On 2003-04-29 3:44, "Thomas Clark" <tclark at hcsystems.com> wrote:
> Hi Paul,
>
> ....
> ....
>
> You are very right concerning the involvement of judges and attorneys. The
> legal issues must be handled up front.
>
> -Thomas Clark

Yes. The problem is that in Europe, the USA, Canada, Australia, etc., there are many legal systems. One generic solution that will fit all will be difficult. The problem is intractable because it is a problem with at least 5 degrees of freedom, if not more. In order to solve this we need discussions on:
- descriptions of contexts,
- the type of infrastructure (pull/push, federation/messaging, MAC/DAC, the level of social (persons) control versus the dependency on technology for control, etc.),
- what is stored in the audit log,
- scenarios / use cases.
And then we can have nice discussions as I read now on this list.

One solution is to assume for the discussion the existence of a Service next to the EHR service that will control access, and that the EHR service is completely ignorant and passive for this Access Service to operate. Then each country (legal jurisdiction) is able to handle its own context, and we all can use the same standard for the EHR. The Access Service will act as a 'firewall' and has all the responsibilities for granting access. Personally I favour this simplistic approach.

But I know there are two major contexts:
- within a legal entity
- between legal entities.
In an institution there can be a mix of these two.

Within a legal entity I will depend on social measures and therefore audit trails for security. For this solution we need a set of agreed rules plus a discussion on the content of the audit trail.

Between legal entities information can only be exchanged when a person consciously accepts responsibility for a set of information to be shared for a specific purpose with a specific set of other persons. The provisions for exceptions need to be spelled out completely. Here again the audit trail and a set of rules are needed. But foremost it must be one person that takes full responsibility.
As you can see I try to solve the problem by not depending too much on informational facilities in any EHR. But I will depend on the audit trail, where it will be recorded what was published and what was accessed, by whom, for what purpose, etc. This is not part of the EHR.

The reason why I'm suggesting this way of solving the problem is:
- the problem of access control is about handling responsibility and proof. Only persons can be held responsible.
- access control easily assumes that the evaluation of Identity, Role, Participation, and the trustworthiness of information (or sets of information) are constant over time. None of them is constant at all over time. Therefore we cannot rely on machines to operate on value judgements (rules) from the past. We need judgements made by responsible persons as a reaction to a request by another responsible person as much as possible.

Gerard

--
<private>
--
Gerard Freriks, arts (physician)
Huigsloterdijk 378
2158 LR Buitenkaag
The Netherlands
+31 252 544896
+31 654 792800

-
If you have any questions about using this list, please send a message to d.lloyd at openehr.org
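The architecture Gerard sketches in the message above (a passive EHR service, a separate Access Service acting as the 'firewall', one named person who accepts responsibility for sharing a set of information for a purpose with a set of recipients, and an audit trail outside the EHR recording publications and accesses) can be made concrete with a small model. The following is an added example written for this page; it is not code from the openEHR project or from any list participant. The class names (EhrStore, AccessService, Grant, AuditEntry), the validity window on a grant (one way to express that judgements are not constant over time), and the sample records in demo() are all assumptions made for the illustration.

```python
"""Added illustration of an Access Service in front of a passive EHR service.
Not openEHR code; all names and sample data below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One person's conscious acceptance of responsibility: this information
    set may be shared for this purpose with these recipients, for a limited
    time. The time window is an assumption: judgements change, so a grant
    from the past should not be honoured indefinitely."""
    responsible: str            # the one person who takes full responsibility
    info_set: str               # identifier of the set of information shared
    purpose: str
    recipients: FrozenSet[str]
    valid_from: datetime
    valid_until: datetime

    def covers(self, requester: str, info_set: str, purpose: str, at: datetime) -> bool:
        return (self.info_set == info_set and self.purpose == purpose
                and requester in self.recipients
                and self.valid_from <= at < self.valid_until)


@dataclass
class AuditEntry:
    """What the trail records: what happened, to which information, by whom,
    for what purpose, and on whose responsibility the decision rested."""
    when: datetime
    event: str                  # "publish" | "grant" | "access" | "refused"
    actor: str
    info_set: str
    purpose: Optional[str]
    decided_by: Optional[str]   # responsible person whose grant was applied
    detail: str = ""


class EhrStore:
    """Passive EHR service: stores and returns information sets and knows
    nothing about who may read them (assumed dict-backed for the example)."""
    def __init__(self) -> None:
        self._data: Dict[str, str] = {}

    def put(self, info_set: str, content: str) -> None:
        self._data[info_set] = content

    def get(self, info_set: str) -> str:
        return self._data[info_set]


class AccessService:
    """The 'firewall': every publication and every read passes through it,
    it applies the grants, and it writes the audit trail, which lives here
    and not in the EHR."""
    def __init__(self, ehr: EhrStore) -> None:
        self._ehr = ehr
        self._grants: List[Grant] = []
        self.audit: List[AuditEntry] = []

    def publish(self, actor: str, info_set: str, content: str, at: datetime) -> None:
        self._ehr.put(info_set, content)
        self.audit.append(AuditEntry(at, "publish", actor, info_set, None, None))

    def grant(self, g: Grant, at: datetime) -> None:
        self._grants.append(g)
        self.audit.append(AuditEntry(at, "grant", g.responsible, g.info_set, g.purpose,
                                     g.responsible,
                                     f"to {sorted(g.recipients)} until {g.valid_until.isoformat()}"))

    def access(self, requester: str, info_set: str, purpose: str, at: datetime) -> Optional[str]:
        """Return the information only if a current grant by a responsible
        person covers this requester, this purpose and this moment; record
        the outcome either way so the trail also shows refused requests."""
        for g in self._grants:
            if g.covers(requester, info_set, purpose, at):
                self.audit.append(AuditEntry(at, "access", requester, info_set, purpose, g.responsible))
                return self._ehr.get(info_set)
        self.audit.append(AuditEntry(at, "refused", requester, info_set, purpose, None,
                                     "no current grant covers this request"))
        return None


def demo() -> Tuple[Tuple[Optional[str], ...], List[Tuple[str, str, Optional[str]]]]:
    """Constructed scenario (sample data, not real records): a physician at
    one legal entity shares a lab result with a named colleague at another,
    for referral only, for 30 days. Returns the access results and a
    condensed view of the audit trail."""
    t0 = datetime(2003, 4, 29, 9, 0, tzinfo=timezone.utc)
    svc = AccessService(EhrStore())
    item = "patient-42/lab-2003-04"
    svc.publish("dr.a@hospital-x", item, "HbA1c 7.1%", t0)
    svc.grant(Grant("dr.a@hospital-x", item, "referral", frozenset({"dr.b@clinic-y"}),
                    t0, t0 + timedelta(days=30)), t0)
    day1, day31 = t0 + timedelta(days=1), t0 + timedelta(days=31)
    results = (
        svc.access("dr.b@clinic-y", item, "referral", day1),   # granted
        svc.access("dr.b@clinic-y", item, "research", day1),   # wrong purpose
        svc.access("dr.c@clinic-y", item, "referral", day1),   # not a recipient
        svc.access("dr.b@clinic-y", item, "referral", day31),  # grant expired
    )
    return results, [(e.event, e.actor, e.decided_by) for e in svc.audit]
```

The point of the shape is that the EHR never decides anything: the decision is always traceable in the trail to the person who took responsibility, refusals are recorded alongside successes, and a grant that was right in the past stops working once its window closes, so a fresh judgement by a responsible person is required rather than a rule evaluated long ago.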

