Is Identified: When individuals request to be forgotten, they need to provide their identity (CPR, Email, etc.) for matching and verification. This identity information is later searched for in the Casewhere database. This data collection step is part of the anonymization process, and as a developer, you need to tell Casewhere which fields it may use for that search.

    • Anonymization Rule: Select or create a new server rule to transform data. You can also learn more about rule development here. Below are some examples:

      • Generalize email, e.g., convert "john@domain.com" to "Anonymous190014570@domain.com"

        #predicate
        // Split "john@domain.com" into ["john", "domain.com"]
        var parts = @parameters.OriginalValue.Split(new char[]{ '@' }, StringSplitOptions.RemoveEmptyEntries);
        // Fresh random id (GUID without dashes) so the new address stays unique
        var id = Guid.NewGuid().ToString().Replace("-", "");
        // Replace the local part and keep the domain, so the result is still a valid address
        parts[0] = $"Anonymous{id}@";
        return String.Join("", parts);
        
      • Mask phone number, e.g., convert "50-12-34-56" to "50-xx-xx-xx"

        #predicate
        // Keep the first two digits and mask the remaining groups
        return @parameters.OriginalValue.Substring(0, 2) + "-xx-xx-xx";
        
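    The three techniques listed under the anonymization process (masking, pseudonymization, generalization) and the two rule bodies above, written out as a stand-alone C# program that compiles and runs outside Casewhere. This is an added example, not code from the Casewhere documentation or platform: the method names, the fake-name dataset and the HMAC key are assumptions, and a real Casewhere rule would read @parameters.OriginalValue instead of taking a string parameter. It goes a little beyond the rule bodies above by guarding against short values and addresses without a usable '@', and by making the pseudonym deterministic so the same person maps to the same fake name across records.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Stand-alone sketches of the three rule types. The method names, the
// fake-name dataset and the HMAC key are assumptions made for this example;
// inside Casewhere each body would read @parameters.OriginalValue instead
// of taking a string parameter.
public static class AnonymizationRules
{
    // Data masking: keep separators and the first two digits, replace every
    // other digit with 'x'. Guarded so an empty or short value never throws
    // inside the rule engine (a bare Substring(0, 2) would).
    public static string MaskPhone(string original)
    {
        if (string.IsNullOrEmpty(original)) return original;
        var sb = new StringBuilder(original.Length);
        int digitsSeen = 0;
        foreach (char c in original)
        {
            if (char.IsDigit(c))
            {
                sb.Append(digitsSeen < 2 ? c : 'x');
                digitsSeen++;
            }
            else
            {
                sb.Append(c); // keep '-', ' ', '+' so the layout stays readable
            }
        }
        return sb.ToString();
    }

    // Constructed sample dataset of fake names (an assumption, not a Casewhere asset).
    private static readonly string[] FakeNames =
        { "Alex Nielsen", "Sam Jensen", "Kim Hansen", "Robin Larsen" };

    // Pseudonymization: pick a fake name by keyed hash of the normalized
    // original, so the same person always gets the same pseudonym across
    // records (referential integrity is preserved), while the secret key keeps
    // anyone holding only the fake-name list from recomputing the mapping.
    public static string Pseudonymize(string original, byte[] secretKey)
    {
        if (string.IsNullOrEmpty(original)) return original;
        using var hmac = new HMACSHA256(secretKey);
        byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(original.Trim().ToLowerInvariant()));
        uint index = BitConverter.ToUInt32(digest, 0) % (uint)FakeNames.Length;
        return FakeNames[index];
    }

    // Generalization: keep the domain, replace the local part with a fresh
    // anonymous id so the address stays unique and syntactically valid.
    // A value with no usable '@' cannot be generalized this way, so it is
    // replaced with a fixed placeholder rather than left identifiable.
    public static string GeneralizeEmail(string original)
    {
        if (string.IsNullOrEmpty(original)) return original;
        int at = original.LastIndexOf('@');
        if (at <= 0 || at == original.Length - 1) return "anonymous@invalid";
        string id = Guid.NewGuid().ToString("N"); // 32 hex chars, no dashes
        return "anonymous" + id + original.Substring(at);
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder key: in a deployment this would come from the environment's secret store.
        byte[] key = Encoding.UTF8.GetBytes("replace-with-a-per-environment-secret");

        Console.WriteLine(AnonymizationRules.MaskPhone("50-12-34-56"));
        Console.WriteLine(AnonymizationRules.MaskPhone("5"));
        Console.WriteLine(AnonymizationRules.Pseudonymize("John Smith", key));
        // Same person, different spacing and casing: same pseudonym
        Console.WriteLine(AnonymizationRules.Pseudonymize("john smith ", key)
            == AnonymizationRules.Pseudonymize("John Smith", key));
        Console.WriteLine(AnonymizationRules.GeneralizeEmail("john@globeteam.com"));
        Console.WriteLine(AnonymizationRules.GeneralizeEmail("not-an-email"));
    }
}
```

    Two design points worth noting. With a small fake-name dataset, many real names collide onto the same pseudonym, which is acceptable for erasure but means a pseudonym is not unique the way the generalized email is; if uniqueness matters, append a short hash-derived suffix instead. The HMAC key must live outside the rule body (a secret store, not the rule text), because anyone who can read the key and the dataset can confirm whether a guessed name maps to a given pseudonym.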

    After defining rules, the next step is building a workflow that anonymizes data for your application. The shape of the workflow is up to your business, but typically it contains two activities:

    1. Form activity: to collect the user identity

    2. Scripted activity: Anonymize data using Casewhere API.

        // Resolve the anonymization API (and the data API, if the script needs it) from the activity context
        var pIIDataAnonymizationApi = ctx.Use<IPIIDataAnonymizationApi>();
        var dataApi = ctx.Use<IDataApi>();
        // Create an anonymization task from the submitted request record and run it;
        // the identity fields on the request are matched against the attributes marked "Is Identified"
        var task = pIIDataAnonymizationApi.CreateAndAnonymizeTask(ctx.Ref("CwUatAnonymizationRequest").Identifier);
        

    You can learn more about IPIIDataAnonymizationApi by visiting this in-app document.
