Sensitive Field Definition
Data Entity
Description
Defines which form fields are classified as sensitive personal data (e.g., address, contact details, medical history) requiring a spoken disclosure warning before a screen reader vocalises their content. Maintained by administrators via admin CRUD operations, loaded from Supabase on session start, and cached locally for low-latency focus-event lookups.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key — immutable unique identifier for this sensitive field definition record. | PK, required, unique |
| field_id | string | Stable programmatic identifier for the form field (e.g., 'contact_address', 'medical_history', 'personnummer'). Used as the lookup key in focus-event handlers. Must follow snake_case naming convention. | required |
| field_name | string | Human-readable display name used in warning dialogs and admin UIs (e.g., 'Home Address', 'Medical History'). May be overridden per organisation via the organisation_label relationship. | required |
| data_category | enum | Broad data protection category that determines the sensitivity level and default warning phrasing. Used to group fields in admin reports and to inform GDPR data classification. | required |
| is_sensitive | boolean | Master toggle indicating whether the spoken disclosure warning must be presented before a screen reader vocalises this field. False means the record is retained for audit history but the guard is inactive. | required |
| organization_id | uuid | Foreign key to the organisation that owns this definition. NULL means the definition applies globally to all organisations. Enables per-tenant overrides for fields that are sensitive in one context but not another. | - |
| route_context | string | Optional GoRouter route name (e.g., '/contact/:id/edit') scoping where the guard is active. If null, the guard applies to every screen that renders a widget with this field_id. | - |
| warning_message_key | string | Label key resolved via the organisation terminology system to produce the custom warning message text. Falls back to a default warning template when null. | - |
| suppress_duration_seconds | integer | Seconds for which the warning is suppressed after the user confirms it once within a session. Prevents repeated interruptions on revisit. Defaults to 1800 (30 minutes). Set to 0 to require confirmation on every focus event. | - |
| created_by | uuid | User ID of the administrator who created this record. Stored for the audit trail and cannot be changed after creation. | required |
| created_at | datetime | UTC timestamp of record creation. Set automatically by the database and immutable thereafter. | required |
| updated_by | uuid | User ID of the administrator who last modified this record. | - |
| updated_at | datetime | UTC timestamp of the most recent update, maintained automatically via a database trigger on every write. | required |
Database Indexes
| Index | Columns |
|---|---|
| idx_sensitive_field_def_field_org | field_id, organization_id |
| idx_sensitive_field_def_org_id | organization_id |
| idx_sensitive_field_def_is_sensitive | is_sensitive |
| idx_sensitive_field_def_category | data_category |
| idx_sensitive_field_def_updated_at | updated_at |
Validation Rules
| Rule | Severity | Message |
|---|---|---|
| field_id_snake_case_format | error | Validation failed |
| field_name_non_empty | error | Validation failed |
| data_category_valid_enum | error | Validation failed |
| suppress_duration_range | error | Validation failed |
| created_by_valid_admin_user | error | Validation failed |
| organization_id_active_org | error | Validation failed |
| warning_message_key_in_label_registry | error | Validation failed |
| route_context_valid_route_name | warning | Validation failed |
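The DDL below is an added example, not the project's own migration. It expresses the data structure, the indexes and the column-level validation rules above (snake_case field_id, non-empty field_name, suppress_duration floor, immutable created_by/created_at, trigger-maintained updated_at) as PostgreSQL constraints for a Supabase database, and it also implements the unique_field_id_per_organization rule stated under Business Rules. Assumptions, marked in comments: the `public.organizations` table and the `public.data_category` enum type (whose members the page does not list) already exist; `auth.users` is Supabase's built-in user table; the page gives no upper bound for suppress_duration_seconds, so only the floor of 0 is enforced. Rules that need a lookup outside this table (created_by_valid_admin_user, organization_id_active_org, warning_message_key_in_label_registry, route_context_valid_route_name) are not expressed here.

```sql
-- Added example (not the project's schema). Assumed to exist: public.organizations,
-- the public.data_category enum type, and Supabase's auth.users.
create table public.sensitive_field_definition (
  id                        uuid primary key default gen_random_uuid(),
  field_id                  text not null,
  field_name                text not null,
  data_category             public.data_category not null,   -- enum type assumed; members not on the page
  is_sensitive              boolean not null,
  organization_id           uuid references public.organizations (id),  -- NULL = global definition
  route_context             text,
  warning_message_key       text,
  suppress_duration_seconds integer not null default 1800,    -- 0 = confirm on every focus event
  created_by                uuid not null references auth.users (id),
  created_at                timestamptz not null default now(),  -- stored in UTC
  updated_by                uuid references auth.users (id),
  updated_at                timestamptz not null default now(),

  -- field_id_snake_case_format: lowercase words separated by single underscores
  constraint sfd_field_id_snake_case
    check (field_id ~ '^[a-z][a-z0-9]*(_[a-z0-9]+)*$'),
  -- field_name_non_empty: whitespace-only names are rejected too
  constraint sfd_field_name_non_empty
    check (length(btrim(field_name)) > 0),
  -- suppress_duration_range: the page gives no upper bound, so only the floor is enforced (assumption)
  constraint sfd_suppress_duration_range
    check (suppress_duration_seconds >= 0)
);

-- unique_field_id_per_organization. A plain UNIQUE on (field_id, organization_id)
-- would still admit two global rows for the same field_id, because SQL treats
-- NULLs as distinct; NULLS NOT DISTINCT (PostgreSQL 15+) closes that gap.
create unique index idx_sensitive_field_def_field_org
  on public.sensitive_field_definition (field_id, organization_id)
  nulls not distinct;

create index idx_sensitive_field_def_org_id
  on public.sensitive_field_definition (organization_id);
create index idx_sensitive_field_def_is_sensitive
  on public.sensitive_field_definition (is_sensitive);
create index idx_sensitive_field_def_category
  on public.sensitive_field_definition (data_category);
create index idx_sensitive_field_def_updated_at
  on public.sensitive_field_definition (updated_at);

-- updated_at is maintained on every update; the same trigger rejects changes
-- to created_by and created_at, which the page marks immutable.
create or replace function public.sensitive_field_definition_before_update()
returns trigger
language plpgsql
as $$
begin
  if new.created_by is distinct from old.created_by
     or new.created_at is distinct from old.created_at then
    raise exception 'created_by and created_at are immutable on %', tg_table_name;
  end if;
  new.updated_at := now();
  return new;
end;
$$;

create trigger trg_sensitive_field_definition_before_update
  before update on public.sensitive_field_definition
  for each row execute function public.sensitive_field_definition_before_update();
```

On PostgreSQL versions before 15, replace the `nulls not distinct` index with two partial unique indexes: one on `(field_id, organization_id) where organization_id is not null` and one on `(field_id) where organization_id is null`. Either way, the global and per-org cases both end up with at most one row per field_id.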
Business Rules
| Rule | Description |
|---|---|
| unique_field_id_per_organization | The combination of field_id and organization_id must be unique. A given field may have one global definition (organization_id IS NULL) and one per-org override, but not two records for the same (field_id, organization_id) pair. Note that a plain UNIQUE constraint on (field_id, organization_id) does not enforce this for global records, because SQL treats NULLs as distinct from each other; the global case needs either a partial unique index on field_id WHERE organization_id IS NULL or a NULLS NOT DISTINCT unique index (PostgreSQL 15+). |
| org_specific_overrides_global | When resolving whether a field is sensitive, an organisation-scoped record (matching organization_id) takes precedence over the global record (organization_id IS NULL). This allows an org to opt a field out of the global sensitive list. |
| cache_invalidation_on_change | Any write operation (create, update, delete) to a sensitive_field_definition record must invalidate the in-memory and local-storage cache held by sensitive-field-configuration so that focus-event lookups reflect the latest state on the next session start or cache refresh. Until a client refreshes its cache, focus-event lookups on that client continue to use the previous classification. |
| admin_only_write_access | Only users holding the organisation_admin or global_admin role may create, update, or delete sensitive field definitions. Coordinators and peer mentors have read-only access via the cached lookup. Because the client talks to Supabase directly, this must be enforced by row-level security on the table, not only by hiding the admin UI. |
| inactive_record_preserved_for_audit | Setting is_sensitive to false disables the warning guard but does not remove the record. Hard deletion is reserved for records explicitly removed by an admin. This preserves an audit trail of historical field classification changes. |
| warning_key_must_resolve | If warning_message_key is set, it must exist as a key in the organisation's label registry at save time. This prevents a silent fallback to empty warning text, which would leave screen reader users without disclosure. |
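The following is an added example, not the project's own policy code. It shows how admin_only_write_access is enforced at the database with Supabase row-level security, and how org_specific_overrides_global is applied when resolving a field for an organisation. `auth.uid()` is Supabase's built-in helper; the `public.user_roles` table is an assumption, because the page names the roles (organisation_admin, global_admin, coordinator, peer mentor) but not where they are stored. One design choice goes beyond the page's wording: global definitions (organization_id IS NULL) are writable only by global_admin, and an organisation_admin may write only rows scoped to an organisation it administers.

```sql
-- Added example (not the project's code). Assumed: public.user_roles holds role
-- assignments; public.sensitive_field_definition and public.organizations exist;
-- auth.uid() is Supabase's current-user helper.
create table if not exists public.user_roles (
  user_id         uuid not null references auth.users (id),
  organization_id uuid references public.organizations (id),  -- NULL for global roles
  role            text not null
    check (role in ('global_admin', 'organisation_admin', 'coordinator', 'peer_mentor')),
  unique (user_id, organization_id, role)
);

-- True if the caller may write a definition scoped to p_org. Global rows
-- (p_org IS NULL) are reserved for global_admin; organisation_admin is limited
-- to its own tenant. SECURITY DEFINER lets the policy read user_roles even if
-- that table has its own RLS.
create or replace function public.can_manage_sensitive_field(p_org uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.user_roles r
    where r.user_id = auth.uid()
      and (r.role = 'global_admin'
           or (r.role = 'organisation_admin'
               and p_org is not null
               and r.organization_id = p_org))
  );
$$;

alter table public.sensitive_field_definition enable row level security;

-- Read access for every signed-in user (coordinators and peer mentors included):
-- global rows plus the rows of organisations the user belongs to.
create policy sfd_select on public.sensitive_field_definition
  for select to authenticated
  using (
    organization_id is null
    or exists (
      select 1 from public.user_roles r
      where r.user_id = auth.uid()
        and (r.role = 'global_admin'
             or r.organization_id = sensitive_field_definition.organization_id)
    )
  );

-- Writes: the admin check runs against the row as written, so an
-- organisation_admin can neither create a global row nor move a row into a
-- tenant it does not administer. created_by/updated_by are pinned to the caller.
create policy sfd_insert on public.sensitive_field_definition
  for insert to authenticated
  with check (public.can_manage_sensitive_field(organization_id)
              and created_by = auth.uid());

create policy sfd_update on public.sensitive_field_definition
  for update to authenticated
  using (public.can_manage_sensitive_field(organization_id))
  with check (public.can_manage_sensitive_field(organization_id)
              and updated_by = auth.uid());

create policy sfd_delete on public.sensitive_field_definition
  for delete to authenticated
  using (public.can_manage_sensitive_field(organization_id));

-- org_specific_overrides_global: when both a global and an org-scoped row exist
-- for p_field_id, the org-scoped row wins. (organization_id IS NULL) orders
-- false before true, so the override sorts first; with p_org NULL only the
-- global row matches.
create or replace function public.resolve_sensitive_field(p_field_id text, p_org uuid)
returns setof public.sensitive_field_definition
language sql stable
as $$
  select d.*
  from public.sensitive_field_definition d
  where d.field_id = p_field_id
    and (d.organization_id is null or d.organization_id = p_org)
  order by (d.organization_id is null)
  limit 1;
$$;
```

The session-start load described in the Description section is the same selection the sfd_select policy permits (global rows plus the caller's organisation rows); the client-side cache then has to apply the same precedence as `resolve_sensitive_field` on each focus-event lookup, or it will honour a global classification that the organisation has overridden.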
CRUD Operations
Storage Configuration
Entity Relationships
The screen reader active state in accessibility_preferences determines whether the sensitive field privacy guard applies the disclosure warnings defined in sensitive_field_definition records.
An organization defines its own set of sensitive fields that require screen reader disclosure warnings before vocalization.