# Proposal: Privacy & Compliance Baseline

Status: draft
Authors: Compliance Team
Owners: Compliance Lead, Security Lead
Created: 2025-11-17
Scope: policy|spec
Related: openspec/specs/privacy-compliance.md

Summary
- Define privacy classes (Public/PII/PHI), HIPAA/GDPR controls, DSR workflows, logging rules, and review gates for all future changes.

Motivation
- The community includes sensitive health contexts; we must minimize PHI exposure and ensure proper legal and ethical handling.

Goals / Non-Goals
- Goals: data classes, encryption, access controls, DSRs, retention, subprocessors, review gates.
- Non-Goals: vendor selection for key mgmt or SIEM (follow-up proposals).

User Stories
- As a member, I can control my data and request exports/deletions with clear SLAs.

Requirements
- Functional: DSR endpoints/process, consent registry.
- Accessibility: clear consent UX, readable policies.
- Privacy & Compliance: HIPAA/GDPR alignment, audit logging without PHI/PII.

Security & Threat Model
- Access to PII/PHI audited; least-privilege; incident response runbook.

Migration / Rollout Plan
- Apply policy immediately; integrate checks into CI; backfill data classification in `data-model.md`.

Test Plan
- Policy lint checks; table/field classification checkers; redaction tests for logs.

Acceptance Criteria
- `openspec/specs/privacy-compliance.md` approved; CI gates configured; DSR flow documented.

Slash Commands
- `/review areas=compliance,security`
- `/apply spec=openspec/specs/privacy-compliance.md`
- `/archive link=<PR>`