morethanadiagnosis-hub/openspec/specs/privacy-compliance.md


Privacy & Compliance Spec

Status: approved
Owners: Compliance, Security

Scope

  • GDPR: data subject rights, consent, DSR workflows, data minimization.
  • HIPAA: PHI handling, access controls, audit logging, BAAs, breach response.

Data classes

  • Public, PII, PHI — document the per-field classification in data-model.md.

Controls

  • Encryption in transit (TLS 1.3) and at rest (AES-256). Key management with documented rotation.
  • RBAC/ABAC for sensitive actions; least privilege; audit logging of admin actions.
  • Logging with redaction applied before records reach any sink; no PHI/PII in logs or traces.
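The "logging with redaction" control above is only effective if the scrub happens in the logging pipeline itself rather than at each call site. The following is an added example, not code from this repository: a stdlib `logging.Filter` that redacts values of keys classified PII/PHI (the key names here are assumed; the real list comes from the classification in data-model.md), scrubs free-text patterns for SSN, e-mail and MRN (constructed, not exhaustive), and is attached to the handler so records propagated from child loggers are covered as well.

```python
import logging
import re

# Keys whose values must never reach logs/traces. Assumed names for illustration;
# in practice derive them from the PII/PHI classification in data-model.md.
SENSITIVE_KEYS = {"ssn", "email", "dob", "mrn", "phone", "diagnosis", "patient_name"}

# Free-text patterns scrubbed from messages (constructed for this example, not exhaustive).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE), "[MRN]"),
]


def redact_text(text):
    """Replace every occurrence of a known PII/PHI pattern with its label."""
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text


def redact_fields(fields):
    """Return a copy of a dict: sensitive keys masked, nested dicts and strings scrubbed."""
    out = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_fields(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Scrubs the message, its %-args and any extra= attributes before the handler formats them."""

    def filter(self, record):
        # Non-string msg objects are stringified so the patterns can be applied.
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = redact_fields(record.args)
        elif record.args:
            record.args = tuple(redact_text(a) if isinstance(a, str) else a for a in record.args)
        # Attributes injected via extra={...} live directly on the record.
        for attr, value in list(record.__dict__.items()):
            if attr.lower() in SENSITIVE_KEYS:
                setattr(record, attr, "[REDACTED]")
            elif attr != "args" and isinstance(value, dict):
                setattr(record, attr, redact_fields(value))
        return True


class CapturingHandler(logging.Handler):
    """Keeps formatted lines and raw records in memory so the result can be inspected offline."""

    def __init__(self):
        super().__init__()
        self.lines = []
        self.records = []

    def emit(self, record):
        self.records.append(record)
        self.lines.append(self.format(record))


def build_logger(name="privacy.demo"):
    """Logger whose single handler redacts every record it handles, including propagated ones."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = CapturingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # on the handler, not the logger: logger filters skip propagated records
    logger.addHandler(handler)
    return logger, handler


if __name__ == "__main__":
    log, h = build_logger()
    log.info("Export requested by %s for MRN 0012345", "jane.doe@example.com", extra={"mrn": "0012345"})
    print(h.lines[-1])
```

Attaching the filter to the handler rather than the logger matters: `Logger.filter` runs only for records created on that logger, while handler filters run for every record the handler receives, including those propagated from child loggers. The pattern list is a safety net, not the primary control; the primary control is never passing classified fields to the logger in the first place, which is what the CI check under "Acceptance and enforcement" is meant to catch.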

DSR & retention

  • Defined SLAs and automated workflows for export/delete; retention policies per entity.

Third-party

  • Subprocessors inventory; data flow diagrams; DPAs/BAAs tracked.

Validation

  • Privacy & security review is a gate on every proposal that touches user data.

Data subject request (DSR) workflow

  • Intake: authenticated portal and support channel; track request ID and SLA clock.
  • Verify: identity-verification step proportionate to the sensitivity of the data requested; log the verification outcome and every access to subject data.
  • Fulfill: export as machine-readable JSON/CSV; delete via a reversible soft-delete window where permitted, followed by irreversible purge once the window closes.
  • Notify: confirmation to requester; record of processing activities updated.
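The four steps above, carried through in code as an added example (not the hub's own implementation): an in-memory DSR service with an SLA deadline computed at intake, a verification gate that blocks fulfilment, JSON export, soft-delete into a tombstone with a purge time, restore allowed only inside the window, and a purge job that hard-deletes afterwards. The 30-day SLA (one month under GDPR Art. 12(3)) and the 14-day reversible window are assumed policy values, and the audit trail deliberately records only identifiers, never subject data.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this example; take the real ones from the approved spec.
SLA = timedelta(days=30)                 # GDPR Art. 12(3): one month from receipt
SOFT_DELETE_WINDOW = timedelta(days=14)  # reversible window before irreversible purge


@dataclass
class DsrRequest:
    request_id: str
    subject_id: str
    kind: str                      # "export" or "delete"
    received_at: datetime
    verified: bool = False
    fulfilled_at: Optional[datetime] = None

    @property
    def deadline(self):
        return self.received_at + SLA

    def overdue(self, now):
        return self.fulfilled_at is None and now > self.deadline


class DsrService:
    def __init__(self):
        self.subjects = {}    # subject_id -> dict of records (constructed in-memory store)
        self.tombstones = {}  # subject_id -> (records, purge_after)
        self.requests = {}
        self.audit = []       # identifiers only: no PHI/PII ever goes in here

    def _log(self, now, event, **ctx):
        self.audit.append({"at": now.isoformat(), "event": event, **ctx})

    def intake(self, request_id, subject_id, kind, now):
        """Intake: register the request and start the SLA clock."""
        req = DsrRequest(request_id, subject_id, kind, now)
        self.requests[request_id] = req
        self._log(now, "dsr.intake", request_id=request_id, kind=kind, deadline=req.deadline.isoformat())
        return req

    def verify(self, request_id, now, challenge_passed):
        """Verify: record the outcome of whatever identity check the sensitivity demands."""
        req = self.requests[request_id]
        req.verified = bool(challenge_passed)
        self._log(now, "dsr.verify", request_id=request_id, outcome=req.verified)
        return req.verified

    def fulfill(self, request_id, now):
        """Fulfill: export returns a JSON document; delete moves records into a tombstone."""
        req = self.requests[request_id]
        if not req.verified:
            raise PermissionError("identity not verified")
        if req.kind == "export":
            result = json.dumps({"subject_id": req.subject_id, "data": self.subjects[req.subject_id]}, sort_keys=True)
        elif req.kind == "delete":
            records = self.subjects.pop(req.subject_id)
            self.tombstones[req.subject_id] = (records, now + SOFT_DELETE_WINDOW)
            result = None
        else:
            raise ValueError(f"unknown request kind {req.kind!r}")
        req.fulfilled_at = now
        self._log(now, "dsr.fulfill", request_id=request_id, kind=req.kind)
        return result

    def restore(self, subject_id, now):
        """Reverse a soft delete; refused once the window has closed."""
        entry = self.tombstones.get(subject_id)
        if entry is None or now > entry[1]:
            return False
        self.subjects[subject_id] = entry[0]
        del self.tombstones[subject_id]
        self._log(now, "dsr.restore", subject_id=subject_id)
        return True

    def purge(self, now):
        """Scheduled job: hard-delete every tombstone whose window has expired."""
        purged = [sid for sid, (_, purge_after) in self.tombstones.items() if now >= purge_after]
        for sid in purged:
            del self.tombstones[sid]
            self._log(now, "dsr.purge", subject_id=sid)
        return purged
```

The Notify step is the caller's responsibility (confirmation to the requester and update of the record of processing activities); in this design the audit list is the evidence it draws on, which is why it must never hold anything classified PII/PHI.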

Acceptance and enforcement

  • CI policy checks for classification coverage and log redaction.
  • Table/field inventory maintained in data-model.md with data class and retention policy.
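A CI policy check of the kind listed above, written here as an added example rather than the repository's own tooling. It reads an inventory in an assumed JSON shape (tables, each with a retention policy and a field-to-class map; the real source is data-model.md, whose format this example does not know), fails the build when any field lacks a valid class or any table lacks retention, and cross-checks an assumed allowlist of fields that application code may emit to logs so that nothing classified PII/PHI is ever whitelisted for logging. The inventory and allowlist below are constructed and intentionally contain three violations.

```python
import json
import sys

VALID_CLASSES = {"Public", "PII", "PHI"}

# Constructed stand-in for the inventory kept in data-model.md (assumed schema).
INVENTORY_JSON = """
{
  "tables": {
    "patients": {
      "retention": "7y after last visit",
      "fields": {"id": "Public", "mrn": "PHI", "email": "PII", "diagnosis_code": "PHI"}
    },
    "audit_log": {
      "retention": "6y",
      "fields": {"actor_id": "Public", "action": "Public", "target_table": "Public"}
    },
    "support_tickets": {
      "fields": {"id": "Public", "body": null}
    }
  }
}
"""

# Assumed: table.field references that application code is permitted to emit into logs/traces.
LOG_ALLOWLIST = ["patients.id", "patients.email", "audit_log.actor_id"]


def check_inventory(inventory, log_allowlist):
    """Return a list of policy violations; an empty list means the gate passes."""
    violations = []
    classes = {}
    for table, spec in inventory.get("tables", {}).items():
        if not spec.get("retention"):
            violations.append(f"{table}: no retention policy")
        for field_name, data_class in spec.get("fields", {}).items():
            classes[f"{table}.{field_name}"] = data_class
            if data_class not in VALID_CLASSES:
                violations.append(f"{table}.{field_name}: missing or invalid data class ({data_class!r})")
    # Log-redaction coverage: only Public fields may be allowlisted for logging.
    for ref in log_allowlist:
        data_class = classes.get(ref)
        if data_class is None:
            violations.append(f"{ref}: log allowlist references unknown field")
        elif data_class != "Public":
            violations.append(f"{ref}: {data_class} field may not be logged")
    return violations


def run(inventory_text=INVENTORY_JSON, log_allowlist=LOG_ALLOWLIST):
    """CI entry point: print each violation and return a non-zero exit status if any exist."""
    violations = check_inventory(json.loads(inventory_text), log_allowlist)
    for violation in violations:
        print("POLICY VIOLATION:", violation)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(run())
```

Wire `run()` into the pipeline as a required check so that a field added without a class, a table added without retention, or a PII/PHI field slipped into the logging allowlist blocks the merge rather than surfacing in a later audit.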