James,In healthcare this is current best-practice, when a consent needs to be known by multiple parties. Most consents only need to be known by the data-holder to enable them to release data that the consent authorizes. When multiple parties need to know, we use a system like you have described. The dominant form of this comes from a profiling organization -- Integrating the Healthcare Enterprise (IHE) -- a very similar organization to Kantara for the healthcare domain. This is profiled in "Basic Patient Privacy Consents (BPPC)".There is also the work of Kantara on Consent Receipts....This kind of evidence could be defined in pseudonym space and of YES/NO basis, thus reasonable to put on blockchain. If done, the smart-contract could be simple enough. This is the essence of a blog article I posted in May.This supports consents without exceptions or conditions or obligations. Which covers some space. Healthcare is moving to the next step, being able to encode some of the rules (vectors) that are commonly needed by Patients. Again within IHE there is an effort focused on a Document Sharing system, also from IHE. This is profiled as "Advance Patient Privacy Consent" (APPC), which is a profile of XACML policy-set. It leverages BPPC to manage the documentation, just using XACML for the exceptions to the base policy.SImilar is being done in HL7 FHIR in a RESTful resource -- Consent Resource. ....somewhat related is the work of HEART. -- rather than focus on capturing consent rules in standardized documentation, they focus on standardizing access control decisions using UMA.....I am working on a series of blog articles to explain this. Just published yesterday a top-level viewwhen the rules get more complex, I think the system must use a more comprehensive access control system, smart-contracts will not be sufficient. It is possible that the smart-contract could leverage a access control service using one of the above. But question as to why it would be helpful to put a smart-contract onto blockchain that does nothing but return the results of service call... Hence why I am not convinced that the authorization to access healthcare data should be implemented in smart-contract. This doesn't diminish the discussion, it is just my current perspective.JohnJohn Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067
JohnMoehrke@gmail.com
https://www.linkedin.com/in/johnmoehrke
https://healthcaresecprivacy.blogspot.com
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")On Tue, Aug 23, 2016 at 11:12 AM, James Hazard <james.g.hazard@gmail.com> wrote:Very good call today. I was very interested in the discussion of templated consents. This seems very productive. If the consents are authored from templates and have GUIDs, then they can be made machine readable even if all the machine can read is the GUID (for instance in scanned PDFs, which I'm told are common). The GUID also provides a basis for notifications and permissions.Here is a bit of old work that I did (Primavera did the diagrams) for the Global Alliance for Genomics and Health.http://www.commonaccord.org/index.php?action=list&file=Wx/or The complexity of the example reflects (some of) the complexity of the relationships.g/genomicsandhealth/REWG/Demo/ --@commonaccord
_______________________________________________
DG-BSC mailing list
DG-BSC@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-bsc