Privacy Report

About the Privacy Report

Data privacy in Tonic is measured by sensitivity of the data and the level of protection applied. Another consideration is the use case, or purpose and audience for the data, which is external to Tonic but influences the protective actions taken in Tonic. The Privacy Report captures details about the level of data protection in place with Tonic.
The Privacy Report is used at two key points in the de-identification process.
  • A preview can be used as a checkpoint during the process of protecting data to review generators applied or to look for at risk data. The preview can be exported from Tonic prior to running a generation to increase confidence or for confirmation that de-identification is complete.
  • Each time a generation runs to populate the destination database with de-identified data, the Privacy Report is created to record the protection status of the data associated with that generation.
The Privacy Report helps users to answer and communicate the following:
  • What is the value of Tonic?
  • How do I know the data is safe for use?
  • How was the data protected?
The Privacy Report consists of summary statistics and field level details in a downloadable CSV. A stylized version of the report is presented here:

How to display the Privacy Report

The sensitivity and protection details of the Privacy Report are accessed from the following areas in Tonic.

Preview in Privacy Hub

The preview of the Privacy Report is a snapshot of the generators in place in Tonic. Users can use the Privacy Hub to track their progress, toggling sensitivity and applying generators until all desired fields have been masked.
When ready to generate, or at any point during this process, a preview can be exported from Tonic. The exported CSV can be used for review or to share with others for pre-approval to run a generation. Once comfortable with the generators in place click generate to run a job.
Note that the preview is not tied to any version of output data in the destination database. It is simply a reflection of Tonic's state at a point in time.

Privacy Report in Job Details

The Privacy Report captures the privacy associated with a particular generation job; a snapshot is created with each generation. It corresponds with the output data in the destination database at a point in time.
It is accessible in the Jobs view under Job details for a given generation job.
The Job Details page displays summary statistics.
To export the full details of the Privacy Report, download the Privacy Report CSV.

Report definitions

The fields for each row in the Privacy Report fall into the following categories.


The Privacy Report exports all of the schema detail that is viewable from various views in the Tonic UI (Database View, Table View) into the CSV. The schema in the source will match the destination.
  • Schema - Schema name from the source database
  • Table - Table name from the source database
  • TableMode - Captures the Table Mode that is currently set in Tonic.
  • Column - Column name from the source database
  • DataType - Data type that is detected in the source database.

Data sensitivity

How sensitive data is - whether it includes personally identifiable information (PII), is regulated by law, or is business confidential - impacts decisions on how to protect the data. Tonic's autodetect will flag suspected sensitive fields during the privacy scan. Users may also toggle the sensitivity indicator manually on or off.
  • IsSensitive - Boolean indicator; TRUE includes automatically detected by Tonic which remain enabled, and fields manually flagged as sensitive.
  • SensitiveType - For fields that Tonic identifies as sensitive, the detected data type is provided (eg Tonic detects a field of type Address that may be sensitive). Manually flagged fields


Tonic's generators are the core feature which protects sensitive information in ways that retain utility for downstream data consumers. The protection section of the Privacy Report provides key details to users of Tonic or external stakeholders about how the data is protected in Tonic via masking transformations.
  • GeneratorId - Lists the generator that is currently applied to the column. Refer to the full list of generators for details on the transformation.
  • IsConsistent - Boolean that indicates whether consistency is on for a given field. Consistency retains data utility at the cost of a higher level of privacy protection, by ensuring that a given input will always result in the same output. When consistent is on, a field will have the Privacy Status of Masked, and not Anonymized (see below regarding Privacy Status).
  • ConsistencyColumn - An additional option for consistency is to be consistent to another column. If in use, the name of the referenced column will be included here.
There are two additional protection columns that report on the level of privacy associated with a given protection mechanism. These classifications are linked to the generator and generator settings (such as consistency) in use. One of these must be enabled in order for data to be considered "Anonymized" (see Privacy Status below).
  • IsDifferentiallyPrivate - Boolean which will be TRUE for generators that support differential privacy and have been toggled on. Field is guaranteed to be the highest level of privacy without the ability to re-identify the data.
  • IsDataFree - Boolean which indicates whether the current generator makes use of the underlying data. If the output data is completely unlinked to the source data, the generator is considered to be "data free", with a high degree of protection.

Privacy status

The Generation Job Details view displays the Privacy Status in the UI. This corresponds to the summary show in Privacy Hub.
There is another level of detail available in the CSV download:
  • ColumnPrivacyStatus
    • At-Risk - Columns which are marked as sensitive and in Masked table mode without a generator applied (other than passthrough), are considered at-risk and are labeled in the report as "Unprotected".
    • Protected - Columns with generators applied are considered protected in the summary counts. The CSV report further breaks the distinction into:
      • "Masked" - Generators other than passthrough which provide some protection against seeing source data.
      • "Anonymized" - Generators which by definition are guaranteed against reverse engineering. These generators make use of differential privacy, or are considered "data-free", where the output data is completely unlinked from the source data. Turning consistency on decreases the protection level; any columns making use of consistency are considered "Masked".
    • Non-Sensitive - Columns in tables that are truncated, or columns which are neither marked as sensitive nor are they protected with a generator are considered "NonSensitive".