nuts-foundation / nuts-specification

Contains the source of the Nuts specification RFCs.
https://nuts-foundation.gitbook.io

'Legal Base' should be 'Legal basis' and align with the legal definition. (RFC001 Nuts Start Architecture) #248

Closed CiolinaNictiz closed 1 year ago

CiolinaNictiz commented 1 year ago

I noticed both the terminology and definition in RFC001 deviate from established legal texts, specifically the GDPR.

Terminology: 'Rechtsgrond' translates to 'Legal basis', not 'Legal Base'. This may be verified by comparing the English and Dutch texts of the GDPR, where the term first appears in consideration 41 of the opening statement (and then throughout the document).

N.B. Permission as used in Wabpvz art. 15a doesn't provide a legal basis for exchange of medical data (just index sharing), so Wabpvz definition of permission does not apply.

Definition: The current definition of Legal Base in RFC001 ends with 'By default, no medical data may be exchanged'. This conforms to Article 9, paragraph 1 of the GDPR.

However, the opening ('Grounds ... given by the subject ...') implies a data subject must assign the legal grounds for processing of their personal (health) data. This is wrong, as technically the controller must establish the legal basis before they process data to achieve a specific goal! It also, wrongly, implies only consent as defined in GDPR article 9, paragraph 2, point A can be used to process medical data, ignoring points B to J of the same paragraph. These provide many more possible legitimizations, most without the explicit dependence on other laws present in point A.

I suggest removing the reference to consent and changing to: 'Grounds for medical data exchange conforming to national and international legislation.'

woutslakhorst commented 1 year ago

Thank you for your feedback. I made some changes in #249. Could you review them?