Masking PII
Introduction
This document serves as a comprehensive guide and framework for handling and protecting Personally Identifiable Information (PII) and Protected Health Information (PHI) within Aisera.
PII refers to any information that can be used to identify, locate, or contact an individual, either alone or in combination with other information.
PHI is any health information that includes elements identified by HIPAA and maintained by a covered entity or any information that can be reasonably used to identify a person.
As custodians of sensitive data, it is crucial for us to establish and maintain a secure environment to safeguard the privacy and confidentiality of individuals associated with Aisera.
The purpose of this document is to outline the steps through which customers can mark the PII information and best practices that should be followed when collecting, storing, transmitting, and disposing of PII. By adhering to these steps & guidelines, we aim to minimize the risk of unauthorized access, use, disclosure, alteration, or destruction of PII, thereby ensuring compliance with relevant privacy laws and regulations.
Supported Entities
Global
CREDIT_CARD
A credit card number is between 12 to 19 digits. Payment card number
CRYPTO
A Crypto wallet number. Currently only Bitcoin address is supported
DATE_TIME
Absolute or relative dates or periods or times smaller than a day.
DOMAIN_NAME
A domain name as defined by the DNS standard.
EMAIL_ADDRESS
An email address identifies an email box to which email messages are delivered
IBAN_CODE
The International Bank Account Number (IBAN) is an internationally agreed system of identifying bank accounts across national borders to facilitate the communication and processing of cross border transactions with a reduced risk of transcription errors.
IP_ADDRESS
An Internet Protocol (IP) address (either IPv4 or IPv6).
NRP
A person’s Nationality, religious or political group.
LOCATION
Name of politically or geographically defined location (cities, provinces, countries, international regions, bodies of water, mountains
PERSON
A full person name, which can include first names, middle names or initials, and last names.
PHONE_NUMBER
A telephone number
USA
US_BANK_NUMBER
A US bank account number is between 8 to 17 digits.
US_DRIVER_LICENSE
A US driver license. according to 
US_ITIN
US Individual Taxpayer Identification Number (ITIN). Nine digits that start with a "9" and contain a "7" or "8" as the 4 digit.
US_PASSPORT
A US passport number with 9 digits.
US_SSN
An US Social Security Number (SSN) with 9 digits.
UK
UK_NHS
A UK NHS number is 10 digits.
PII/PHI support and handling in Aisera
Aisera does not require any PII/PHI to fulfill its functions. It provides the capability to mask, anonymize, or remove PII/PHI information found within ingested, chat logs, or any other textual content prior to processing. Additionally, it has the ability to redact PII/PHI information from conversations that the end user has with the Aisera Virtual Agent so that when the request is reviewed in the Request Detail page, the system prevents the display of the PII/PHI data.
The configuration of the PII/PHI processing layer is conducted through the following steps:
Application of PII/PHI parameters to fields at the datasource level
Application of PII/PHI parameters to fields at the tenant configuration level
All PII/PHI scrubbing takes place at the ingress point, immediately upon the data being received by Aisera. Aisera has implemented a robust PII/PHI processing layer for the purpose of redacting, replacing, masking, or hashing PII/PHI information.
Regarding data collection, Aisera solely collects essential user information, namely usernames, email addresses, and locations, directly from the IT Teams. It only has API access to the source applications and does not make any alterations or modifications to this information in any way.
Applying PII/PHI at the datasource level
If you have your set of params ready you can apply it in the appropriate datasource field mappings by following the process below:
Go to Settings->Data Sources and select one of your tenant Data Sources.
Choose the Data Source that contains the fields you want to mask.
Scroll down until you see the list of fields.
Hover your pointer on the far right of the field you wish to anonymize and click on the pencil icon that appears.
Add the contents of a JSON file in the Anonymization Rules field (your Aisera representative can assist with this task.)
Do this for every field in the entity you want to anonymize.
Template:
This section contains a template you can use that will identify and scrub the following Aisera out-of-the-box Entities.
PERSON
PHONE
CREDIT CARD
The fields that need to be masked should be included in the AnalyzeTemplate object and the value it will be masked with should be added to the AnonymizeTemplate object.
{ "AnalyzeTemplate": { "fields": [ { "name": "PERSON" }, { "name":
"PHONE_NUMBER" }, { "name": "EMAIL_ADDRESS" }, { "name": "CREDIT_CARD" } ]
}, "AnonymizeTemplate": { "fieldTypeTransformations": [ { "fields": [ { "name": "PERSON" } ], "transformation": { "replaceValue": { "newValue": "
<PERSON>" } } }, { "fields": [ { "name": "PHONE_NUMBER" } ],
"transformation": { "replaceValue": { "newValue": "<PHONE_NUMBER>" } } },
{ "fields": [ { "name": "EMAIL_ADDRESS" } ], "transformation": {
"replaceValue": { "newValue": "<EMAIL_ADDRESS>" } } }, { "fields": [ { "name": "CREDIT_CARD" } ], "transformation": { "replaceValue": { "newValue": "<CREDIT_CARD>" } } } ] } }For entities that are not available as out-of-the-box entities, you will need to create a custom recognizer and specify the exact pattern of the data.
For example:
Server id can consist of more than 12 alphanumeric characters and some special characters or has the format ID-12345678. So you have to provide the pattern for each of these entities.
If a pattern is too generic, such as 8 numbers, the Aisera Gen AI platform cannot create a custom recognizer because it will have a lot of false positives.
Anonymization will be applied when data is ingested or pushed through web-hooks the next time through and they will be stored in an anonymized form within Aisera.
Applying PII/PHI at the tenant configuration level
If you want to anonymize/redact PII/PHI information out of the user queries/requests so that it is not visible to anyone reviewing it in the request detail page, follow the step below:
Go to Settings->Configuration->Conversation.
Enable Anonymize Conversation Audit.
In the section below Anonymize Conversation Audit, you will see the Anonymize Conversation Template.
Paste JSON code (similar to the example below) into the Anonymize Conversation Template, but with an additional element
"text":"$TEXT"as shown below:
{
"text":"$TEXT",
"AnalyzeTemplate":{
"allFields":true
},
"AnonymizeTemplate":{
"fieldTypeTransformations":[
{
"fields":[
{
"name":"PHONE_NUMBER"
}
],
"transformation":{
"maskValue":{
"maskingCharacter":"*",
"charsToMask":8,
"fromEnd":false
}
}
},
{
"fields":[
{
"name":"DOMAIN-NAME"
}
],
"transformation":{
"redactValue":{
}
}
}
]
}Examples:
Scrub SSN in the ticket title
In the Data Source, edit the field mapping for Title.
In Anonymization Rules add the following payload:
{
"AnalyzeTemplate":{
"fields":[
{"name": "US_SSN"}
]
},
"AnonymizeTemplate":{
"fieldTypeTransformations":[
{
"fields":[
{
"name":"US_SSN"
}
],
"transformation":{
"maskValue":{
"maskingCharacter":"*",
"charsToMask":8,
"fromEnd":false
}
}
}
]
}This configuration will mask first 8 characters of the SSN (********12435).
Click OK to save the mapping.
Scrub SSN and credit card in the ticket description
In the datasource, edit the field mapping for Description
In Anonymization Rules add the following payload:
{
"AnalyzeTemplate":{
"fields":[
{"name": "US_SSN"},
{"name": "CREDIT_CARD"}
]
},
"AnonymizeTemplate":{
"fieldTypeTransformations":[
{
"fields":[{"name":"US_SSN"}],
"transformation":{
"maskValue":{
"maskingCharacter":"*",
"charsToMask":8,
"fromEnd":false
}
}
},
{
"fields":[{"name":"CREDIT_CARD"}],
"transformation":{
"replaceValue":{
"newValue":"<CREDIT_CARD>"
}
}
}
]
}This configuration will:
Mask the first 8 characters of the
SSN (********12435)Replace the credit card number with the literal
<CREDIT_CARD>
3. Click OK to save the mapping
Payload to mask multiple fields
You can use the following payload to apply the same transformation (masking) to multiple fields:
Person's name
Phone
Email
Credit card
Dates
SSN
Driver's license number
{
"AnalyzeTemplate":{
"fields":[
{"name":"PERSON"},
{"name":"PHONE_NUMBER"},
{"name":"EMAIL_ADDRESS"},
{"name":"CREDIT_CARD"},
{"name":"DATE_TIME"},
{"name":"US_SSN"},
{"name":"US_DRIVER_LICENSE"}
]
},
"AnonymizeTemplate":{
"fieldTypeTransformations":[
{
"fields":[
{"name":"PERSON"},
{"name":"PHONE_NUMBER"},
{"name":"EMAIL_ADDRESS"},
{"name":"CREDIT_CARD"},
{"name":"DATE_TIME"},
{"name":"US_SSN"},
{"name":"US_DRIVER_LICENSE"}
],
"transformation":{
"maskValue":{
"maskingCharacter":"*",
"charsToMask":8,
"fromEnd":false
}
}
}
]
}
Last updated