fs-geofs / ErstiWeTool

signup & management platform for our freshmen's weekend
GNU General Public License v3.0

Allow anonymizing user PII #12

Closed noerw closed 6 years ago

noerw commented 6 years ago

storing PII is a liability. also, #11

we might want to keep non-PII for archiving purposes, so instead of deleting each user's row, we could replace name, date of birth, phone with placeholders, after the event has been conducted

SpeckiJ commented 6 years ago

I don't see any merit in keeping the specific user rows after anonymization.

For archiving purposes it would suffice to save completely anonymized general statistics (e.g. no. of participants, distribution of studies, etc.) and completely delete the user information.

For sake of simplicity this data could even be stored outside of the Database in a File storage as it is not needed inside the application itself.

SpeckiJ commented 6 years ago

When "destroying" the row-based data structure there is "true" anonymization, as specific properties cannot be associated with each other anymore (e.g. age with food choice).

I propose the following statistics to be stored for archival purposes:

christophfriedrich commented 6 years ago

I'd keep the anonymized, row-based data - who knows whether the aggregated statistics will always be good enough? Maybe, one day, we want to investigate e.g. how age and food choice correlate? I don't see any merit in destroying information when anonymizing does the job just as well.
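The two options discussed in this thread side by side, as an added example that is not part of the ErstiWeTool code base: in-place replacement of name, phone and date of birth with placeholders once the event is over, plus an aggregate export of the kind SpeckiJ proposes. The `users` table, its columns and the sample rows are assumptions constructed for the example; the date of birth is reduced to the birth year rather than blanked so that age-related questions like the one christophfriedrich raises remain answerable.

```python
import sqlite3
from datetime import date

# Constructed sample rows (not real participants): id, name, dob, phone, study, food
SAMPLE_USERS = [
    (1, "Alice Example", "1999-03-14", "+49 151 0000001", "Geoinformatics", "vegan"),
    (2, "Bob Example", "1998-11-02", "+49 151 0000002", "Geography", "omnivore"),
    (3, "Carol Example", "2000-07-21", "+49 151 0000003", "Geoinformatics", "vegetarian"),
]

def open_db():
    """In-memory DB with an assumed users table, filled with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, dob TEXT, "
               "phone TEXT, study TEXT, food TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db

def anonymize_users(db, event_end, today=None):
    """Overwrite direct identifiers in place once the event (ISO date) is over.
    name/phone become placeholders, dob is coarsened to the birth year so that
    age statistics stay possible. Idempotent; returns the number of rows changed."""
    today = today or date.today().isoformat()  # ISO strings compare chronologically
    if today <= event_end:
        return 0  # refuse to anonymize while the event has not taken place yet
    cur = db.execute(
        "UPDATE users SET name = 'anonymized', phone = NULL, dob = substr(dob, 1, 4) "
        "WHERE name != 'anonymized'"
    )
    db.commit()
    return cur.rowcount

def archive_stats(db):
    """Aggregate counts only, no per-person rows: the alternative archive format."""
    total = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    by_study = dict(db.execute("SELECT study, COUNT(*) FROM users GROUP BY study"))
    by_food = dict(db.execute("SELECT food, COUNT(*) FROM users GROUP BY food"))
    return {"participants": total, "by_study": by_study, "by_food": by_food}

def pii_remaining(db):
    """Check after the run: rows that still carry a name, phone or full date of birth."""
    return db.execute(
        "SELECT COUNT(*) FROM users WHERE phone IS NOT NULL "
        "OR name != 'anonymized' OR length(dob) > 4"
    ).fetchone()[0]
```

`pii_remaining` is the check to run (or schedule) after the event to confirm no identifying columns survived.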

noerw commented 6 years ago

I don't see any merit in collecting PII in the first place :^) :crossed_swords: `f i g h t !`