Open mekkim opened 2 years ago
Upon chatting with @humphd, given we now store demographics in a separate catalogue so that it's not associated with requests, we can simply put the mask and test amounts in the demographics catalogue and it becomes the stand-alone-de-anonymized "statistics" catalogue. So we can simply delete whole requests from the requests catalogue at, say, 30 days after "requestFulfilled" is set to "true". No need to just delete some elements. This also gets rid of the time stamp that could otherwise be used to link the demographics entries, so it's a win for privacy and simplicity.
Is there a way to set a cronjob-like trigger where "requestFulfilled" flipping to "true" starts a 30-day timer to deletion of the whole entry?
Yes, we'll do a cron-style repeating function that runs regularly to do the cleanup.
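A sketch of the cleanup rule discussed above, as an added example that is not part of the original thread or the project's code: one run of a repeating job that deletes whole request entries 30 days after fulfilment. The in-memory catalogue, the `id` and `fulfilledAt` fields and the sample records are assumptions constructed for illustration; only `requestFulfilled` comes from the thread.

```javascript
// Added illustration. Only `requestFulfilled` is a field named in the thread;
// `id`, `fulfilledAt` and the in-memory catalogue are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Pure retention rule, so the scheduled job and its tests share one decision.
function splitByRetention(requests, now, retentionDays = 30) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  const keep = [], purge = [], needsReview = [];
  for (const r of requests) {
    // Unfulfilled requests are never purged, however old they are.
    if (r.requestFulfilled !== true) { keep.push(r); continue; }
    const fulfilledMs = Date.parse(r.fulfilledAt);
    // Fulfilled but no usable timestamp: the timer cannot be computed.
    // Report it instead of letting the private data sit there forever.
    if (Number.isNaN(fulfilledMs)) { needsReview.push(r); continue; }
    (fulfilledMs <= cutoff ? purge : keep).push(r);
  }
  return { keep, purge, needsReview };
}

// One run of the cron-style job: whole entries are dropped, not single fields.
function runCleanup(catalogue, now, retentionDays = 30) {
  const { keep, purge, needsReview } =
    splitByRetention(catalogue.requests, now, retentionDays);
  catalogue.requests = keep.concat(needsReview);
  return {
    deletedIds: purge.map((r) => r.id),
    reviewIds: needsReview.map((r) => r.id),
  };
}

// Constructed sample data (not real records).
function sampleCatalogue() {
  return {
    requests: [
      { id: "r1", requestFulfilled: true, fulfilledAt: "2024-01-15T00:00:00Z" },
      { id: "r2", requestFulfilled: true, fulfilledAt: "2024-02-20T00:00:00Z" },
      { id: "r3", requestFulfilled: false },
      { id: "r4", requestFulfilled: true }, // timestamp missing
    ],
  };
}

const demo = sampleCatalogue();
console.log(runCleanup(demo, new Date("2024-03-01T00:00:00Z")));
console.log(demo.requests.map((r) => r.id));
```

Because the run is idempotent, a missed or repeated schedule only delays or repeats a no-op; it never deletes an entry early.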
In order to protect the privacy of requestors, and comply with privacy law, once private information is no longer required, it should be deleted and the remaining data anonymized. I suggest some sort of automated trigger that happens X amount of time after the `requestFulfilled` field gets set to `true` (7/10/15/30 days maybe? Leeway to account for shipment tracking inquiries) that deletes the following information for that request: