The problem
When using Central, the sitewide admin is able to access all human readable data in all projects across the central installation. In a multi-user/service model deployment, this is problematic.
From a data security perspective, the current situation is non-ideal because the sitewide admin exists only to set up the project, to manage the users and so on. They rarely have a direct role in the project, or any responsibility for the stewardship of the data in the project. In my setup at LSHTM, I'm directly involved in about 12 of ~200 projects I host at any given time. The only way I can make the system compatible with GDPR, local standards etc. is either to (1) get myself named on the official paperwork as an individual with rights of access to the data or (2) to ask everyone to use project level encryption. Doing (1) is often problematic because [a] a lot of people don't think about this until it is too late and [b] many studies won't justify it as there has to be a coherent reason why I'd need it. As it stands, I currently have to use option (2) and ask everyone to encrypt everything. This sadly locks them out of the benefits of editing and any future entity based implementations of ODK. This problem is perhaps worse for commercial providers, where there's even less justification for the admins to be able to see a project's data, rather than simply to manage the service.
The goal of this feature request is
-
Sitewide admin should not be able to see human readable data on central projects unless they are also assigned a project role in the appropriate tab of the project. This makes for a more transparent view of who can access human readable data on any given project. In practical terms, this means that any sitewide admin should also be a project manager for any project on which they want to see human readable data.
-
Option to lock project roles with a password kept by the project manager. This acts as a preventative that stops the sitewide admin from simply assigning themselves a project role at any time [which would defeat the point of the previous feature]. Any changes to the project roles would therefore require the settings to be unlocked with a password known only to the project manager. This places full control of data access rights to project data with the project manager.
-
Project managers should be able to add web-users to their project with data collector or project viewer roles, removing the need for sitewide admin to manage this. I think that keeping project manager assignments with sitewide admin is sensible.
-
System logs should log system actions. Project logs should log project actions. Any changes to data should be logged and contained within the project environment. No project data should be accessible outside of the contol of the project roles.
What are some example use cases for this feature?
Use case 1
Current situation
- BÊlèn runs ODK Klood, an ODK Central hosting service. One project is a major clinical trial of a COVID-23 vaccine that is coincidentally recruiting participants in the neighbourhood in which BÊlèn lives. As sitewide admin, BÊlèn can see all the trial data and learns a lot of things she didn't know about her friends from the block.
Proposed situation
- BÊlèn runs ODK Klood, an ODK Central hosting service. One project is a major clinical trial of a COVID-23 vaccine that is coincidentally recruiting participants in the neighbourhood in which BÊlèn lives. As sitewide admin, BÊlèn creates the project and assigns several project roles including a project manager. BÊlèn does not need to see the data and so does not assign themselves a project role. The project manager then locks the project roles, preventing BÊlèn from being able to later access the data without it first being unlocked by the project manager. BÊlèn enjoys living in her community, knowing that she has supported the health of her her friends and neighbours whilst not compromising herself or exposing trial data.
Unknown element
- Momo is a really cool IT expert who manages the installation of Central and its databases for ODK Klood. Whether Momo can see all the data is a mystery to this narrator, but in this idealised world where ODK Klood is a thing, Momo has no reason to see the data and so they can't.
Use case 2
Current situation
- Harpo is working to support children who live on the streets in London. He plans to establish a central database of these children, which will be accessed and edited [all via Central] by stakeholders from the local authority, by teams from Harpo's charity and also by social workers on the ground. Harpo has read about ODK Central and realises that the new entity based features will be the perfect solution. Being short of funds and also low in IT support, Harpo applies to a zero-cost Central hosting provider that he finds on the internet. It all goes really well until Harpo discovers that the sitewide admin of the system is a member of a criminal gang who has stolen the data for horrible reasons. Things end badly.
Proposed situation
- Harpo is working to support children who live on the streets in London. He plans to establish a central database of these children, which will be accessed and edited by stakeholders from the local authority, by teams from Harpo's charity and also by social workers on the ground. Harpo has read about ODK Central and realises that the new entity based features will be the perfect solution. Being short of funds and also low in IT support, Harpo applies to a zero-cost Central hosting provider that he finds on the internet. It all goes really well and the children have much better lives.
Unknown element
- So this somewhat sensationalist use-case only really works if Momo-tui, the IT person, is also unable to see the human readable data. This is really only here to illustrate the fact that the person with highest data stewardship needs and responsibilities is the project manager and not the sitewide admin. They should have the power to lock the admin (or anyone else) out, without compromising UX functions like editing and entity based stuff.