November 19, 2018 GDPR whitepaper on FHIR call
|x||Member Name||x||Member Name||x||Member Name||x||Member Name|
|X||John Moehrke Security Co-chair||X||Kathleen Connor Security Co-chair||X||Alexander Mense Security Co-chair||.||Trish Williams Security Co-chair|
|.||Christopher Shawn Security Co-chair||X||David Pyke CBCP Co-Chair||X||Giorgio Cangioli||.||Joe Lamy|
|X||Peter van Liesdonk|
- (5 min) Roll Call, Agenda Approval
- (10 min) Presentation Proposal "Purpose of Processing" (Peter) (link: https://docs.google.com/document/d/1rIHhL5FTIFVD9EGgW70SkElfsMH9ofHoDuYnVHMOZF4/edit?usp=sharing)
- (20 min) Harmonization discussion - PoU vs. Purpose of Processing
- (10 min) IPS use case - current state (Giorgio) (link: https://docs.google.com/document/d/1j8tWH52kEg_D_V2G8CXbKajfmidIk8P24HUbH0pHKjQ/edit?usp=sharing)
- (5 min) Reminder - open issues from WGM, still to be addressed:
  - Are update events to be reported in a transparency report? Depth of Provenance
  - Operations: Graham proposes to define an erasure operation that takes a Patient or Person. It returns rejected, success, or partial success.... (Question: is there a need for it to report what it deleted, or what it didn't? Nevertheless, it does need to report external recipients.)
  - Is there a need for an Operation for transparency, i.e. a search on AuditEvents?
  - Do we need a CapabilityStatement-like resource that describes server data retention rules? Possibly useful for the client too, to state the client need.
  - We might need to address Break-Glass as a healthcare safety mechanism.
Link to Confluence page: http://confluence.hl7.org/display/SEC/FHIR+-+GDPR