Private Spaces and Data Access Control
The FamilySearch Family Tree provides access to person records, relationships, and other data that is regulated by law. FamilySearch controls access to the Family Tree data using a variety of access control mechanisms. Private Spaces is one such mechanism.
When FamilySearch implemented Private Spaces in August 2014, all regulated data was copied into the private space of individual users. Now, every FamilySearch user has a private space of their own. Data in a private space can be viewed and managed only by the assigned user of the private space. This document presents the ramifications of the migration of regulated data to Private Spaces.
FamilySearch no longer uses relationship access lists to restrict access to ancestral relationships. Users now have their own copy of regulated data, so they will never encounter a situation where they cannot create or view a relationship within their own ancestral tree.
Users can view and manage relationships established between persons within their own private space, and between a person in their private space and a public person. Relationships involving only public persons, as always, can be seen by all users.
The Family Tree no longer receives automatic updates contributed by internal systems, such as the Church Membership system. For example, a child’s record in a parent’s private space is not automatically updated when the child is married and the child’s spouse is recorded in the Church Membership system. Each user who has a copy of that child’s record in their private space is responsible for updating their own private space record with the marriage information. Depending on the timing of the Church Membership record update, users may receive hints that suggest changes to their private space data.
Change History Log
Users can view the change history for their own private space data. No user can view the history of another user’s private space data.
Living or Deceased
Private Spaces has implemented a Living Status flag for all private space person records. This is an additional mechanism to help restrict access to regulated data.
Beginning December 10, 2014, when creating a new person record in the Family Tree, the living status of that person must be specified as living or deceased. If the living property is not specified, then the person is created as a living person in the user’s private space.
For persons created before December 10, 2014, if the living property was explicitly set as living when the person was created, then that value was saved as the living status of the person. If the living property was not specified, the person is considered deceased if there is a death-like event; otherwise, the person is considered living. Death-like events include facts such as cremation or burial. A birth date more than 110 years ago also counts as a death-like event.
If a private space person record is flagged as deceased, then the person record becomes public for all to see. If a person record is found to have been flagged as deceased in error, a FamilySearch administrator is required to flag the person record as living. This is because a public person may be included in the pedigree of several users. Changing the living status from deceased to living is an access control restriction that removes the view of that person from all but one user, creating a gap in some pedigrees. When the deceased person is flagged as living, the administrator creates a copy of the person in the private space of all users who have that person in their pedigree. Each copy placed in an additional private space has its own unique person ID. For this reason, the copies lose artifacts such as photos or stories that are attached to the person being copied.
Private Spaces also implemented a Sensitive data flag as a mechanism to control access to regulated data. A person or a relationship record that is marked sensitive by a Family Tree administrator remains in the private space regardless of the status of other access control restrictions. For example, a sensitive record of a deceased person can only be viewed by the user of the private space that the deceased person is assigned to.
Only an administrator can mark a person as sensitive or as no longer sensitive. A deceased person that is marked as no longer sensitive and has no other access restrictions is immediately made public and visible to all users.
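The living-status and sensitive-flag rules above can be combined into one visibility decision. The following is an added example, not FamilySearch code: the Person model, the function names and the fact-type strings are hypothetical. It assumes the 110-year age is measured at record creation and that an explicit deceased value is saved as given.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CUTOVER = date(2014, 12, 10)                    # rule change date stated above
DEATH_LIKE = {"death", "burial", "cremation"}   # constructed fact-type names
MAX_AGE_YEARS = 110


@dataclass
class Person:                                   # hypothetical model, not the real schema
    owner: str                                  # user whose private space holds the record
    created: date
    living_input: Optional[bool] = None         # None = living property not specified
    birth: Optional[date] = None
    facts: set = field(default_factory=set)
    sensitive: bool = False                     # set only by an administrator


def born_over_110_years_before(birth: date, ref: date) -> bool:
    # True when the 110th birthday falls strictly before `ref`.
    return (ref.year - birth.year, ref.month, ref.day) > (MAX_AGE_YEARS, birth.month, birth.day)


def is_living(p: Person) -> bool:
    if p.living_input is not None:
        return p.living_input                   # explicit value is saved (assumed for deceased too)
    if p.created >= CUTOVER:
        return True                             # unspecified on/after cutover: created as living
    if p.facts & DEATH_LIKE:
        return False                            # pre-cutover: death-like fact present
    if p.birth and born_over_110_years_before(p.birth, p.created):
        return False                            # pre-cutover: birth more than 110 years ago
    return True


def can_view(p: Person, user: str) -> bool:
    if p.sensitive or is_living(p):
        return user == p.owner                  # record stays in the owner's private space
    return True                                 # deceased and not sensitive: public
```

Note that a record created on or after the cutover without a living value stays private even when it carries a burial fact, because the death-like inference applies only to earlier records.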
See the Help Center Understanding Private Spaces article and links.