Confounded by privacy settings for complex layers

I’m building a caregiving coordination app and want the privacy to be highly customizable. Not sure if this is possible in Bubble, now that I’m digging in deeper. Would greatly appreciate some advice here from a seasoned privacy Bubbler.

I have Users who can be a member of one or more private CareHubs. Each CareHub contains CareAreas and CareAreaRoles, and each User has a usertype (admin/primary/secondary/supporter/paid caregiver). There are documents, journal entries, files, etc. that pertain to various CareAreas and may need to be accessible or not depending on usertype or depending on default settings set by the admin. Ideally, privacy (e.g., whether someone has access to a patient’s health info or financial/legal info) would be customizable at various levels: User/CareArea/CareAreaRole/usertype, so that my app can be responsive to the needs of my caregiving families and their teams. And obviously, people need to be able to access only those CareHubs for which they have permission.

Originally, I set my database up with a table for CareTeamMembers to record data specific to a User’s relationship to that particular CareHub (such as their role in that hub, how they’re connected to the care recipient, etc.), but now that I’m combing through to get the privacy right, I’m getting really stumped.

I’ve gone back through and added HubAdmins, HubPrimary, etc. fields to the CareHubs so that I could do privacy based on hub role types, and I just went through and added hub_health_access and hub_financial_access list fields to the User table so that their permissions for those arenas could be tracked at the user level but still be accessible in the privacy settings. However, I’m running into a problem.

In my JournalEntries table, I want to set permissions so that only those users who have health access can access the journal entries associated with the health care area, but there’s no way I can find to dig in that deep. I know I can do some of this with visibility at the UI level, but some of this is incredibly sensitive information, and I need the privacy to be tight. I will have the same issue in several other tables that hold various types of data tagged by CareArea and CareAreaRole.

I’d gratefully welcome any help or advice. Or just tell me if I should stop banging my head against this particular wall and accept this as a limitation of the platform.

Thanks,
Rachel
www.CaregivingHQ.com


This is hard to parse without seeing it, but when dealing with privacy rules, two-way data connections are very useful. They are cumbersome to maintain but can help with privacy-intense applications. So, you can easily navigate in privacy rules to “this caregiver’s care area contains this” and “this caregiver’s careteammember is in this,” etc.

Thank you, @grottofilms, for responding. Yes, I’m concerned about setting up tons of 2-way data connections, but even with those, it seems I can only create privacy settings from the User and from the Thing, without conditions. Any workarounds you know of?

Not really sure; it’s hard to talk about this stuff in the abstract. Maybe you could create and update a list of things that indicate access?

That’s all you can do. You’ve got it pretty well figured out. Note that Privacy Rules are not intended for “privacy protection” in the PII/PHI sense. If you’re going to attempt that you’ll use (as I think you’re doing) Privacy Rules in conjunction with careful management of your data access.

(This is a long way of saying: PRs are convenient, but not sufficient for a “sensitive data” type app.)

What they are for is for making user-centric apps insanely simple. Consider:

  • If you are building a User-centric app, privacy rules are awesome. They eliminate any need to do anything to enable full multi-user/multi-tenant functionality.

  • For example: You can build an app where each User can create any number of Things. But Things can ONLY be seen by their creating User.

  • And then, in your (non-code) code, you need never differentiate between the logged in User and all other Users. “Search for ‘Things’” will only yield Things that the User created.

If you think about it, Privacy Rules are like a static/standing filter between your requests and the database. You can’t screw it up. You can just ask for all Things and only those Things that the User created (or otherwise has access to) will ever be returned.

And that’s what Privacy Rules are for.

But that’s it. If you need to go beyond that, you have to manage things yourself. You can protect some things from accidental search exposure, but not all things. That’s just how it is.

This is not to say that you can’t do more complex private data protection. On the contrary, you can do as much as you like.

But you can’t SOLELY count on these “standing filters” to protect the data for you.

That’s pretty much it.

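To make the “standing filter” idea above concrete, here is an added example (not code from the thread, from Bubble, or from CaregivingHQ) that models a Bubble-style privacy rule as a filter applied to every search. It shows three rules side by side: the creator-only rule that a standing filter expresses trivially, the hub-membership-plus-care-area rule the original post is trying to reach, and the “maintain a list that indicates access” approach suggested earlier in the thread, where the allowed readers are materialised into a list field so the standing rule collapses to a simple membership test. The field names hub_health_access and hub_financial_access come from the original post; the User/JournalEntry shapes, the care_area values and the sample people and hubs are constructed assumptions for illustration.

```python
# Added example, not from the thread or from Bubble: a Bubble-style privacy
# rule modelled as a standing filter on every search, plus the "list field
# that indicates access" approach. Entity shapes, care_area values and the
# sample data are assumptions; only hub_health_access / hub_financial_access
# are names taken from the original post.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class User:
    name: str
    hubs: FrozenSet[str]                                 # CareHubs the user belongs to
    hub_health_access: FrozenSet[str] = frozenset()      # hubs where health data may be read
    hub_financial_access: FrozenSet[str] = frozenset()   # hubs where financial/legal data may be read


@dataclass(frozen=True)
class JournalEntry:
    entry_id: int
    hub: str
    care_area: str      # "health", "financial" or "general" (assumed values)
    created_by: str


Rule = Callable[[User, JournalEntry], bool]


def creator_only(user: User, entry: JournalEntry) -> bool:
    """The rule a standing filter expresses trivially: visible only to its creator."""
    return entry.created_by == user.name


def care_area_rule(user: User, entry: JournalEntry) -> bool:
    """The rule the original post wants: hub membership plus per-care-area access."""
    if entry.hub not in user.hubs:
        return False
    if entry.care_area == "health":
        return entry.hub in user.hub_health_access
    if entry.care_area == "financial":
        return entry.hub in user.hub_financial_access
    return True  # general entries are visible to every hub member


def search(user: User, entries: Iterable[JournalEntry], rule: Rule) -> List[int]:
    """A standing filter: every query passes through the rule, so a page can
    simply 'search for JournalEntries' without re-checking access in the UI."""
    return [e.entry_id for e in entries if rule(user, e)]


def readers_for(entry: JournalEntry, users: Iterable[User]) -> FrozenSet[str]:
    """Materialise who may read an entry into a list field when it is saved, so
    the standing rule becomes a plain membership test a simple rule engine can express."""
    return frozenset(u.name for u in users if care_area_rule(u, entry))


def membership_rule(readers_index: Dict[int, FrozenSet[str]]) -> Rule:
    """'Current User is in this Entry's readers' as a standing filter."""
    def rule(user: User, entry: JournalEntry) -> bool:
        return user.name in readers_index.get(entry.entry_id, frozenset())
    return rule


# Constructed sample data: one hub with an admin and a supporter, plus one
# unrelated hub with its own member.
RACHEL = User("rachel", frozenset({"smith-hub"}), frozenset({"smith-hub"}), frozenset({"smith-hub"}))
DANA = User("dana", frozenset({"smith-hub"}))  # supporter: no health or financial access
PAT = User("pat", frozenset({"other-hub"}), frozenset({"other-hub"}))
USERS = [RACHEL, DANA, PAT]

ENTRIES = [
    JournalEntry(1, "smith-hub", "health", "rachel"),
    JournalEntry(2, "smith-hub", "financial", "rachel"),
    JournalEntry(3, "smith-hub", "general", "dana"),
    JournalEntry(4, "other-hub", "health", "pat"),
]

# Per-entry reader lists; these must be recomputed whenever hub membership or a
# user's access fields change, which is the maintenance cost of this approach.
READERS = {e.entry_id: readers_for(e, USERS) for e in ENTRIES}


if __name__ == "__main__":
    for user in USERS:
        print(user.name,
              "creator_only:", search(user, ENTRIES, creator_only),
              "care_area:", search(user, ENTRIES, care_area_rule),
              "readers list:", search(user, ENTRIES, membership_rule(READERS)))
```

The point to take from it: `search(DANA, ENTRIES, lambda u, e: True)` returns every entry, which is exactly what a search reaches when access is enforced only by element visibility in the UI rather than by a rule between the request and the data. The reader-list variant keeps the per-entry rule simple enough for a standing filter, at the price of having to recompute the list every time a user joins or leaves a hub or has an access field changed.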

Thank you, @keith. This is helpful. I think I’d gotten the impression from other posts on this forum that privacy is most effectively set at the Privacy Settings level, rather than at the UI level, which is why I’ve been trying to figure out how to do it there. Given the complexity of my application, I think I’ll just need to go through extra carefully with each element on each page. I’d love to see a HIPAA-enabled version of Bubble someday, but in the meantime, I’m certainly avoiding any PHI interactions with providers that would require HIPAA-level compliance. All data will be user-entered, which spares me that regulatory headache, but I want it to be super-secure regardless, of course. Thanks.
