Handling Sensitive Identifiers
Goals
- Provide a mechanism for handling sensitive identifiers
Background and strategic fit
The original data model assumes that sensitive identifiers (such as Social Security Numbers) could be stored in the pr[sc]_identifiers tables as just another identifier. Revisions to the data model introduced an SSN column to prs_sor_persons, although there is no corresponding column in prc_persons.
Assumptions
- It is desirable to support the ability to encrypt sensitive identifiers.
- Having a column labeled "SSN" is a US specific concept, and impedes internationalization.
- A national identifier column should either be in both prs_sor_persons and prc_persons, or in neither table. Having such a column still requires the use of pr[sc]_identifiers to track deprecated values and other metadata.
- Election of a single identifier value from multiple SORs can be handled in the existing framework of prs_identifiers and prc_identifiers.
Requirements
# | Title | Description | Priority | Notes |
---|---|---|---|---|
1 | Election | The ability to elect a single identifier when multiple systems of record provide conflicting values. | Required | |
2 | Deprecation | The ability to track multiple values for a given identifier type in the event of an identifier being deprecated. | Required | |
3 | Encryption | The ability to encrypt sensitive identifiers (using database column level encryption). | Required | |
4 | Internationalization | The ability to support multinational identifiers without imposing a US centric design. | Required | |
Design
There are several options for how to proceed.
Option 1: Drop "ssn" Column From prs_sor_persons
For this approach, all identifiers are stored in pr[sc]_identifiers. Installations requiring encryption of sensitive identifiers can simply encrypt the entire identifier column, including non-sensitive identifiers. This option satisfies all requirements.
Option 2: Rename "ssn" Column To "national_identifier" And Add To prc_persons
For this approach, a single national identifier is placed into prs_sor_persons:national_identifier for each SOR, and then a single national identifier is in turn placed into prc_persons:national_identifier as the result of election. Installations requiring encryption of sensitive identifiers could then encrypt the national_identifier column. This option does not satisfy requirement #2, and further research is needed to determine if it will satisfy requirement #4.
Option 3: Establish pr[sc]_sensitive_identifiers
This approach is similar to Option 1, except that new tables are established for sensitive identifiers so they may be encrypted without requiring encryption of other types of identifiers. This option satisfies all requirements.
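The following is an added example, not the project's own schema or code, showing how Option 3 meets requirements 1 to 3 in one small model: a separate prs_sensitive_identifiers table (so that only its identifier column needs database column-level encryption), deprecation by status rather than deletion, and election across SORs by a precedence list. Table and column names are assumptions modelled on the page's pr[sc]_identifiers naming, the SOR names and identifier values are constructed, and the identifier type is called "national" rather than "ssn" to keep the type name country-neutral. SQLite is used only so the example runs stand-alone; the encryption itself is left to the database, as the page proposes.

```python
import sqlite3

# Added example (not the project's code). Table and column names are assumptions
# modelled on the page's pr[sc]_identifiers naming; all sample rows are constructed.

SCHEMA = """
-- Non-sensitive identifiers supplied by each system of record (SOR).
CREATE TABLE prs_identifiers (
    sor        TEXT    NOT NULL,
    person_id  INTEGER NOT NULL,
    type       TEXT    NOT NULL,
    identifier TEXT    NOT NULL,
    status     TEXT    NOT NULL DEFAULT 'A'   -- 'A' active, 'D' deprecated
);
-- Option 3: identical shape in a separate table, so database column-level
-- encryption can be applied to this identifier column alone.
CREATE TABLE prs_sensitive_identifiers (
    sor        TEXT    NOT NULL,
    person_id  INTEGER NOT NULL,
    type       TEXT    NOT NULL,
    identifier TEXT    NOT NULL,
    status     TEXT    NOT NULL DEFAULT 'A'
);
-- Elected (consolidated) values: one active row per person and type.
CREATE TABLE prc_identifiers (
    person_id  INTEGER NOT NULL,
    type       TEXT    NOT NULL,
    identifier TEXT    NOT NULL,
    sor        TEXT    NOT NULL,               -- the SOR that won the election
    status     TEXT    NOT NULL DEFAULT 'A'
);
"""

# Identifier types whose values are sensitive; "national" instead of "ssn"
# keeps the type name country-neutral (requirement 4).
SENSITIVE_TYPES = {"national"}


def table_for(id_type):
    """Route a type to the plain or the sensitive SOR table (Option 3)."""
    return "prs_sensitive_identifiers" if id_type in SENSITIVE_TYPES else "prs_identifiers"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_identifier(conn, sor, person_id, id_type, value):
    """Store a value from one SOR; an earlier active value of the same type
    from that SOR is kept but marked deprecated (requirement 2)."""
    table = table_for(id_type)  # from the fixed mapping above, never caller-supplied
    conn.execute(f"UPDATE {table} SET status = 'D' "
                 "WHERE sor = ? AND person_id = ? AND type = ? AND status = 'A'",
                 (sor, person_id, id_type))
    conn.execute(f"INSERT INTO {table} (sor, person_id, type, identifier) "
                 "VALUES (?, ?, ?, ?)", (sor, person_id, id_type, value))
    conn.commit()


def elect(conn, person_id, id_type, precedence):
    """Choose one active value when several SORs disagree (requirement 1):
    the first SOR in `precedence` holding an active value wins. The winner is
    written to prc_identifiers; a previously elected value that differs is
    deprecated, not deleted. Returns the elected value, or None."""
    table = table_for(id_type)
    active = dict(conn.execute(
        f"SELECT sor, identifier FROM {table} "
        "WHERE person_id = ? AND type = ? AND status = 'A'",
        (person_id, id_type)).fetchall())
    for sor in precedence:
        if sor not in active:
            continue
        value = active[sor]
        current = conn.execute(
            "SELECT identifier FROM prc_identifiers "
            "WHERE person_id = ? AND type = ? AND status = 'A'",
            (person_id, id_type)).fetchone()
        if current and current[0] == value:
            return value  # election outcome unchanged
        conn.execute("UPDATE prc_identifiers SET status = 'D' "
                     "WHERE person_id = ? AND type = ? AND status = 'A'",
                     (person_id, id_type))
        conn.execute("INSERT INTO prc_identifiers (person_id, type, identifier, sor) "
                     "VALUES (?, ?, ?, ?)", (person_id, id_type, value, sor))
        conn.commit()
        return value
    return None


def history(conn, person_id, id_type):
    """Every value ever supplied for a person and type, oldest first, with status."""
    return conn.execute(
        f"SELECT sor, identifier, status FROM {table_for(id_type)} "
        "WHERE person_id = ? AND type = ? ORDER BY rowid",
        (person_id, id_type)).fetchall()
```

Because routing by type happens in one place (`table_for`), an installation that enables column-level encryption on prs_sensitive_identifiers.identifier covers every sensitive type without touching the non-sensitive table, which is the separation Option 3 buys over Option 1.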
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome |
---|---|
Will having a column labeled "SSN" freak people out? | |