User Guide

Unmasking De-identified Data

Under certain strict conditions it is possible to recover the original values for tokens contained in a Protected Data Domain (PDD). This is known as Unmasking. Privitar provides this unmasking capability to support:

  • Storing de-identified data in remote systems while locally retaining Token Vaults.

  • Processing records produced as part of an external analysis that contain masked values but conform to a different Schema.

Rules compatible with Unmasking

Given the appropriate Roles/permissions and Policy configuration, the de-identified output of several Privitar Rule types may be unmasked.

For a list of Rule types that are compatible with Unmasking, see Masking Rule Types Supporting Unmasking.

Restrictions on Unmasking

Unmasking the output from Rule types that support unmasking requires the following conditions to be met:

  • The Privitar User has the correct Role and permissions for the unmasking being performed.

  • It can be established which PDD and Rule produced the token.

  • The token was produced by a Rule with Preserve data consistency and Permit unmasking of original values enabled.

For all Rule types except the Encrypt and SecureLink Encryption Rules, the following is also required:

  • A populated Token Vault. That is, the Job has been run at least once to populate the Token Vault, and the Token Vault has not since been deleted.

Unmasking Features

Privitar can unmask tokens in two ways:

  • Unmasking a single token

  • Unmasking a file of tokens