November 19, 2018 GDPR whitepaper on FHIR call
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name |
---|---|---|---|---|---|---|---|
. | John Moehrke, Security Co-chair | . | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
. | Christopher Shawn, Security Co-chair | . | David Pyke, PCBP Co-Chair | . | Giorgio Cangioli | . | Joe Lamy |
. | Peter van Liesdonk | . | | . | | . | |
Agenda
- (5 min) Roll Call, Agenda Approval
- (10 min) Presentation Proposal "Purpose of Processing" (Peter) (link: https://docs.google.com/document/d/1rIHhL5FTIFVD9EGgW70SkElfsMH9ofHoDuYnVHMOZF4/edit?usp=sharing)
- (20 min) Harmonization discussion - PoU vs. Purpose of Processing
- (10 min) Use cases (Giorgio)
- (5 min) Reminder - issues from WGM:
  - Are update events to be reported in a transparency report? Depth of Provenance.
  - Operations: Grahams to define an erasure operation that takes a Patient or Person. It returns rejected, success, or partial success. Is there a need for it to report what it deleted? Or what it didn't? It does need to report external recipients. Is it necessary to report what was deleted? Operation for transparency: search on AuditEvents?
  - Do we need a CapabilityStatement-like resource that describes server data retention rules? Possibly useful for the client too, to state the client's need.
  - We might need to address Break-Glass as a healthcare safety mechanism.
Links:
Harmonization proposal:
https://gdpr-info.eu/art-6-gdpr/
https://gdpr-info.eu/art-9-gdpr/
Link to Confluence page: http://confluence.hl7.org/display/SEC/FHIR+-+GDPR