6. Configuration and Profiles
Anonymization rules are defined in three JSON-based profiles: Light-touch, Balanced (recommended), and Max-safe. These profiles are loaded dynamically from the platform and apply consistent one-way cryptographic hashing (SHA-256-based) to generate non-reversible pseudonymous identifiers, with no capability for reverse lookup or re-identification on the platform.
| Profile | Label | Description |
|---|---|---|
| light.json | Light-touch | Minimal intervention: keeps most non-identifying fields and applies hashing and rounding only to key personal fields. Hashes key identifiers and UIDs, removes birth date, and retains institution/centre information where appropriate. Suitable for trusted data sources and lower-risk scenarios. |
| default.json | Balanced (recommended) | Recommended default: sets patient name and referring physician to “Anonymous”, hashes patient/study/accession IDs, generates stable pseudonymized UIDs, removes birth date, and retains clinically valuable fields. |
| strict.json | Max-safe | Most aggressive: in addition to the Balanced profile actions, clears further potential identifiers (e.g., institution name, device details, operator name) and removes or clears almost all optional fields that could contain identifiers. Use when maximum privacy protection is required. |
The following table summarizes the anonymization and pseudonymization rules applied by the platform across DICOM metadata, derived series JSON, and clinical Excel data.
| Field / Attribute | Handling | Notes |
|---|---|---|
| Patient Name | Set to “Anonymous” | Removed at source |
| Referring / Performing / Physician Names | Set to “Anonymous” | Covers all physician name tags |
| Patient ID | Hash | Stable pseudonym |
| Study ID / Accession No. | Hash | |
| DICOM UIDs (Study, Series, SOP) | Hash UID | Preserves DICOM consistency |
| Gender | Keep | No anonymization: Required for analysis |
| Age | Rounded | 5-year bins, e.g. 32→30, 33→35 |
| Date of Birth | Null | Avoids direct re-identification |
| Diagnosis | Keep | No anonymization: Clinically essential |
| Any date field (study, admission, ICU, etc.) | Shift ±3 days | Random offset per patient: Same offset applied to all dates for that patient |
Certain clinically essential variables (such as gender and diagnosis) are intentionally retained without anonymization to preserve scientific and analytical value. The associated privacy risk is mitigated through strong pseudonymization of identifiers, age generalization, and consistent temporal date shifting.
All profiles are based on the principles of DICOM PS3.15 Annex E (Basic Application Level Confidentiality Profile) with configurable retention or cleaning of attributes.
The selected profile is displayed in the interface with a direct link to view the full JSON rules. The following example illustrates a simplified view of the anonymization configuration used by the platform.
Example from default.json (Balanced profile):

```json
{
  "slug": "default",
  "label": "Balanced (recommended)",
  "dicom_rules": [
    { "op": "set", "tag": "00100010", "value": "Anonymous" },
    { "op": "hash", "tag": "00100020" },
    { "op": "hash", "tag": "00080050" },
    { "op": "hash", "tag": "00200010" },
    { "op": "hash_uid", "tag": "0020000D" },
    { "op": "hash_uid", "tag": "0020000E" }
  ],
  "clinical_rules": {
    "columns": [
      { "name": "Patient_ID", "op": "hash" },
      { "name": "Study_ID", "op": "hash" },
      { "name": "Study_Date", "op": "date_round_jan1" },
      { "name": "Sex", "op": "keep" },
      { "name": "Age", "op": "keep" },
      { "name": "Diagnosis", "op": "keep" }
    ]
  }
}
```
DICOM section → defines which tags are changed, removed, or hashed.
Clinical section → applies the same logic to Excel columns.
The system automatically loads the selected profile before anonymization. Each institute can use the Balanced profile unless stricter rules are required.
During anonymization, the tool also generates internal mapping and summary files in the output folder. These include id_mapping.csv and folder_name_mapping.csv, which record how identifiers and folder names were transformed during the anonymization process.
They are used only for internal traceability by the institute (for example, if reverse lookup is required by ethics approval) and are not uploaded to the ZODIAC platform.
These files act as lightweight anonymization logs, showing how each dataset was processed.
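As an added worked example (not the platform's own code), the following Python applies a constructed profile in the same shape as default.json to one DICOM-style tag/value record, covering the rule table above (set, hash, hash_uid, 5-year age bins, the per-patient ±3-day date shift) and the institute-only mapping rows described for id_mapping.csv. The op names "remove", "age_bin5" and "date_shift", the salt, the SHA-256 truncation, and the "2.25." UID form are assumptions of this example, not the platform's definitions.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed demo profile shaped like default.json; "remove", "age_bin5", "date_shift" are assumed op names
PROFILE = {"slug": "demo", "dicom_rules": [
    {"op": "set", "tag": "00100010", "value": "Anonymous"}, {"op": "hash", "tag": "00100020"},
    {"op": "hash_uid", "tag": "0020000D"}, {"op": "remove", "tag": "00100030"},
    {"op": "age_bin5", "tag": "00101010"}, {"op": "date_shift", "tag": "00080020"}]}
SALT = b"per-institute-secret"  # assumption: keyed salt so known IDs cannot be brute-forced

def pseudonym(value):
    # One-way SHA-256 pseudonym: the same input always yields the same stable identifier
    return hashlib.sha256(SALT + value.encode()).hexdigest()[:16]

def hash_uid(uid):
    # Syntactically valid DICOM UID: "2.25." + decimal of a 128-bit hash (well under 64 chars)
    return "2.25." + str(int.from_bytes(hashlib.sha256(SALT + uid.encode()).digest()[:16], "big"))

def age_bin5(age):
    # DICOM Age String such as "032Y", rounded to the nearest 5-year bin: 32->30, 33->35
    return f"{5 * round(int(age.rstrip('Y')) / 5):03d}Y"
def date_shift(yyyymmdd, patient_id):
    # Per-patient offset in [-3, +3] days derived from the ORIGINAL ID: all of a patient's dates shift equally
    offset = hashlib.sha256(SALT + b"shift" + patient_id.encode()).digest()[0] % 7 - 3
    return (datetime.strptime(yyyymmdd, "%Y%m%d") + timedelta(days=offset)).strftime("%Y%m%d")

def anonymize(dataset, profile, mapping):
    # dataset is a tag -> value dict; mapping collects (tag, original, pseudonym) rows
    # for the institute-only id_mapping.csv, which is never uploaded to the platform
    out, pid = dict(dataset), dataset.get("00100020", "")
    for rule in profile["dicom_rules"]:
        tag, op = rule["tag"], rule["op"]
        if tag not in out:
            continue
        if op == "set":
            out[tag] = rule["value"]
        elif op == "remove":
            del out[tag]
        elif op == "hash":
            out[tag] = pseudonym(out[tag])
            mapping.append((tag, dataset[tag], out[tag]))
        elif op == "hash_uid":
            out[tag] = hash_uid(out[tag])
        elif op == "age_bin5":
            out[tag] = age_bin5(out[tag])
        elif op == "date_shift":
            out[tag] = date_shift(out[tag], pid)
    return out
SAMPLE = {"00100010": "DOE^JANE", "00100020": "P12345", "00100030": "19900101",  # constructed
          "00101010": "032Y", "00080020": "20240115", "0020000D": "1.2.3.4.5.6.7"}  # not real data
```

Calling `anonymize(SAMPLE, PROFILE, rows)` returns the pseudonymized record and leaves the original-to-pseudonym pairs in `rows`, which is the only place the link back to the source identifier survives.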