Application Data Exchange Assessment Framework and Functional Requirements for Mobile Health
0.1.0 - STU 1 Ballot

This page is part of the Application Data Exchange Assessment Framework and Functional Requirements for Mobile Health (v0.1.0: STU 1 Ballot 1) based on FHIR R4. For a full list of available versions, see the Directory of published versions.

User Choice

The user choice category ensures that a user has control over how sharing occurs. It includes features that enable the user to restrict commercial use of their data, and to remove themselves from the system, as well as download their data to enable transfer to another system.

Feature: The User Can Request Deletion of All of Their Data.

The system SHALL enable deletion of all of the user’s data at the user’s request.

NOTE: This requirement only describes the ability for a user to delete the data a system would normally make visible. It does not ensure that data that exists in backups, or which has been sent to other parties, is also deleted. That is outside of the scope of this specification.

Scenario: User Requests Data Deletion.

GIVEN
A <User>
AND
A <System> (an App or Infrastructure)
AND
<Data> has been recorded in/by <System>
WHEN
The <User> requests deletion of their data from <System>
THEN
The data is no longer available via <System>.

Feature: The User Can Request Their Data Not be Sold.

The system SHALL enable a user to request their data not be sold.

Scenario: User Requests Their Data Not be Sold.

GIVEN
A <System> (an App or Infrastructure)
AND
published <Policies> for system regarding sale of user data (including aggregate/anonymized data).
WHEN
the <Policies> are reviewed,
THEN
it is clear that <Policies> prohibit sale of user data (including in aggregate and/or anonymized form).

Feature: The User Can Download All of Their Data.

The system SHALL enable download of all of the user’s data in a machine readable, integrity preserving form at the user’s request.

This feature enables a user to acquire their data before deleting their records from a system, possibly to transfer them to another system.

The download must preserve the integrity of the data and be reasonably parsable by a computer system. A PDF report is NOT generally considered to be parsable, and so would not meet the requirements of this section. A spreadsheet containing multiple tabs which included all data accessible via APIs would satisfy this requirement. A system cannot simply claim this capability by virtue of there existing an API through which an appropriately developed App COULD perform this function. The system must provide this capability directly to the user.

Scenario: User Requests All of Their Data.

GIVEN
A <User>
AND
A <System> (an App or Infrastructure)
AND
<Data> has been recorded in/by <System>
WHEN
The <User> requests a <Download> of all of their <Data> from <System> and the <Download> is inspected
THEN
The <Download> is machine readable
AND
The <Download> contains all the <Data>
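An assessor's check for this scenario, added here as example code that is not part of the specification: it assumes the <Download> is a FHIR R4 Bundle serialised as JSON (one of the machine-readable forms the text allows) and that the assessor holds the <Data> the <System> recorded, and it reports whether the download parses, whether every recorded resource is present, and whether any resource was altered in transit.

```python
import json
from dataclasses import dataclass, field


@dataclass
class DownloadAssessment:
    machine_readable: bool
    missing: list = field(default_factory=list)  # recorded resources absent from the download
    altered: list = field(default_factory=list)  # present in the download, but content differs

    def passes(self) -> bool:
        # The scenario's THEN clauses: machine readable AND contains all the Data, unaltered.
        return self.machine_readable and not self.missing and not self.altered


def canonical(resource: dict) -> str:
    # Key order and whitespace are not content; compare a canonical serialisation.
    return json.dumps(resource, sort_keys=True, separators=(",", ":"))


def bundle_of(resources: list) -> bytes:
    """Serialise resources as a FHIR R4 collection Bundle (the assumed download format)."""
    return json.dumps({"resourceType": "Bundle", "type": "collection",
                       "entry": [{"resource": r} for r in resources]}).encode("utf-8")


def assess_download(download: bytes, recorded: list) -> DownloadAssessment:
    """Check a <Download> against the <Data> the <System> recorded for the <User>."""
    try:
        bundle = json.loads(download.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return DownloadAssessment(machine_readable=False)  # e.g. a PDF report
    if not isinstance(bundle, dict) or bundle.get("resourceType") != "Bundle":
        return DownloadAssessment(machine_readable=False)
    # Index downloaded resources by (type, id) so each recorded resource can be located.
    downloaded = {}
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        downloaded[(res.get("resourceType"), res.get("id"))] = res
    result = DownloadAssessment(machine_readable=True)
    for res in recorded:
        key = (res["resourceType"], res["id"])
        if key not in downloaded:
            result.missing.append(key)
        elif canonical(downloaded[key]) != canonical(res):
            result.altered.append(key)
    return result


# Constructed sample data: two Observations the System recorded for the User.
RECORDED = [
    {"resourceType": "Observation", "id": "o1", "status": "final", "valueQuantity": {"value": 72}},
    {"resourceType": "Observation", "id": "o2", "status": "final", "valueQuantity": {"value": 8421}},
]
```

A download produced by `bundle_of(RECORDED)` passes; one that drops a resource or changes a value fails with the offending (type, id) pairs listed.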

Feature: The User Can Request That Some or All Their Data be Shared With Another User or a Third Party.

This feature enables users to share or not share data with others of their choosing.

Scenario: User Requests Sharing With Another User or Third Party.

A user shall be able to share data with others of their choosing.

GIVEN
A <User>
AND
Another <Party> (either user or third party)
AND
A <System> (an App or Infrastructure)
AND
<Data> has been recorded in/by <System>
WHEN
The <User> requests sharing of their data from <System> with <Party>
THEN
<Party> can access the current data.

Scenario: User Requests That Sharing Stop With the Other User or Third Party.

After a user requests that sharing stop, any data previously accessible shall no longer be accessible to the third party, and future data shall not be sent to that party.

NOTE: This specification does not speak to the access a third party has to data that it has previously received and/or stored. That is outside of the scope of this specification.

GIVEN
A <User>
AND
Another <Party> (either user or third party) with whom the user has chosen to share data
AND
A <System> (an App or Infrastructure)
AND
<Data> has been recorded in/by <System>
WHEN
The <User> requests that sharing of their data from <System> to <Party> stop
THEN
<Party> can no longer access the user data (both current and historical).