# Proposal: Privacy & Compliance Baseline

Status: draft
Authors: Compliance Team
Owners: Compliance Lead, Security Lead
Created: 2025-11-17
Scope: policy|spec
Related: openspec/specs/privacy-compliance.md

## Summary

- Define privacy classes (Public/PII/PHI), HIPAA/GDPR controls, DSR workflows, logging rules, and review gates for all future changes.

## Motivation

- The community includes sensitive health contexts; we must minimize PHI exposure and ensure proper legal and ethical handling.

## Goals / Non-Goals

- Goals: data classes, encryption, access controls, DSRs, retention, subprocessors, review gates.
- Non-Goals: vendor selection for key management or SIEM (follow-up proposals).

## User Stories

- As a member, I can control my data and request exports/deletions with clear SLAs.

## Requirements

- Functional: DSR endpoints/process, consent registry.
- Accessibility: clear consent UX, readable policies.
- Privacy & Compliance: HIPAA/GDPR alignment, audit logging without PHI/PII.

## Security & Threat Model

- Access to PII/PHI is audited; least-privilege access; incident response runbook.

## Migration / Rollout Plan

- Apply the policy immediately; integrate checks into CI; backfill data classification in `data-model.md`.

## Test Plan

- Policy lint checks; table/field classification checkers; redaction tests for logs.

## Acceptance Criteria

- `openspec/specs/privacy-compliance.md` approved; CI gates configured; DSR flow documented.

## Slash Commands

- `/review areas=compliance,security`
- `/apply spec=openspec/specs/privacy-compliance.md`
- `/archive link=`