cds-snc / covid-alert-server

Exposure Notification: Diagnosis Server implementation / Notification d’exposition : Mise en œuvre du serveur de diagnostic
Apache License 2.0

Determine appropriate retention for database backups #198

Open maxneuvians opened 4 years ago

maxneuvians commented 4 years ago

According to https://blog.google/documents/72/Exposure_Notifications_Service_Additional_Terms.pdf:

"Diagnosis Keys may only be retained for 30 days from the time of collection."

Based on that information we can set our database retention to 15 days maximum, as we store 15 days of data in the database. (15 + 15 = 30).

However, this is the upper bound, we can also lower it based on operational requirements.

AC:

obrien-j commented 4 years ago

I would just note that while it appears we have a nice and clean 15-day retention limit for both the encryption keys table and the diagnosis_keys table, the former should actually be retained until a sliding day window up to and including day0+14, so really, day13 plus 14. A whiteboard would make this easier.

Let's leave this open, for the time being, and potentially raise another issue for ensuring correctness on the pruning of the encryption keys table accordingly.

sboots commented 4 years ago

Raised this with HC colleagues on August 31; discussed it with HC Privacy and OPC representatives on Sept. 16. No major red-flags raised.

Making this change is dependent on amending the 3 already-signed provincial and territorial agreements; timelines for making these amendments are still TBD, based on HC discussions.

stephenyates-gc commented 4 years ago

Still waiting to hear back from HC with regards to ON and NL, which may involve re-signing agreements.