
Dazza and I were chatting about how roles might map between UMA and the MVCR (which references roles from ISO 29100). We thought this might be useful in providing a place to start. - Mark

Extracted from Binding Obligations

Requesting Party
Resource Server Operator
Authorization Server Operator
Authorizing Party

Statutory Privacy Roles

Extracted from ISO 29100

2.11 PII controller
entity (or entities) that determines the purposes and means for processing PII other than individual persons who use data for personal purposes
NOTE A PII controller sometimes instructs others (e.g., PII processors) to process PII on its behalf while the responsibility for the processing remains with the PII controller.

2.12 PII principal
natural person to whom the PII relates
NOTE Depending on the jurisdiction and the particular data protection and privacy legislation, the concept of a “PII principal” may also be defined as a “data subject”.

2.13 PII processor
entity that processes PII on behalf of and in accordance with the instructions of a PII controller

2.26 third party
an entity other than the PII principal, the PII controller and the PII processor, and the persons who are authorized to process the data under the direct authority of the PII controller or the PII processor

UMA Healthcare Use Case Roles

Extracted from Adrian's use cases

Alice
Bob
EHR-1 Operator
EHR-2 Operator
PCP (Primary Care Provider)
Custodian

3.1.1 Extrapolating from Existing Legal Scenarios