agropper
commented
3 years ago I find it useful to frame issues related to consent in terms of policy decision points (PDP) and policy enforcement points (PEP). This issue seems to be about whether the policies of the PDP are visible to the PEP. This issue is the same regardless of whether the authorization model is capabilities or ACL. To the extent the resource owner (RO) controls the policies and also controls the structure of resources protected by the PEP, it would be up to the RO to design the structure, and therefore the filtering options for resources in storage.
From this perspective, this issue is out of scope for EDVs.
That said, an EDV that was particularly clever (or evil) could guess that it was storing FHIR-structured health records and then, based on traffic analysis, decode which component of a health record was being requested when and by which clients. A concerned resource owner would apply herd immunity principles to mitigate this risk. They might bundle the whole FHIR health record into one document and do the filtering client-side. They might introduce a mediator role in order to obscure the network address and other fingerprints of the client.
neiljthomson
While the core use cases cover only returning data items based on consent, while I suspect I am not looking hard enough, I don't see a requirement/use case for filtering data returned to a requester based on consent by the data owner (e.g., you can only have de-identified data vs. returning all the properties in my medical records).
While such a filtering service may be in the "client" of the client/server model (as I understand it - and is admittedly limited at this point) vs. the EDV server) or in an associated Data Hub, there surely are requirements that need to be specified in how this filtering can take place without leaking information (e.g., do the filtering in an sandbox within the EDV server/client or Data Hub vs. decrypting, transferring then filtering).