FHIR Chat · Zulip Traffic Analysis · social

Stream: social

Topic: Zulip Traffic Analysis

view this post on Zulip Grahame Grieve (Nov 29 2018 at 21:53):

HL7 has asked us to get some traffic analysis done regarding use of the Zulip for the FHIR community. In preparation for this, we've updated our data use policy. It's here:

http://wiki.hl7.org/index.php?title=Chat.fhir.org_community_expectations#GDPR_Statement

Comments are welcome

view this post on Zulip René Spronk (Nov 30 2018 at 09:52):

From a formal perspective, sharing data with HL7 would require an opt-in under the GDPR (if you disagree you should document the exact legal reason as to why you're sharing the data). Given e.g. the URL used it can hardly be argued that those that use the forum have a contractual relationship with HL7, whereby HL7 has an agreement with the FHIR Foundation to host the chat forum (in the latter case sharing data with HL7 would be OK). What GDPR legal basis is there to share the data with another entity than HL7? It would be much easier to state that "The FHIR Foundation will on a regular basis perform traffic analysis on all the public streams and publicly publish its findings (e.g. on the chat forum). Any individual or organization may use this information.". Nothing beyond that public information could be shared with HL7 though.

As for the "no GDPR Erasure" clause - that's a clash between the ISO rules (but that's not a law) and the GDPR. A "no GPDR erasure" clause will be very hard to enforce, and stating that the software doesn't support it is hardly an argument. Change the software. It won't happen that often, but if someone requests it, one should be able to somehow anonimize a comment, fulfilling both the GDPR as well as the ISO requirements.

view this post on Zulip John Moehrke (Nov 30 2018 at 13:33):

hmmm. I was thinking that there was some regulated backing to a Standards Organization following the rules of being a Standards Organization. I presume now that an SDO is an SDO by choice, and not by regulation. If it was by regulation then GDPR enables (like with medical records retention) that regulated purpose to override GDPR erasure clause. If an SDO is an SDO by choice, then this Erasure clause will cause all kinds of pain to the functioning of ALL the SDO in the world... ouch

view this post on Zulip Grahame Grieve (Nov 30 2018 at 20:17):

  • it's not clear to me how GPR erasure applies to private messaging
  • I do not see any clash between GDPR and ISO here. Nowhere does it state that the only reason to retain records is to meet EU legal requirements
  • regarding comment about FHIR foundation and HL7: given that the community code of conduct that everyone agrees to is an HL7 agreement, I do think that there is grounds for this. @Wayne Kubick

view this post on Zulip René Spronk (Dec 01 2018 at 13:38):

Don't think so, the chat is hosted by the FHIR foundation, so I have implicitly agreed upon a 'contract' with the FHIR Foundation, not with HL7. It doesn't say anywhere that HL7 is somehow involved in the forum. So either those that participate in the forum should be made aware that they're entering into an agreement with HL7 (in which case the FHIR Foundation can share whatever data with HL7, given that HL7 is the ultimate controller), or if users enter into an agreement with the FHIR Foundation then you'd have to use a legal reason for sharing data with HL7.

Besides, the use of the words 'sharing analytics' is not specific enough, the sharing of aggregate data, which can't be traced back to participating individuals is unlikely to raise concerns [so you might as well make that available on the forum itself], whereas the sharing of raw data (including IP addresses, login names and the activities associated with these accounts) is much more of a concern which may lead to user profiling. We probably don't want any external party to have that kind of data (.. which is why the GDPR requires opt-in for profiling). As such the code of conduct should detail what we're talking about. What is it that is intended to be shared with HL7?

Items that are part of your GDPR statement can't be in conflict with the GDPR; they'd be null and void anyway. "We don't do erasure" won't hold - document the legal ground for such a statement, and it better be good.

view this post on Zulip Grahame Grieve (Dec 03 2018 at 19:31):

well, the request from HL7 is quite specific - analysis of member vs non-member participation on the forum. So very definitely not aggregate data. (though I have no idea, at this point, how anyone is going to connect Zulip account emails to the HL7 member database). And any other analytics can be done on the published stream data

view this post on Zulip René Spronk (Dec 04 2018 at 05:58):

So from a privacy perspective HL7 may hand over the list of its members and their e-mail addresses (if those members have given permission to do so) to the FHIR Foundation, why can do the analysis and provide HL7 with a summary answer. FHIR Foundation and HL7 are two different legal entities, so you'd need an opt-in from all participants to share this kind of individualised information (e-mail address, activity profile)
(Note: I can see the purpose of such an analysis, but that's beside the point - some of us have studied the GDPR in some level of detail, and you asked for feedback on the current wording) IMHO you can't hand over any detailed data which can be traced to an individual, whilst you could share the aggregated outcome of the analytics process.

view this post on Zulip Grahame Grieve (Dec 04 2018 at 06:01):

so a legal arrangement between HL7 and FHIR foundation requires all members of both organizations to agree to? You can't be serious

view this post on Zulip Grahame Grieve (Dec 04 2018 at 06:02):

is Europe rejecting all corporate buy outs?

view this post on Zulip Grahame Grieve (Dec 04 2018 at 06:04):

and all out-sourcing?

view this post on Zulip Mikael Rinnetmäki (Dec 04 2018 at 07:05):

While we're at it, we might want to record the terms and conditions, as well as the privacy policy to https://chat.fhir.org/terms/ and https://chat.fhir.org/privacy/...

Since at the moment there's nothing there, I'd say it would be quite safe to interpret that everyone who has signed up to the forum is OK with their contributions and info to be shared in whatever means with whatever third parties.

view this post on Zulip Alexander Zautke (Dec 04 2018 at 07:30):

By default such data can only be shared without prior consent in cases of “legitimate interests” by the FHIR Foundation if and only if the data sharing is also in the interest of the users. See https://gdpr-info.eu/art-6-gdpr/

In all other cases all users would need to give their consent to the data sharing. The first option is based on a very thin line between what is allowed and what could be misinterpreted.

For more Information about what HL7 needs to implement and acknowledge:
https://gdpr-info.eu/art-28-gdpr/

view this post on Zulip Vadim Peretokin (Dec 04 2018 at 08:45):

Here's an example of a well-made privacy page I've come across recently: https://www.ns.nl/en/privacy/in-and-around-the-station.html

view this post on Zulip Vadim Peretokin (Dec 04 2018 at 08:46):

This is for the wifi-based tracking they do in several major train stations for people-flow analysis.

view this post on Zulip Diego Bosca (Dec 04 2018 at 16:38):

and all out-sourcing?

If I remember correctly, outsourcing outside from EU is allowed as long as the destination country has a similar citizen data high-protection law, or at least that your overseas partner is fully compliant with GDPR. If they break the law (data leak, etc.) you would be the one fined as you are the responsible of that data collection

Last updated: Apr 12 2022 at 19:14 UTC


An HL7 Website -