Anonymizing Old Accounts

Description

This procedure overwrites the personally identifiable information in old accounts which no longer contain information of use to the club, in order to comply with the data protection principle that data should not be stored longer than necessary. Typically, accounts closed more than three years ago might be considered for anonymization.

This procedure should be performed once a year or so. Normally it would be done at a quiet time of year, just after a backup has been taken.

The general process is to scan a number of months looking for account deletion transactions. As these are scanned, the date of the earliest applicable account creation transaction is noted. Then the start-of-month files for all of the months from that of the last deletion transaction back to the first account creation transaction are processed. In this process the transactions are copied to a processed start-of-month file, except that personally identifiable information in Account Creation and Account Modification transactions for the accounts referenced by the deletion transactions mentioned above is overwritten with asterisks and/or spaces.

The account fields which are considered to be personally identifiable information are:

In addition, the telephone numbers are marked as private and the account is marked as 'to be collected' to reduce the risk of this non-data being used.

When looking for account deletion transactions, those transactions which are marked as deleted are ignored for the purposes of this operation. However, when dealing with account creation and modification transactions, deleted transactions are modified to ensure that all personally identifiable information is deleted.

Once the start-of-month transactions for a month have been completely processed the start-of-month file is replaced by the processed file.

Once all of the months have been dealt with, the state files from the first affected month through to the current month will need to be rebuilt.
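
A minimal model of the two-phase process described above, added here as an illustration and not Max2's own code. The transaction dictionaries, the `YYYY-MM` month keys and the PII field names are assumptions, since the page does not give the file format or reproduce the field list.

```python
# Assumed field names; the page's own list of PII fields is not reproduced here.
PII_FIELDS = ("name", "address", "phone")

def scrub(txn):
    """Copy a transaction with its PII overwritten by asterisks."""
    out = dict(txn)
    for field in PII_FIELDS:
        if field in out:
            out[field] = "*" * len(out[field])
    out["phone_private"] = True      # telephone numbers marked private
    out["to_be_collected"] = True    # account marked 'to be collected'
    return out

def anonymize(months, first, last):
    """months maps 'YYYY-MM' to a list of transaction dicts (constructed format)."""
    targets, last_del = set(), None
    for m in sorted(months):                      # phase 1: find deletions
        if first <= m <= last:
            for t in months[m]:
                # Deletion transactions that are themselves marked deleted are ignored.
                if t["type"] == "delete" and not t["deleted"]:
                    targets.add(t["account"])
                    last_del = m
    if not targets:
        return set(), []                          # nothing found, data left untouched
    first_create = min((m for m, txns in months.items() for t in txns
                        if t["type"] == "create" and t["account"] in targets),
                       default=last_del)
    # Phase 2: newest month first, from last deletion back to first creation.
    order = [m for m in sorted(months, reverse=True) if first_create <= m <= last_del]
    for m in order:
        # Create/modify transactions marked deleted are scrubbed too.
        processed = [scrub(t) if t["type"] in ("create", "modify")
                     and t["account"] in targets else t for t in months[m]]
        months[m] = processed                     # replace only once the month is complete
    return targets, order

def sample_months():
    """Constructed sample data, not real Max2 records."""
    return {
        "1993-08": [{"type": "create", "account": 1, "deleted": False, "name": "A Member", "phone": "555 0100"},
                    {"type": "create", "account": 2, "deleted": False, "name": "B Member", "phone": "555 0101"}],
        "1994-02": [{"type": "modify", "account": 1, "deleted": True, "name": "A. Member", "phone": "555 0100"}],
        "1995-03": [{"type": "delete", "account": 1, "deleted": False},
                    {"type": "delete", "account": 2, "deleted": True}],
    }
```

Calling `anonymize(sample_months(), "1995-01", "1995-12")` selects only account 1, because account 2's deletion transaction is itself marked deleted, and it still scrubs the deleted modification transaction in 1994-02.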

Conditions

Write access.

Operator Level


Usage

In the Main Window select Manager -> Anonymize Old Accounts.... This causes the Anonymize Old Accounts options dialog box to be displayed:

This window is used to specify the months to be searched for account deletion transactions. The first time that anonymization is done the start month should be the first for which there could be such a transaction (e.g., 1993 August for Booker). Subsequent runs should normally start from the month after the one in which the last anonymization operation finished. However, apart from a little wasted time, there is no harm in running the operation more than once on a month.

Typically a single year is done at a time but it's quite OK to do longer runs. E.g., on the first run it would be sensible to do all the very old accounts: for Booker perhaps from 1993 September to 2005 June or so.

Once OK is pressed, Max2 scans the specified months, making a list of the accounts to be anonymized. If no account deletion transactions are found, a message box is displayed and the operation is terminated, but in the normal case a confirmation message box is displayed:

Note that the months displayed in this dialog box are those of the first account creation and the last account deletion for the accounts whose deletion transactions were found. They will typically be earlier than the last month selected in the options dialog box above.

Pressing Cancel here results in the operation being terminated with no changes to the database.

Pressing OK results in Max2 stepping through each of the months for which there might be an account creation or modification transaction for one of the accounts whose deletion was found in the first phase, overwriting the personally identifiable information in the start-of-month transaction files.

This operation is done in reverse order of months. This is because the operation for each month results in that month's and all subsequent months' state files being deleted. If the operation were done in forward order, it would be awkward to avoid rebuilding the state files as each month was reached, only to delete them again as the start-of-month file was updated.

Once this operation has completed the following message box is displayed:

Select OK then do a state file rebuild. Note that when the anonymization operation completes it leaves the first affected month as the current month so the rebuild can be started in that month.

