This wiki has undergone a migration to Confluence found Here
Difference between revisions of "GDPR (General Data Protection Regulation)"
Jump to navigation
Jump to search
| (36 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
[[Security|Back to Security Main Page]] | [[Security|Back to Security Main Page]] | ||
| + | |||
| + | [["Is Privacy Obsolete" Study Group Page"|Is Privacy Obsolete Study]] | ||
| + | ==Meeting to produce a Whitepaper== | ||
| + | Mondays at 10:00 am Eastern Time | ||
| + | See [http://www.hl7.org/concalls/CallDetails.aspx?concall=40560 HL7 Calendar item] | ||
| + | |||
| + | Whitepaper proposed Outline | ||
| + | |||
| + | # Introduction and Scope -- that will explain we are only addressing FHIR specific topics | ||
| + | # Mapping of GDPR Articles to the existing Security or Privacy capability in FHIR -- this section will provide terse guidance on how we visualize the use. | ||
| + | # Identification of some gaps we identified -- nothing critical, mostly nice-to-have operations | ||
| + | # Conclusion -- FHIR is GDPR enabling | ||
| + | |||
| + | The whitepaper will be published on the HL7 confluence page: [http://confluence.hl7.org/display/SEC/FHIR+-+GDPR FHIR - GDPR] | ||
| + | |||
| + | ===Conference Calls Agenda and Minutes:=== | ||
| + | Call details: [https://join.freeconferencecall.com/security36 Security WG FreeConference web meeting] | ||
| + | |||
| + | Online Meeting ID: security36 | ||
| + | |||
| + | Dial-in Number: (515) 604-9567 | ||
| + | |||
| + | Access Code: 880898 | ||
| + | |||
| + | |||
| + | |||
| + | * [[August 27, 2018 GDPR whitepaper on FHIR call]] | ||
| + | * [[September 10, 2018 GDPR whitepaper on FHIR call]] | ||
| + | * [[September 24, 2018 GDPR whitepaper on FHIR call]] | ||
| + | * [[October 22, 2018 GDPR whitepaper on FHIR call]] | ||
| + | * [[November 19, 2018 GDPR whitepaper on FHIR call]] | ||
| + | * [[November 26, 2018 GDPR whitepaper on FHIR call]] | ||
| + | '' | ||
| + | '' | ||
| + | '' | ||
| + | * [[Jan 28, 2019 GDPR whitepaper on FHIR call]] | ||
| + | * [[Feb 04, 2019 GDPR whitepaper on FHIR call]] | ||
| + | * [[Feb 11, 2019 GDPR whitepaper on FHIR call]] | ||
| + | * [[Feb 25, 2019 GDPR whitepaper on FHIR call]] | ||
| + | '' | ||
| + | '' | ||
| + | * [[April 01, 2019 GDPR whitepaper on FHIR call]] | ||
| + | * [[April 08, 2019 GDPR whitepaper on FHIR call]] | ||
| + | * [[April 15, 2019 GDPR whitepaper on FHIR call]] | ||
| + | |||
==GDPR Background== | ==GDPR Background== | ||
*[https://gdpr-info.eu/ Useful GDPR regulation text reference] | *[https://gdpr-info.eu/ Useful GDPR regulation text reference] | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR%20reference%20material/Special%20Eurobarometer%20359%20Attitudes%20on%20Data%20Protection%20and%20Electronic%20Identity%20in%20the%20European%20Union.pdf Special Eurobarometer 395 Attitudes on Data Protection and Electronic Identity in the European Union] | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR%20reference%20material/Special%20Eurobarometer%20359%20Attitudes%20on%20Data%20Protection%20and%20Electronic%20Identity%20in%20the%20European%20Union.pdf Special Eurobarometer 395 Attitudes on Data Protection and Electronic Identity in the European Union] | ||
| + | *[https://gforge.hl7.org/gf/project/security/docman/GDPR/Handbook%20on%20European%20data%20protection%20law%202018.pdf Handbook on European data protection law 2018] | ||
| + | The handbook has been prepared by the EU Agency for Fundamental Rights (FRA), | ||
| + | with the Council of Europe (together with the Registry of the European Court of | ||
| + | Human Rights) and the European Data Protection Supervisor. | ||
| + | |||
| + | This handbook outlines the legal standards relating to data protection set by the | ||
| + | European Union (EU) and the Council of Europe (CoE). It is designed to assist practitioners | ||
| + | not specialised in the field of data protection, including lawyers, judges and | ||
| + | other legal practitioners, as well as individuals working for other bodies, such as | ||
| + | non-governmental organisations (NGOs), who may be confronted with legal questions | ||
| + | relating to data protection. | ||
| + | The handbook serves as a first point of reference on relevant EU law and the | ||
| + | European | ||
| + | Convention on Human Rights (ECHR), as well as the CoE Convention for | ||
| + | the Protection of Individuals with regard to Automatic Processing of Personal Data | ||
| + | (Convention 108) and other CoE instruments. | ||
| + | |||
==GDPR Presentations and Papers== | ==GDPR Presentations and Papers== | ||
*[https://vimeo.com/267769545 Standards support for key GDPR Policies] - Rene Spronk | *[https://vimeo.com/267769545 Standards support for key GDPR Policies] - Rene Spronk | ||
| Line 14: | Line 76: | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/Wilson_HL7_Koln.pdf GDPR is good for HL7 and standardization] HL7 May 2018 Cologne - Petra Wilson | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/Wilson_HL7_Koln.pdf GDPR is good for HL7 and standardization] HL7 May 2018 Cologne - Petra Wilson | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR%20reference%20material/EU%20Data%20Protection%20Regulation_short.pdf Bernd Blobel EU Data Protection Regulation] | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR%20reference%20material/EU%20Data%20Protection%20Regulation_short.pdf Bernd Blobel EU Data Protection Regulation] | ||
| + | * [https://healthcaresecprivacy.blogspot.com/2018/05/erasure-receipt.html John Blog on Erasure Receipt] | ||
| + | * [https://healthcaresecprivacy.blogspot.com/2018/05/gdpr-on-fhir.html John Blog report out from HL7 workgroup meeting GDPR discussions in Cologne] | ||
| + | * [https://docs.google.com/spreadsheets/d/1--6HKnMY7QCqsorpJXdgIm9lC-MJ-O_qIPTcjPdUGKg/edit?usp=sharing Spreadsheet notes from GDPR discussions in Cologne] | ||
==GDPR Connectathon May 2018== | ==GDPR Connectathon May 2018== | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR-v1.pptx GDPR Presentation for May 2018 Connectathon] - Alex Mense | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/GDPR/GDPR-v1.pptx GDPR Presentation for May 2018 Connectathon] - Alex Mense | ||
| − | |||
*[http://wiki.hl7.org/index.php?title=201805_GDPR May Cologne Connectathon 201805 GDPR] | *[http://wiki.hl7.org/index.php?title=201805_GDPR May Cologne Connectathon 201805 GDPR] | ||
| + | * [https://healthcaresecprivacy.blogspot.com/2018/05/erasure-receipt.html John Blog on Erasure Receipt] | ||
| + | * [https://healthcaresecprivacy.blogspot.com/2018/05/gdpr-on-fhir.html John Blog report out from HL7 workgroup meeting GDPR discussions in Cologne] | ||
| + | * [https://docs.google.com/spreadsheets/d/1--6HKnMY7QCqsorpJXdgIm9lC-MJ-O_qIPTcjPdUGKg/edit?usp=sharing Spreadsheet notes from GDPR discussions in Cologne] | ||
| + | |||
| + | ==GDPR Vocabulary== | ||
| + | *[https://gforge.hl7.org/gf/project/security/docman/Harmonization/July%202018%20Harmonization/2018JulyHARM%20Initial%20PROPOSAL%20SECURITY%20v3%20and%20v2%20Table%200717%20Privacy%20Law%20and%20Consent%20Directive%20codes.doc Initial PROPOSAL SECURITY v3 and v2 Table 0717 Privacy Law and Consent Directive codes] | ||
| + | *[https://gforge.hl7.org/gf/project/security/docman/GDPR/gdpr_lawful_reasons_for_processing%20Rene%20Spronk%20original.docx gdpr_lawful_reasons_for_processing Rene Spronk] | ||
| + | ==GDPR Implementation by Country== | ||
| + | *[https://www.dlapiperdataprotection.com/index.html International Privacy Protection Law tool] | ||
| + | *[https://iclg.com/practice-areas/data-protection-laws-and-regulations International Privacy Laws] | ||
| + | *[https://iclg.com/practice-areas/data-protection-laws-and-regulations/norway Norway Data Protection Laws and Regulations] | ||
| − | |||
==GDPR mHealth Apps== | ==GDPR mHealth Apps== | ||
*[https://www.hldataprotection.com/2016/06/articles/health-privacy-hipaa/a-mhealth-code-to-aid-app-developers-in-the-eu/ mHealth Code to Aid App Developers in the EU] Privacy Code of Conduct for mHealth apps was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR). The second section of the Code sets out the practical guidelines. These are: | *[https://www.hldataprotection.com/2016/06/articles/health-privacy-hipaa/a-mhealth-code-to-aid-app-developers-in-the-eu/ mHealth Code to Aid App Developers in the EU] Privacy Code of Conduct for mHealth apps was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR). The second section of the Code sets out the practical guidelines. These are: | ||
| Line 41: | Line 115: | ||
==GDPR Articles== | ==GDPR Articles== | ||
*[https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect Sites block users, shut down activities and flood inboxes as GDPR rules loom] Unfortunately, even going to the extremes of blocking every user based in the EU might not be enough to inure companies from the consequences of GDPR: the law applies to data processed on EU citizens wherever they are based in the world. | *[https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect Sites block users, shut down activities and flood inboxes as GDPR rules loom] Unfortunately, even going to the extremes of blocking every user based in the EU might not be enough to inure companies from the consequences of GDPR: the law applies to data processed on EU citizens wherever they are based in the world. | ||
| + | *[http://www.bbc.com/news/technology-44252327 Google and Facebook accused of breaking GDPR laws] Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect. | ||
| + | The companies are accused of forcing users to consent to targeted advertising to use the services. | ||
| + | Privacy group noyb.eu led by activist Max Schrems said people were not being given a "free choice". | ||
| + | If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined. | ||
| + | *[https://www.reuters.com/article/us-facebook-privacy-eu/facebook-says-users-must-accept-targeted-ads-even-under-new-eu-law-idUSKBN1HP0HB Facebook says users must accept targeted ads even under new EU law] | ||
| + | *[https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-put-1-5-billion-users-out-of-reach-of-new-eu-privacy-law-idUSKBN1HQ00P Facebook to put 1.5 billion users out of reach of new EU privacy law] | ||
==UMA Legal== | ==UMA Legal== | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/iaccmcontractingprinciples.pdf IACCM Contracting Principles International Association for Contract and Commercial Management] | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/iaccmcontractingprinciples.pdf IACCM Contracting Principles International Association for Contract and Commercial Management] | ||
*[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/UMA%20Legal%20role%20definitions%20March%202018.pptx UMA Legal role definitions March 2018] | *[https://gforge.hl7.org/gf/project/security/docman/Security%20White%20Papers/Is%20Privacy%20Obsolete%20Study%20Group%20Library/UMA/UMA%20Legal%20role%20definitions%20March%202018.pptx UMA Legal role definitions March 2018] | ||
Latest revision as of 15:51, 15 April 2019
Contents
Meeting to produce a Whitepaper
Mondays at 10:00 am Eastern Time See HL7 Calendar item
Whitepaper proposed Outline
- Introduction and Scope -- that will explain we are only addressing FHIR specific topics
- Mapping of GDPR Articles to the existing Security or Privacy capability in FHIR -- this section will provide terse guidance on how we visualize the use.
- Identification of some gaps we identified -- nothing critical, mostly nice-to-have operations
- Conclusion -- FHIR is GDPR enabling
The whitepaper will be published on the HL7 confluence page: FHIR - GDPR
Conference Calls Agenda and Minutes:
Call details: Security WG FreeConference web meeting
Online Meeting ID: security36
Dial-in Number: (515) 604-9567
Access Code: 880898
- August 27, 2018 GDPR whitepaper on FHIR call
- September 10, 2018 GDPR whitepaper on FHIR call
- September 24, 2018 GDPR whitepaper on FHIR call
- October 22, 2018 GDPR whitepaper on FHIR call
- November 19, 2018 GDPR whitepaper on FHIR call
- November 26, 2018 GDPR whitepaper on FHIR call
- Jan 28, 2019 GDPR whitepaper on FHIR call
- Feb 04, 2019 GDPR whitepaper on FHIR call
- Feb 11, 2019 GDPR whitepaper on FHIR call
- Feb 25, 2019 GDPR whitepaper on FHIR call
- April 01, 2019 GDPR whitepaper on FHIR call
- April 08, 2019 GDPR whitepaper on FHIR call
- April 15, 2019 GDPR whitepaper on FHIR call
GDPR Background
- Useful GDPR regulation text reference
- Special Eurobarometer 395 Attitudes on Data Protection and Electronic Identity in the European Union
- Handbook on European data protection law 2018
The handbook has been prepared by the EU Agency for Fundamental Rights (FRA), with the Council of Europe (together with the Registry of the European Court of Human Rights) and the European Data Protection Supervisor.
This handbook outlines the legal standards relating to data protection set by the European Union (EU) and the Council of Europe (CoE). It is designed to assist practitioners not specialised in the field of data protection, including lawyers, judges and other legal practitioners, as well as individuals working for other bodies, such as non-governmental organisations (NGOs), who may be confronted with legal questions relating to data protection. The handbook serves as a first point of reference on relevant EU law and the European Convention on Human Rights (ECHR), as well as the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and other CoE instruments.
GDPR Presentations and Papers
- Standards support for key GDPR Policies - Rene Spronk
- Impact of the GDPR on the use of interoperability standards- Rene Spronk
- Guide to the General Data Protection Regulation - Bird&Bird
- GDPR is good for HL7 and standardization HL7 May 2018 Cologne - Petra Wilson
- Bernd Blobel EU Data Protection Regulation
- John Blog on Erasure Receipt
- John Blog report out from HL7 workgroup meeting GDPR discussions in Cologne
- Spreadsheet notes from GDPR discussions in Cologne
GDPR Connectathon May 2018
- GDPR Presentation for May 2018 Connectathon - Alex Mense
- May Cologne Connectathon 201805 GDPR
- John Blog on Erasure Receipt
- John Blog report out from HL7 workgroup meeting GDPR discussions in Cologne
- Spreadsheet notes from GDPR discussions in Cologne
GDPR Vocabulary
- Initial PROPOSAL SECURITY v3 and v2 Table 0717 Privacy Law and Consent Directive codes
- gdpr_lawful_reasons_for_processing Rene Spronk
GDPR Implementation by Country
- International Privacy Protection Law tool
- International Privacy Laws
- Norway Data Protection Laws and Regulations
GDPR mHealth Apps
- mHealth Code to Aid App Developers in the EU Privacy Code of Conduct for mHealth apps was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation (GDPR). The second section of the Code sets out the practical guidelines. These are:
- Consent of users: the need to obtain valid explicit consent from the data subject to collect and use their data
- Data Protection Principles – Purpose Limitation, Data Minimisation, Transparency, Privacy by design and privacy by default and data subject rights: these reflect principles at the heart of EU Data Protection rules
- Information to provide to users before they use the app: guidance on adopting a layered notice approach and using a condensed notice and full privacy policy
- Data Retention: the Code acknowledges that it can be difficult to irreversibly anonymise health data when the retention period expires
- Security: the requirement to carry out a Privacy Impact Assessment and adopt security measures recommended by ENISA
- Advertising on the app: any advertising must be authorised by the user but there is a difference in approach depending on whether the advertising involves the processing of personal data
- Use of data for secondary purposes: in instances where data could be used for scientific research or other big data analysis
- Disclosing data to third parties: ensuring that there’s an agreement in place with the third party is essential
- Data Transfers: complying with the rules around international data transfers
- Data Breach: what to do and whom to notify when a data breach occurs
- Children’s data: when apps are deliberately aimed at children
Posted on June 17th, 2016 By Victoria Hordern. Posted in Health Privacy/HIPAA, International/EU Privacy
- Trust in mHealth apps: As revealed by the European Commission's 2014 mHealth Green Paper consultation, people often do not trust mHealth apps, such as those monitoring your health or giving health advice. Respondents to the mentioned consultation considered that having users' consent as well as strong privacy and security tools in place is a crucial issue in relation to mobile health apps.
GDPR Articles
- Sites block users, shut down activities and flood inboxes as GDPR rules loom Unfortunately, even going to the extremes of blocking every user based in the EU might not be enough to inure companies from the consequences of GDPR: the law applies to data processed on EU citizens wherever they are based in the world.
- Google and Facebook accused of breaking GDPR laws Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.
The companies are accused of forcing users to consent to targeted advertising to use the services. Privacy group noyb.eu led by activist Max Schrems said people were not being given a "free choice". If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.
- Facebook says users must accept targeted ads even under new EU law
- Facebook to put 1.5 billion users out of reach of new EU privacy law
