Add support for sensitive data #187
Comments
|
As discussed, this is far more complex at the level of rosters. @rocketboy76 Will any of the sensitive data be in rosters for the initial release? |
|
Yes definitely! Rosters most often used for household member.
… On May 5, 2017, at 1:33 PM, grassick ***@***.***> wrote:
As discussed, this is far more complex at the level of rosters. @rocketboy76 Will any of the sensitive data be in rosters for the initial release?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
@broncha So, it will have to include rosters too. Here's how I think: rosters store data as an array. e.g. for roster "r1" with questions q1, q2, it is stored: We can't keep sensitive data inside there, so we move it also to The only really painful part is line 100 of the MWaterSchemaMap where we make a synthetic table out of the roster values. Not quite sure how to code that yet, but it's possible. |
|
We also need to start thinking about how to tackle: mWater/mwater-visualization#389 |
|
@broncha Ok, some modifications to plans after talking with the (generally very happy) client: In the user interface, rename "sensitive" to "confidential":
|
|
Dies horribly right away when saving draft: Dies again when submitting: |
|
Redaction and unredaction should only happen on state transitions. If submitted directly as final, should redact. If draft is started, do not attempt to unredact. |
|
To reproduce, create a simple survey in the portal with confidential question. Run the survey using the app. |
|
Ok, so there are some issues with rosters. I've added failing tests. Trying it now with simpler non-roster test. |
|
Still crashing bad: |
|
I added: the if. Why are we restoring and redacting at all unless confidentialMode is on? Would really simplify if we didn't do anything unless it was on, but then I guess would need to have safeguards about turning off confidentialMode that is not allowed unless no quesiton has confidential = true. What do you think? |
|
Can a form's confidentialMode be changed to false when there are responses already? If yes, then we will need to check that transition as well and restore confidential data. |
|
@broncha confidentialMode can no longer be turned off once deployed. That being said, let's keep the complete code for now as long as it's stable. |
In order for mWater to be used in academic environments, we must be able to protect sensitive data such as the names of people in households and the exact locations.
The new "senstive information" feature would have the following features:
Here is the detailed list of what needs to be created:
Add sensitiveData field to responses table
Add boolean flag to questions in mwater-forms "sensitive" (+ UI in form designer)
Add optional sensitiveRadius, which is the distance in meters to scramble coordinates by (+ UI in form designer)
When a response is received by the server, if it has transitioned from draft/rejected to any other state, sensitive information should be moved from "data" to "sensitiveData" and a redacted version left in "data". Also, the flag "sensitive" should be set to true within the response-> data -> questionid structure.
Locations should either be scrambled within a radius or removed when they are copied out to the sensitiveData
When a response is received by the server, if it has transitioned the other way (to draft/rejected), the reverse procedure should happen, copying data from sensitiveData back to data
MWaterSchemaMap should block access to the sensitiveData field completely unless the user is an administrator of the form, not just the response
ResponseCollectionModel should block access to the sensitiveData field completely unless the user is an administrator of the form, not just the response
Add sensitiveData to the pgSchema
Add a section called "Sensitive Information" to the schema that gets generated by the FormSchemaBuilder that contains the unredacted sensitive information. It should only contain the questions that have been marked as sensitive. This should only be included in the schema if the person creating the schema is an administrator of the form. It should obtain its data from sensitiveData field and the column ids should generally be of the format sensitiveData:SOMEQUESTIONID:value
All columns added that are sensitive columns to the above schema should have sensitive: true property set (the original questions do not have it set, only the ones that point into sensitiveData)
Don't include any columns with the sensitive: true set by default in datagrids or in response exporting (both of which uses similar code to select all the columns to include)
Only display the sensitive option for questions in forms if the overall form has a special option set called sensitiveMode (stored at root of form design). Add an option in the form level options to turn it on
Only display the sensitive option for questions in forms if the overall form has a special option set called sensitiveMode (stored at root of form design). Add an option in the form level options to turn it on
This needs to be tested really thoroughly as it will protect people's privacy.
Let me know what questions you have, and please start each of the changes in a branch named "sensitive-data" in forms, forms-designer, portal and server.
The text was updated successfully, but these errors were encountered: