# PII Protection & Privacy

PII identification, crypto-shredding, and data subject rights per Canon Doctrine 5.

> **CANON DOCTRINE 5: PII MUTABILITY**
> The PII envelope is immutable. The payload MUST support crypto-shredding or externalization. A "forget" operation renders the PII unreadable while preserving the audit narrative.
## PII Field Classification

| Entity | PII Fields | Protection |
|---|---|---|
| Person | first_name, last_name, email, phone, address, ssn_last4 | Per-record encryption key |
| Donor | All person fields + payment_method_token | Per-record encryption key |
| Staff | All person fields + employee_id | Per-record encryption key |
| Medical | treatment_notes (when they contain person information) | Associated animal key |
## Crypto-Shredding Flow

```text
STEP 1: Erasure Request
  pii.erasure.requested { person_id, reason, requestor, legal_basis }
        ↓
STEP 2: Key Destruction
  DELETE FROM pii_keys WHERE person_id = ?   (encryption key permanently destroyed)
        ↓
STEP 3: Verification
  pii.erasure.completed { person_id, erased_at, verified_by_audit }
        ↓
RESULT: Audit trail preserved, PII unrecoverable
  "Adoption completed by [REDACTED] on 2025-03-15"
  "Donation of $100 received from [REDACTED] on 2025-06-20"
```
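The three-step flow above as an added Python example (not code from the original page or the project it describes): a per-record key store standing in for the `pii_keys` table, an envelope that is never modified, and an erase step that destroys the key and leaves the audit narrative rendering `[REDACTED]`. The SHA-256/HMAC stream cipher, the in-memory `pii_keys` and `events` structures, and the function names are assumptions; a real deployment would use an AEAD such as AES-GCM and a persistent key store.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Hypothetical in-memory stand-ins for the pii_keys table and the event log.
pii_keys: dict[str, bytes] = {}    # person_id -> per-record encryption key
events: list[tuple[str, dict]] = []

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_pii(person_id: str, plaintext: str) -> dict:
    """Wrap PII in an envelope under the person's per-record key (created on first use)."""
    key = pii_keys.setdefault(person_id, secrets.token_bytes(32))
    nonce, pt = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()   # integrity over nonce + ciphertext
    return {"person_id": person_id, "nonce": nonce, "ct": ct, "tag": tag}  # envelope is never rewritten

def decrypt_pii(env: dict) -> Optional[str]:
    """Return the plaintext, or None once the record key has been shredded."""
    key = pii_keys.get(env["person_id"])
    if key is None:
        return None
    expected = hmac.new(key, env["nonce"] + env["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope integrity check failed")
    return bytes(a ^ b for a, b in zip(env["ct"], _keystream(key, env["nonce"], len(env["ct"])))).decode()

def render_audit(template: str, env: dict) -> str:
    """The audit narrative survives erasure: the PII slot shows [REDACTED] once the key is gone."""
    name = decrypt_pii(env)
    return template.format(name="[REDACTED]" if name is None else name)

def erase_person(person_id: str, reason: str, requestor: str, legal_basis: str) -> None:
    """Steps 1-3 of the flow: request event, key destruction, completion event."""
    events.append(("pii.erasure.requested", {"person_id": person_id, "reason": reason,
                                             "requestor": requestor, "legal_basis": legal_basis}))
    if pii_keys.pop(person_id, None) is None:    # DELETE FROM pii_keys WHERE person_id = ?
        raise KeyError(f"no key for {person_id}")
    events.append(("pii.erasure.completed", {"person_id": person_id, "verified_by_audit": True,
                                             "erased_at": datetime.now(timezone.utc).isoformat()}))

if __name__ == "__main__":
    env = encrypt_pii("person-42", "Jane Doe")    # constructed sample record
    print(render_audit("Adoption completed by {name} on 2025-03-15", env))
    erase_person("person-42", "data_subject_request", "privacy-officer", "GDPR Art. 17")
    print(render_audit("Adoption completed by {name} on 2025-03-15", env))
```

Note that `env` is identical before and after `erase_person`; only the key store changes, which is what makes the stored envelope safe to keep for the audit trail.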
## Data Subject Rights

| Right | Implementation | Response Time |
|---|---|---|
| Access | Export personal data as JSON/PDF | 30 days |
| Rectification | Correction event with audit trail | 30 days |
| Erasure | Crypto-shredding (key destruction) | 30 days |
| Portability | Standard export format | 30 days |
| Restriction | Processing hold flag | Immediate |
| Object | Marketing opt-out | Immediate |
## Privacy by Design (Canon §10)

### Prohibited

- Behavioral ad targeting
- Donor data resale or enrichment
- Audience profiling beyond consent
- Marketing surveillance features
- Retargeting

### Required

- Anonymous donations supported
- Campaign → consent for messaging
- Explicit consent for marketing
- Data minimization
- Purpose limitation