Anonymisation through the editing of submissions

[elbill]

This feature request refers to GDPR compliance as well as many organisational code of conducts require the absence of sensitive personal information from submissions, or the anonymisation after e.g. 2 months. Confidential submissions could be edited to remove personal data or sensitive personal data (of reporter or reported person) that may not be relevant or could be a liability for the organisation. Anonymisation of submissions could also allow to keep submissions in the system for statistical purposes.

I see the point that editing submissions may be risky. There could be an indication that the submission has been edited/anonymised. Or the submission could be anonymised after the expiration date. There could be 2 options, delete or anonymise.

The other less invasive alternative is to delete all the submission information but still keep an "empty" entry (or a receiver note) and keeping labels to use for statistical purposes.

[evilaliv3]

Thank you for this great analysis @elbill.

This is actually a good feature related to https://github.com/globaleaks/GlobaLeaks/issues/2540 and https://github.com/globaleaks/GlobaLeaks/issues/2541.

I also consider important that on deletion of a tip some metadata is always preserved.

[elbill]

Indeed @evilaliv3 preserving some metadata and an additional entry/note from the receiver would cover most of the requirements with less programming time. Editing the entries would be quite handy, however it could create some operational risks and I assume would be more complicated to implement.

[fpietrosanti]

Reference to Data Retention based on Submission Status #2523