1.5 KiB
1.5 KiB
Proposal: Privacy & Compliance Baseline
Status: draft Authors: Compliance Team Owners: Compliance Lead, Security Lead Created: 2025-11-17 Scope: policy|spec Related: openspec/specs/privacy-compliance.md
Summary
- Define privacy classes (Public/PII/PHI), HIPAA/GDPR controls, DSR workflows, logging rules, and review gates for all future changes.
Motivation
- The community includes sensitive health contexts; we must minimize PHI exposure and ensure proper legal and ethical handling.
Goals / Non-Goals
- Goals: data classes, encryption, access controls, DSRs, retention, subprocessors, review gates.
- Non-Goals: vendor selection for key mgmt or SIEM (follow-up proposals).
User Stories
- As a member, I can control my data and request exports/deletions with clear SLAs.
Requirements
- Functional: DSR endpoints/process, consent registry.
- Accessibility: clear consent UX, readable policies.
- Privacy & Compliance: HIPAA/GDPR alignment, audit logging without PHI/PII.
Security & Threat Model
- Access to PII/PHI audited; least-privilege; incident response runbook.
Migration / Rollout Plan
- Apply policy immediately; integrate checks into CI; backfill data classification in
data-model.md.
Test Plan
- Policy lint checks; table/field classification checkers; redaction tests for logs.
Acceptance Criteria
openspec/specs/privacy-compliance.mdapproved; CI gates configured; DSR flow documented.
Slash Commands
/review areas=compliance,security/apply spec=openspec/specs/privacy-compliance.md/archive link=<PR>