====== Privacy sharing and pseudonymization ====== The **List of Contacts** ([[:en:survey:mailing]]) allows different privacy modes, including pseudonymous address entries. With pseudonymous address entries, it is not apparent to the project management which address entry belongs to which interview (CASE), but this assignment is stored internally on the survey server. This function is often used in multi-wave surveys in order to assign the data records of the different survey times to each other ([[:en:create:waves]]) without being able to assign the data directly to a person. However, the function of pseudonymous address entries can also be useful when the anonymity of the respondents is to be removed under certain circumstances. For example, in psychological and medical studies, it is not uncommon for respondents to consent to be contacted should their responses indicate a medical condition. For this field of application, SoSci Survey offers the possibility of automated (systematic) de-pseudonymization of data sets (cases in the data set), which can be linked to conditions using PHP code. ===== Preparation ===== In order for this de-pseudonymization to be documented clearly, a third person is first required whom you authorize for data protection releases in the survey project. This person needs a separate user account on the survey server. - Within the **project settings**, in the //sharing tab//, click on //set person// for //privacy approvals//. - Enter the username of the person you want to authorize for privacy approvals. - The changes are documented in the project management log (**User account** → **Projects** → Download button //log file for this project//). - The person you entered will now receive a message and must confirm the approval for your survey project. Together with the privacy release, this person also gets at least read access to the survey project. ===== PHP code and release ===== The function that triggers the removal of pseudonymity is ''[[:en:create:functions:paneldisclose|panelDisclose()]]''. This function can be conditionalized using [[:en:create:php-filters|PHP-Filter]]. So, for example, if you query a characteristic in the scale "SK01" that indicates a possible disease, and a scale mean of 4.0 is considered critical, then the PHP code could look like this: if (valueMean('SK01') >= 4) { panelDisclose('user01@department.example.com'); } This function can be placed at the earliest on the page that follows the page with question "SK01". As a parameter for the ''panelDisclose()'' function, the user name or e-mail address of the person who is allowed to view the contact data must be specified. If the contact data is to be shared with more than one person, the function can be inserted multiple times. A message appears below the PHP code stating that the ''panelDisclose()'' function can only be used with the permission of the data protection officer. In this message you will find a link to send a request for approval. **Note:** The request can be sent only after the person has accepted your approval for the survey project. If you access the link below the PHP code, you will be able to send an appropriate request. The person who is responsible for privacy approvals in your survey project will get this message in the user account. Then the person can call the corresponding page in the questionnaire and release the PHP code. The release is valid until you make changes to the PHP code (except blank lines and comments). ===== Viewing contact information ===== **Important:** SoSci Survey can only save the association between address entry and interview if the questionnaire was accessed via a personalized mail merge link. Make sure that the option "Mail Merge / Participation URL" is selected in the //access restrictions// under **Compose questionnaire** → //Settings//. If the filter for ''panelDisclose()'' becomes active in an interview, you will receive a message in the user account. Afterwards, you can go to **Send Invitations** → **Pseudonymization** to retrieve the information about which address entry belongs to the record in question. Both the removal of the pseudonymity and the retrieval of the address data are documented in the project log, which you can retrieve in the **Project Settings** → //Privacy tab// with the //Download Log// function.