Just to restate that while individual implementation issues will need to address national or subnational particularities in law, the protocol and related documentation should avoid depending on or referencing any particular country's laws.

Parenthetically I'll note that on privacy issues and rights the U.S. is more of an outlier.

John Wunderlich,


"...a world of near-total surveillance and endless record-keeping is likely to be one with less liberty, less experimentation, and certainly far less joy..." A. Michael Froomkin




On Fri, Aug 5, 2016 at 5:23 PM -0400, "Adrian Gropper" <agropper@healthurl.com> wrote:

Today's legal call was about the contract between the Grantor and the AS - or is it the ASO? As I understand it, we're looking for language to describe the relationship between the grantor / resource owner and her agent that will be operating an authorization service on her behalf.


The description of fiduciary duty seems to be quite clear.

Page 72 deals with Principal's Consent. The key paragraphs are (my underline):
  • (1)(a)(ii) 

    (ii) discloses all material facts that the agent knows, has reason to know, or should know would reasonably affect the principal's judgment unless the principal has manifested that such facts are already known by the principal or that the principal does not wish to know them

  • (1)(b)

    (b) the principal's consent concerns either a specific act or transaction, or acts or transactions of a specified type that could reasonably be expected to occur in the ordinary course of the agency relationship.

When Alice is informed about a particular transaction by the agent (in UMA this means that Alice is alerted to the specific RqP, Client, and Scopes) the situation is clear because Alice is more or less in the authorization loop. I would not use consent to describe this kind of transparency but IANAL.

Under what circumstances can the Agent be less transparent? Regardless of our creativity in adding modifiers like "dynamic" to consent, the key points are underlined by me as
  • A positive statement by Alice that she doesn't want to be notified, or
  • A "specified type that could reasonably be expected to occur".

I propose that the only way to get closure on this topic is by focusing on these two issues when Alice is signing a contract with an AS as a separate entity. The burden is on the ASO to adequately describe to Alice the specifications of the transactions that she will not be notified about and that are reasonably expected to occur. Alice would then use these descriptions in court in case of dispute.

Adrian




--

Adrian Gropper MD
