runfoo-org/morethanadiagnosis-hub
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
morethanadiagnosis-hub/openspec/changes/2025-11-17-privacy-compliance-baseline/proposal.md
Claude 3b2b808bc5
docs(openspec): archive baseline proposals after successful merge 
/archive link=https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/1

Complete the OpenSpec lifecycle for all four baseline proposals:
- Architecture Baseline → approved and applied
- Privacy & Compliance Baseline → approved and applied
- Accessibility Baseline → approved and applied
- Wix Migration Plan → approved and applied

All proposals marked as archived with PR traceability.
OpenSpec lifecycle complete: propose → review → apply → archive ✓
2025-11-17 23:35:10 +00:00

46 lines
1.6 KiB
Markdown
Raw Blame History

# Proposal: Privacy & Compliance Baseline
Status: archived
Archived: 2025-11-17
Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/1
Authors: Compliance Team
Owners: Compliance Lead, Security Lead
Created: 2025-11-17
Scope: policy|spec
Related: openspec/specs/privacy-compliance.md
Summary
- Define privacy classes (Public/PII/PHI), HIPAA/GDPR controls, DSR workflows, logging rules, and review gates for all future changes.
Motivation
- The community includes sensitive health contexts; we must minimize PHI exposure and ensure proper legal and ethical handling.
Goals / Non-Goals
- Goals: data classes, encryption, access controls, DSRs, retention, subprocessors, review gates.
- Non-Goals: vendor selection for key mgmt or SIEM (follow-up proposals).
User Stories
- As a member, I can control my data and request exports/deletions with clear SLAs.
Requirements
- Functional: DSR endpoints/process, consent registry.
- Accessibility: clear consent UX, readable policies.
- Privacy & Compliance: HIPAA/GDPR alignment, audit logging without PHI/PII.
Security & Threat Model
- Access to PII/PHI audited; least-privilege; incident response runbook.
Migration / Rollout Plan
- Apply policy immediately; integrate checks into CI; backfill data classification in `data-model.md`.
Test Plan
- Policy lint checks; table/field classification checkers; redaction tests for logs.
Acceptance Criteria
- `openspec/specs/privacy-compliance.md` approved; CI gates configured; DSR flow documented.
Slash Commands
- `/review areas=compliance,security`
- `/apply spec=openspec/specs/privacy-compliance.md`
- `/archive link=<PR>`
Reference in a new issue View git blame Copy permalink