Closed noerw closed 6 years ago
I don't see any merit in keeping the specific user rows after anonymization.
For archiving purposes it would suffice to save completely anonymized general statistics (e.g. no. of participants, distribution of studies, etc.) and completely delete the user information.
For the sake of simplicity this data could even be stored outside of the database in a file storage as it is not needed inside the application itself.
When "destroying" the row-based data structure there is "true" anonymization as specific properties cannot be associated with each other anymore (e.g. age with food choice).
I propose the following statistics to be stored for archival purposes:
I'd keep the anonymized, row-based data - who knows whether the aggregated statistics will always be good enough? Maybe, one day, we want to investigate e.g. how age and food choice correlate? I don't see any merit in destroying information when anonymizing does the job just as well.
Storing PII is a liability. Also, #11
We might want to keep non-PII for archiving purposes, so instead of deleting each user's row, we could replace name, date of birth, phone with placeholders, after the event was conducted.
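
The two options discussed in this thread, as an added example that is not part of the thread or the project's code: placeholder replacement on the rows versus aggregate-only archiving, with a check of how many rows remain unique on the combination (age, studies, food). The `users` table, its column names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; table layout and column names are assumptions.
SAMPLE_USERS = [
    ("Ada Example", "1998-04-01", "+00 000 0001", 21, "Geoinformatics", "vegan"),
    ("Ben Example", "1998-09-12", "+00 000 0002", 21, "Geoinformatics", "vegan"),
    ("Cem Example", "1997-01-30", "+00 000 0003", 22, "Geography", "meat"),
    ("Dana Example", "1990-06-15", "+00 000 0004", 29, "Landscape Ecology", "vegetarian"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (name TEXT, date_of_birth TEXT, phone TEXT,"
        " age INTEGER, studies TEXT, food TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def anonymize_rows(db):
    """Option 1: keep the rows, overwrite the direct identifiers."""
    db.execute("UPDATE users SET name = 'anonymized', date_of_birth = NULL, phone = NULL")


def smallest_group(db):
    """Size of the smallest group sharing (age, studies, food).

    A result of 1 means at least one row is still unique on the attributes
    that remain after the direct identifiers were replaced.
    """
    rows = db.execute("SELECT COUNT(*) FROM users GROUP BY age, studies, food")
    return min(n for (n,) in rows)


def archive_aggregates(db):
    """Option 2: keep per-column counts only, then delete the rows."""
    stats = {"participants": db.execute("SELECT COUNT(*) FROM users").fetchone()[0]}
    for col in ("studies", "food"):  # fixed column names, never user input
        stats[col] = dict(db.execute(f"SELECT {col}, COUNT(*) FROM users GROUP BY {col}"))
    db.execute("DELETE FROM users")
    return stats


if __name__ == "__main__":
    db = build_db()
    anonymize_rows(db)
    print("smallest (age, studies, food) group:", smallest_group(db))
    print("archived statistics:", archive_aggregates(db))
```
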