Handling Sensitive Identifiers

Target release: 0.9.4
Theme: Data Model
Document status: DRAFT
Document owner:
Designer:
Developers:
QA:

Goals

  • Provide a mechanism for handling sensitive identifiers

Background and strategic fit

The original data model assumes that sensitive identifiers (such as Social Security Numbers) could be stored in the pr[sc]_identifiers tables as just another identifier. Revisions to the data model introduced an SSN column to prs_sor_persons, although there is no corresponding column in prc_persons.

Assumptions

  • It is desirable to support the ability to encrypt sensitive identifiers.
  • Having a column labeled "SSN" is a US-specific concept and impedes internationalization.
  • A national identifier column should either be in both prs_sor_persons and prc_persons, or in neither table. Having such a column still requires the use of pr[sc]_identifiers to track deprecated values and other metadata.
  • Election of a single identifier value from multiple SORs can be handled in the existing framework of prs_identifiers and prc_identifiers.

Requirements

  1. Election (Required): The ability to elect a single identifier when multiple systems of record provide conflicting values.
  2. Deprecation (Required): The ability to track multiple values for a given identifier type in the event of an identifier being deprecated.
  3. Encryption (Required): The ability to encrypt sensitive identifiers (using database column-level encryption).
  4. Internationalization (Required): The ability to support multinational identifiers without imposing a US-centric design.

Design

There are several options for how to proceed.

Option 1: Drop "ssn" Column From prs_sor_persons

For this approach, all identifiers are stored in pr[sc]_identifiers. Installations requiring encryption of sensitive identifiers can simply encrypt the entire identifier column, including non-sensitive identifiers. This option satisfies all requirements.

Option 2: Rename "ssn" Column To "national_identifier" And Add To prc_persons

For this approach, a single national identifier is placed into prs_sor_persons:national_identifier for each SOR, and then a single national identifier is in turn placed into prc_persons:national_identifier as the result of election. Installations requiring encryption of sensitive identifiers could then encrypt the national_identifier column. This option does not satisfy requirement #2, and further research is needed to determine if it will satisfy requirement #4.

Option 3: Establish pr[sc]_sensitive_identifiers

This approach is similar to Option 1, except that new tables are established for sensitive identifiers so they may be encrypted without requiring encryption of other types of identifiers. This option satisfies all requirements.
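To make Options 1 and 3 concrete, the following SQL sketch is added here (it is not from the design document or the registry's actual schema) to show how pr[sc]_sensitive_identifiers would keep deprecated values (requirement #2) and feed election (requirement #1). Only the table names pr[sc]_sensitive_identifiers come from the page; every column name, the sor_priority table and the sample ids are assumptions.

```sql
-- Added illustration of Option 3; not part of the design document or the real
-- schema. Only the two table names come from the page; all column names, the
-- sor_priority table and the sample ids below are assumptions.
CREATE TABLE prs_sensitive_identifiers (
    id               INTEGER PRIMARY KEY,
    sor_person_id    INTEGER NOT NULL,      -- the prs_sor_persons row (assumed FK)
    person_id        INTEGER NOT NULL,      -- matched prc_persons row (assumed FK)
    sor_id           INTEGER NOT NULL,      -- which system of record supplied the value
    identifier_type  VARCHAR(32) NOT NULL,  -- e.g. 'NATIONAL_ID', not a US-specific 'SSN' (#4)
    identifier       VARCHAR(256) NOT NULL, -- the one column placed under DBMS column-level encryption (#3)
    date_deprecated  DATE                   -- NULL while current; set instead of overwriting (#2)
);

CREATE TABLE prc_sensitive_identifiers (
    id               INTEGER PRIMARY KEY,
    person_id        INTEGER NOT NULL,      -- assumed FK to prc_persons
    identifier_type  VARCHAR(32) NOT NULL,
    identifier       VARCHAR(256) NOT NULL, -- encrypted as above
    source_sor_id    INTEGER NOT NULL,      -- the SOR whose value won the election (#1)
    date_deprecated  DATE
);

-- Assumed per-installation ranking of systems of record; lower number wins.
CREATE TABLE sor_priority (
    sor_id    INTEGER PRIMARY KEY,
    priority  INTEGER NOT NULL
);

-- Deprecation (#2): when a SOR sends a replacement value, the old row is kept
-- and dated rather than updated in place. A single national_identifier column
-- (Option 2) has no room for this history. 1001 is a sample sor_person_id.
UPDATE prs_sensitive_identifiers
   SET date_deprecated = CURRENT_DATE
 WHERE sor_person_id = 1001 AND identifier_type = 'NATIONAL_ID'
   AND date_deprecated IS NULL;

-- Election (#1): one current value per consolidated person and type, taken
-- from the highest-priority SOR among those still asserting a value.
SELECT person_id, identifier_type, identifier, sor_id
  FROM (
        SELECT s.person_id, s.identifier_type, s.identifier, s.sor_id,
               ROW_NUMBER() OVER (PARTITION BY s.person_id, s.identifier_type
                                  ORDER BY p.priority, s.id) AS rn
          FROM prs_sensitive_identifiers s
          JOIN sor_priority p ON p.sor_id = s.sor_id
         WHERE s.date_deprecated IS NULL
       ) ranked
 WHERE rn = 1;
```

The election result is what an installation would write into prc_sensitive_identifiers, recording the winning sor_id as source_sor_id; because non-sensitive identifiers stay in pr[sc]_identifiers, encryption is confined to the two tables above.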

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question: Will having a column labeled "SSN" freak people out?
Outcome:

Not Doing