Stream: implementers
Topic: GDPR Controller
Krishna Moorthi (Jul 15 2020 at 15:03):
Hi all,
We are currently working on health data integration where the source application needs to tag every resource with the GDPR controller.
Can you please suggest some options for the below?
- how to model the element in each resource, such as Observation, MedicationAdministration, etc.?
- do you have any reference links for this requirement?
much appreciated.
Thanks
Krish
René Spronk (Aug 01 2020 at 14:33):
Probably using the Provenance resource. But capturing a controller is just one tiny part of dealing with GDPR.. @Jose Costa Teixeira ?
Jose Costa Teixeira (Aug 01 2020 at 14:35):
Indeed, controller would be with Provenance, and it is only a small part of it.
Jose Costa Teixeira (Aug 01 2020 at 14:35):
We are discussing this in the Security calls presently. Basically the key topics would be (just a summary from the top of my head, not binding and not validated):
Jose Costa Teixeira (Aug 01 2020 at 14:36):
in the profiles (or in the resources) you can have a Permission resource, exposing what are the things that you can do with the data - can you share or not, and if so, which data, with whom, for which purpose.
Jose Costa Teixeira (Aug 01 2020 at 14:37):
When you exchange the data, the permission and provenance would go along, to show: where does this data come from, and what is it allowed for.
Jose Costa Teixeira (Aug 01 2020 at 14:38):
the idea is that at every step in the exchange, you would know where data comes from and what can be done with it.
Jose Costa Teixeira (Aug 01 2020 at 14:39):
If the permission to use data comes from a Consent, then you use a consent as well. If the permission comes from a policy, you show that policy.
Jose Costa Teixeira (Aug 01 2020 at 14:40):
Permission can also say things like "if you do not have the right role, you cannot read or search by Social Security Number"
Jose Costa Teixeira (Aug 01 2020 at 14:41):
this should solve Art 30 which is IMO the epicenter of GDPR
Jose Costa Teixeira (Aug 01 2020 at 14:42):
we still didn't see how this solves the other Data Subject rights (e.g. right to erasure), but I think the concepts are not that different. A patient may issue a request to delete data, but the access control system must see if that data can be really deleted.
René Spronk (Aug 01 2020 at 14:43):
Is there a draft version of the Permission resource somewhere (it's not in the latest R5 draft)?
Jose Costa Teixeira (Aug 01 2020 at 14:43):
http://build.fhir.org/permission
Jose Costa Teixeira (Aug 01 2020 at 14:43):
it is very drafty...
Jose Costa Teixeira (Aug 01 2020 at 14:44):
pinging @John Moehrke to add some ideas I may have left out
Jose Costa Teixeira (Aug 01 2020 at 14:45):
if we have an interesting group of people (and if we start having 12 day weeks), I'd like to propose this for a Connectathon and some cookbooks - with examples, scenarios, etc
John Moehrke (Aug 03 2020 at 11:54):
I do prefer using Provenance as the linkage between these policy statements and the data. There is a Provenance.policy element for just this kind of situation. This element today is defined as a URI, so it can point at anything. One would have to have trust frameworks surrounding your environment (domain) to assure that everyone understands the use of Provenance and the .policy element. Included in this is the understanding of what exists at the .policy URI location. Some options for what exists there: a Consent resource, some other agreed-to policy encoding such as XACML, or the .policy URI is just an identifier to a well-known policy published within your domain.
John Moehrke (Aug 03 2020 at 11:56):
The Permission resource is a draft work to make a resource that can do what Consent does, but also carry policy that is not specifically a patient specific consent. For cases like legal mandates, or business terms, etc. Not as a replacement for Consent, but for those other cases. -- it is not well modeled yet, we are looking for use-cases to do use-case analysis. https://confluence.hl7.org/display/SEC/FHIR+Permission
John Moehrke (Aug 03 2020 at 11:57):
There is also the DS4P implementation guide that some are working on. It is approaching this set of problems with a different modeling approach. I don't know where it is going to end up.
Krishna Moorthi (Aug 18 2020 at 12:47):
Hi all - Apologies for the delayed response. Thanks a lot for your input and suggestions.
@Jose Costa Teixeira Is there a possibility for me to read the cookbooks, examples, etc. when they are ready?
Thanks
Jose Costa Teixeira (Aug 19 2020 at 19:16):
Of course
Jose Costa Teixeira (Aug 19 2020 at 19:16):
@Krishna G it will all be public and I expect we'll want to show it
Krishna Moorthi (Aug 28 2020 at 10:08):
Thank you @Jose Costa Teixeira
Last updated: Apr 12 2022 at 19:14 UTC