UMA telecon 2014-09-11

...

Adrian notes that, in healthcare, there's a need for "Accounting for Disclosures" that needs to be accessed at individual relying parties for privacy reasons. Would the consent receipt play a role in pointing to where the resource owner could find the AfDs? It appears yes. Eve notes that, by default in UMA, the RS never does tell the AS that it did give access to some client/RqP on request – she'd seen this as a "bug" in that you can't (without further extension of what the RS tells the AS about actual access having been granted) centrally know what access was given, but maybe it's a "feature" for healthcare data in that this is kept decentralized.

Domenico presented an IoT use case in which the doctor needs to share the patient's heartbeat data with the EHR system and an external party. The sharing policy should be inherited by the mediator client (smart device), which will act as resource server for the EHR system and the external Requester. The idea is that the granting of access comes with the right to grant further sharing "downstream". Adrian notes that in healthcare (which this example uses as the scenario!), the patient's identity is very important to be clear about! Is the patient pseudonymous, or what? So it could be that the granting of further sharing must be under deidentification controls of some sort. Domenico's wireframe example has an "anonymous data" checkbox, in fact.

...

AI: Eve: Stimulate discussion of the single-RS eager binding question and the RPT expiration question on the list leading up to the Sep 25 all-hands call.

Attendees

  • Eve
  • Mark D
  • Domenico
  • Susan
  • Adrian
  • Andi
  • Mike
  • Sal
  • Mark L
  • Yuriy
  • Jin
  • George
  • Maciej

...