Stream: implementers
Topic: Data controller field for GDPR purposes
Maciej Milczarek (Oct 22 2021 at 08:19):
Hello! I wonder what is the best way to ensure that each company-level FHIR resource has the data controller specified (for the GDPR EU needs). I want to have it on all of my resources. Lloyd suggested it probably should be an extension on the Resource.meta. Do you have any experience / suggestions with dealing with that?
René Spronk (Oct 22 2021 at 08:34):
@Jose Costa Teixeira
Jose Costa Teixeira (Feb 22 2022 at 16:37):
Hi @Maciej Milczarek, I completely missed this, my apologies.
Jose Costa Teixeira (Feb 22 2022 at 16:38):
Not sure if you have any further insight, but whatever the solution is, it would indeed be on resource.meta.
Jose Costa Teixeira (Feb 22 2022 at 16:42):
I see 2 options:
- use an extension called "dataController" or "responsibleDataController"
- use an extension that contains the Permission resource and in that, one could consider the asserter as being the data controller - which is actually impossible because "asserter" is only for Person, should also be for Organization in that case.
Jose Costa Teixeira (Feb 22 2022 at 16:43):
Using Permission would give you the way to do the other fun stuff in GDPR - express the purpose, scope, etc.
But given that it's not ready yet, you may as well start with an extension just for the controller.
Last updated: Apr 12 2022 at 19:14 UTC