Use scopes and introduce a pairwise pseudonymous identifier

[AxelNennker]

What type of PR is this?

Add one of the following kinds:

• enhancement/feature

What this PR does / why we need it:

For privacy reasons the API consumer should be able to specify which data fields should be returned. Only required data should be asked for and returned by the API.
See Art. 5 GDPR Principles relating to processing of personal data.
See UK Information Commisioner's Office

As always in CAMARA the allowed scopes for an API consumer are determined a Onboarding Time.

For privacy reasons globally unique and permanent identifiers should be avoided.
IMEI and IMEISV are such globally unique and permanent identifiers.
Globally unique and permanent identifiers allow user tracking across API consumers.
Colluding API consumers can track the user.

This PR uses scopes which allow the API consumer to specify which data they want in the API result.
This PR introduces the identifier PPID (pairwise pseudonymous identifier) which is local to the API producer or if based on a sector_identifier to a group of API consumers.

Additional Context

#36

[eric-murray]

Hi @AxelNennker

This PR was discussed at the last Device Identifier sub-project meeting. Everyone was fine with introducing PPID as a third device identifier, but controlling this via scopes through a single endpoint was not agreed.

If you want PPID to be part of the Spring 25 meta-release version, I would suggest to reformulate this PR as an additional endpoint retrieve-ppid, controlled by a single scope and returning only the ppid and lastChecked parameters. Both can be required, so that there are no options in the response.

If you want to keep the PR unchanged, then I'll put it in the backlog for now, and we can discuss following finalisation of the Spring 25 version.