morethanadiagnosis-hub/openspec/changes/2025-11-17-privacy-compliance-baseline/proposal.md

Proposal: Privacy & Compliance Baseline

Status: archived Archived: 2025-11-17 Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/1 Authors: Compliance Team Owners: Compliance Lead, Security Lead Created: 2025-11-17 Scope: policy|spec Related: openspec/specs/privacy-compliance.md

Summary

• Define privacy classes (Public/PII/PHI), HIPAA/GDPR controls, DSR workflows, logging rules, and review gates for all future changes.

Motivation

• The community includes sensitive health contexts; we must minimize PHI exposure and ensure proper legal and ethical handling.

Goals / Non-Goals

• Goals: data classes, encryption, access controls, DSRs, retention, subprocessors, review gates.
• Non-Goals: vendor selection for key mgmt or SIEM (follow-up proposals).

User Stories

• As a member, I can control my data and request exports/deletions with clear SLAs.

Requirements

• Functional: DSR endpoints/process, consent registry.
• Accessibility: clear consent UX, readable policies.
• Privacy & Compliance: HIPAA/GDPR alignment, audit logging without PHI/PII.

Security & Threat Model

• Access to PII/PHI audited; least-privilege; incident response runbook.

Migration / Rollout Plan

• Apply policy immediately; integrate checks into CI; backfill data classification in data-model.md.

Test Plan

• Policy lint checks; table/field classification checkers; redaction tests for logs.

Acceptance Criteria

• openspec/specs/privacy-compliance.md approved; CI gates configured; DSR flow documented.

Slash Commands

• /review areas=compliance,security
• /apply spec=openspec/specs/privacy-compliance.md
• /archive link=<PR>