This wiki has undergone a migration to Confluence found Here

Difference between revisions of "GDPR (General Data Protection Regulation)"

From HL7Wiki
Jump to navigation Jump to search
Line 64: Line 64:
 
Privacy group noyb.eu led by activist Max Schrems said people were not being given a "free choice".
 
Privacy group noyb.eu led by activist Max Schrems said people were not being given a "free choice".
 
If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.
 
If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.
 +
*[https://www.npr.org/sections/alltechconsidered/2018/04/04/598888803/the-paris-lawyer-who-gives-google-nightmares The Paris Lawyer Who Gives Google Nightmares]
  
 
==UMA Legal==
 
==UMA Legal==
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/iaccmcontractingprinciples.pdf IACCM Contracting Principles International Association for Contract and Commercial Management]
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/iaccmcontractingprinciples.pdf IACCM Contracting Principles International Association for Contract and Commercial Management]
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/UMA%20Legal%20role%20definitions%20March%202018.pptx UMA Legal role definitions March 2018]
 
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/UMA%20Legal%20role%20definitions%20March%202018.pptx UMA Legal role definitions March 2018]

Revision as of 21:50, 29 May 2018

Back to Security Main Page

Meeting to produce a Whitepaper

Mondays at 10:00 am Eastern Time See HL7 Calendar item

Whitepaper proposed Outline

  1. Introduction and Scope -- that will explain we are only addressing FHIR specific topics
  2. Mapping of GDPR Articles to the existing Security or Privacy capability in FHIR -- this section will provide terse guidance on how we visualize the use.
  3. Identification of some gaps we identified -- nothing critical, mostly nice-to-have operations
  4. Conclusion -- FHIR is GDPR enabling

Editing likely will use new Confluence to enable easier editing with collaborative features of Confluence. Link to be defined

GDPR Background


GDPR Presentations and Papers

GDPR Connectathon May 2018

GDPR mHealth Apps

  • mHealth Code to Aid App Developers in the EU Privacy Code of Conduct for mHealth apps was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR). The second section of the Code sets out the practical guidelines. These are:
  1. Consent of users: the need to obtain valid explicit consent from the data subject to collect and use their data
  2. Data Protection Principles – Purpose Limitation, Data Minimisation, Transparency, Privacy by design and privacy by default and data subject rights: these reflect principles at the heart of EU Data Protection rules
  3. Information to provide to users before they use the app: guidance on adopting a layered notice approach and using a condensed notice and full privacy policy
  4. Data Retention: the Code acknowledges that it can be difficult to irreversibly anonymise health data when the retention period expires
  5. Security: the requirement to carry out a Privacy Impact Assessment and adopt security measures recommended by ENISA
  6. Advertising on the app: any advertising must be authorised by the user but there is a difference in approach depending on whether the advertising involves the processing of personal data
  7. Use of data for secondary purposes: in instances where data could be used for scientific research or other big data analysis
  8. Disclosing data to third parties: ensuring that there’s an agreement in place with the third party is essential
  9. Data Transfers: complying with the rules around international data transfers
  10. Data Breach: what to do and whom to notify when a data breach occurs
  11. Children’s data: when apps are deliberately aimed at children

Posted on June 17th, 2016 By Victoria Hordern. Posted in Health Privacy/HIPAA, International/EU Privacy

  • Trust in mHealth apps: As revealed by the European Commission's 2014 mHealth Green Paper consultation, people often do not trust mHealth apps, such as those monitoring your health or giving health advice. Respondents to the mentioned consultation considered that having users' consent as well as strong privacy and security tools in place is a crucial issue in relation to mobile health apps.

GDPR Articles

The companies are accused of forcing users to consent to targeted advertising to use the services. Privacy group noyb.eu led by activist Max Schrems said people were not being given a "free choice". If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.

UMA Legal