Pseudonymisation Quickstart: Banking KYC

Register four query-time pseudonymisation rules on a retail-bank KYC table, redact SSN, mask phone, keyed-hash last name, generalize date of birth, and prove that COUNT/SUM/AVG still read the underlying clean values.

Syntax

-- ============================================================================
-- SETUP: Zone, schema, Delta table, and 4 pseudonymisation rules
-- ============================================================================
CREATE ZONE IF NOT EXISTS {{zone_name}}
    TYPE EXTERNAL
    COMMENT 'Demo zone for pseudonymisation quickstart';

CREATE SCHEMA IF NOT EXISTS {{zone_name}}.pseudonymisation_demos
    COMMENT 'Schema for banking KYC pseudonymisation demo';

CREATE DELTA TABLE IF NOT EXISTS {{zone_name}}.pseudonymisation_demos.bank_customers (
    customer_id    VARCHAR,
    first_name     VARCHAR,
    last_name      VARCHAR,
    date_of_birth  DATE,
    email          VARCHAR,
    phone          VARCHAR,
    ssn            VARCHAR,
    address_line   VARCHAR,
    city           VARCHAR,
    state          VARCHAR,
    zip_code       VARCHAR,
    account_tier   VARCHAR,
    balance        DOUBLE,
    active         BOOLEAN
) LOCATION '{{data_path}}/bank_customers';

GRANT ADMIN ON TABLE {{zone_name}}.pseudonymisation_demos.bank_customers TO USER {{current_user}};

-- 1. Redact SSN, fully hidden
CREATE PSEUDONYMISATION RULE ON {{zone_name}}.pseudonymisation_demos.bank_customers (ssn)
    TRANSFORM redact
    PARAMS (mask = '***-**-****');

-- 2. Mask phone, show last 5 characters
CREATE PSEUDONYMISATION RULE ON {{zone_name}}.pseudonymisation_demos.bank_customers (phone)
    TRANSFORM mask
    PARAMS (show = 5);

-- 3. Keyed-hash last name, deterministic pseudonym for linkage
CREATE PSEUDONYMISATION RULE ON {{zone_name}}.pseudonymisation_demos.bank_customers (last_name)
    TRANSFORM keyed_hash
    SCOPE person
    PARAMS (salt = 'bank_name_salt_2024');

-- 4. Generalize date of birth, bucket to decade
CREATE PSEUDONYMISATION RULE ON {{zone_name}}.pseudonymisation_demos.bank_customers (date_of_birth)
    TRANSFORM generalize
    SCOPE relationship
    PARAMS (range = 10);

-- ============================================================================
-- QUERIES: Inspect rules, read pseudonymised data, aggregate
-- ============================================================================
-- All 4 rules visible in the catalog
ASSERT ROW_COUNT = 4
SHOW PSEUDONYMISATION RULES FOR {{zone_name}}.pseudonymisation_demos.bank_customers;

-- Protected SELECT: SSN is literally '***-**-****' for every row
ASSERT ROW_COUNT = 6
ASSERT VALUE ssn_redacted = '***-**-****' WHERE customer_id = 'C001'
ASSERT VALUE account_tier = 'Premium' WHERE customer_id = 'C001'
SELECT customer_id, first_name,
       last_name     AS last_name_hashed,
       date_of_birth AS dob_generalized,
       phone         AS phone_masked,
       ssn           AS ssn_redacted,
       account_tier, balance, active
FROM {{zone_name}}.pseudonymisation_demos.bank_customers;

-- Aggregations untouched, balance totals reflect stored bytes
ASSERT ROW_COUNT = 2
ASSERT VALUE customer_count = 3 WHERE account_tier = 'Premium'
ASSERT VALUE customer_count = 3 WHERE account_tier = 'Standard'
SELECT account_tier,
       COUNT(*)               AS customer_count,
       ROUND(AVG(balance), 2) AS avg_balance,
       ROUND(SUM(balance), 2) AS total_balance
FROM {{zone_name}}.pseudonymisation_demos.bank_customers
GROUP BY account_tier
ORDER BY account_tier;

-- ============================================================================
-- CLEANUP: Rules drop per-table when the column pattern is omitted
-- ============================================================================
DROP PSEUDONYMISATION RULE ON {{zone_name}}.pseudonymisation_demos.bank_customers;
DROP TABLE   IF EXISTS {{zone_name}}.pseudonymisation_demos.bank_customers;
DROP SCHEMA  IF EXISTS {{zone_name}}.pseudonymisation_demos;
DROP ZONE    IF EXISTS {{zone_name}};

Description

## When to Use Use this demo when onboarding analysts or auditors to a KYC / retail-banking dataset where the raw PII (SSN, full phone, full name, exact date of birth) must never reach the screen, but downstream aggregations, balance per tier, active-customer counts, cohort averages, must remain exact. It is the shortest path from "I have a Delta table with PII" to "my analysts see safe values while my numbers stay correct", using only four CREATE PSEUDONYMISATION RULE statements and no data rewrites. ## What You Will Learn 1. How CREATE PSEUDONYMISATION RULE attaches a runtime transform to a Delta table without touching a single row on disk [ref: CREATE_PSEUDONYM_RULE] 2. How the four core transforms differ in intent: `redact` for totally hidden fields, `mask` for partial disclosure, `keyed_hash` for deterministic pseudonyms that still support joins and GROUP BY, and `generalize` for k-anonymity-style bucketing 3. Why SCOPE matters: `PERSON` gives the same pseudonym everywhere for the same individual (enabling cross-table linkage), `RELATIONSHIP` is the default and scopes to related records, `TRANSACTION` scopes only to the current query 4. Why COUNT, SUM, and AVG over `balance` keep producing correct, byte-exact values: pseudonymisation rewrites the TableProvider's display path, not the stored bytes 5. How SHOW PSEUDONYMISATION RULES FOR `<table>` returns exactly the active rule set for a single table so you can audit coverage ## Prerequisites - DeltaForge GUI or CLI session connected to a workspace with CREATE ZONE / CREATE SCHEMA / CREATE DELTA TABLE privileges - `{{data_path}}` resolvable to a writable location (the demo creates `{{data_path}}/bank_customers`) - `{{current_user}}` has (or will receive) ADMIN on the created table - A Key Vault / KeyStore backing the `keyed_hash` salt, in the default compute-node deployment this is the universal Key Vault backed by the OS credential store; in standalone/test mode the salt is held in session memory only

Pitfalls

• `redact` is irreversible in the output channel but does not erase the stored data, the original SSN is still on disk in the Delta files and accessible to anyone with permission to read raw storage or to query a prior snapshot via time travel. Use APPLY PSEUDONYMISATION (or VACUUM after an APPLY) when you need actual on-disk removal.
• `keyed_hash` produces stable pseudonyms only as long as the salt is stable. Rotating `salt = 'bank_name_salt_2024'` to a new value silently breaks every downstream join that matched on the hashed column, plan salt rotations as coordinated events across all consuming pipelines, not unilateral rule edits.
• SCOPE `PERSON` is what lets the hashed last_name act as a linkable key across tables and queries; the default SCOPE `RELATIONSHIP` is narrower. If you change a rule from `SCOPE PERSON` back to the default while downstream jobs rely on cross-table linkage, the pseudonyms will silently stop aligning.
• `generalize` with `range = 10` reduces date-of-birth resolution to a decade, which trims re-identification risk but does not eliminate it: combine with zip_code, gender and one more attribute and you can still re-identify most individuals in a small cohort. Treat generalize as one layer, not a full anonymisation guarantee.
• `mask` with `show = 5` leaves the last five characters of the phone number visible, which is enough to identify a household when combined with city/zip. Tune `show` to the minimum your business use case actually needs, default is 4.
• GDPR Article 17 (erasure) is not satisfied by query-time rules alone: a rule can be dropped and the raw PII re-surfaces. For erasure, pair CREATE PSEUDONYMISATION RULE with an APPLY PSEUDONYMISATION run at the end of the retention window, then VACUUM the Delta log past the retention horizon.
• Rules are persisted to the catalog only when a CatalogRouter is configured (standard compute-node deployment). In standalone or df-sql-runner sessions they live in session-scoped memory and disappear on restart, do not use the quickstart topology to prove compliance.
• `DROP PSEUDONYMISATION RULE ON <table>` with no column pattern drops every rule on that table, not just one. The cleanup step in this demo relies on that behaviour; inside a live environment, always pass the column pattern explicitly to avoid accidentally un-protecting columns you meant to keep.

See Also

• demo_pseudonymisation_lifecycle
• demo_pseudonymisation_apply
• demo_pseudonymisation_healthcare
• CREATE_PSEUDONYM_RULE
• SHOW_PSEUDONYM_RULES
• DROP_PSEUDONYM_RULE