morethanadiagnosis-hub/openspec/specs/privacy-compliance.md
2025-11-17 22:57:40 +00:00
# Privacy & Compliance Spec
Status: draft
Owners: Compliance, Security
## Scope
- GDPR: data subject rights, consent, DSR workflows, data minimization.
- HIPAA: PHI handling, access controls, audit logging, BAAs, breach response.
## Data classes
- Public, PII, PHI; document the per-field classification in `data-model.md`.
## Controls
- Encryption in transit (TLS 1.3) and at rest (AES-256). Key management with rotation.
- RBAC/ABAC for sensitive actions; least privilege; audit of admin actions.
- Logging with redaction; no PHI/PII in logs/traces.
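An added example, not part of this spec or the project's code, showing one way to enforce the "no PHI/PII in logs/traces" control: a `logging.Filter` that masks classified fields in structured records and scrubs identifier-shaped substrings from free-text messages. The field names and regexes here are assumed placeholders; the authoritative per-field classification is the one in `data-model.md`.

```python
import logging
import re

# Field names treated as PHI/PII (assumed list; the real per-field
# classification lives in data-model.md, which is not reproduced here).
SENSITIVE_FIELDS = {"patient_name", "dob", "diagnosis", "mrn", "email", "ssn", "phone"}

# Identifier-shaped patterns that tend to leak into free-text messages
# (constructed, illustrative; tune to the identifiers the system actually uses).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED-EMAIL]"),
    (re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE), "[REDACTED-MRN]"),
]


def redact_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_fields(record: dict) -> dict:
    """Return a copy of a structured record: classified fields are masked
    outright, other string values are scrubbed, nested dicts are recursed."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_fields(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


class PhiRedactionFilter(logging.Filter):
    """Scrubs msg and args before any handler formats the record, so the
    redaction applies regardless of which handler or formatter is attached."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = redact_fields(record.args)
        elif record.args:
            record.args = tuple(redact_text(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # always emit; we never drop records, only scrub them
```

Attach with `logger.addFilter(PhiRedactionFilter())` on the root logger so child loggers inherit it; a filter on a single handler would leave other handlers (and trace exporters) unprotected.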
## DSR & retention
- Defined SLAs and automated workflows for export/delete; retention policies per entity.
## Third parties
- Subprocessor inventory; data flow diagrams; DPAs/BAAs tracked.
## Validation
- Privacy & security review is a gate on every proposal that touches user data.