User Story Title | User Story Description | Acceptance Criteria |
---|---|---|
Collect Single consent from new patients via mandatory checkbox on mobile app | As a data controller, I want to record consent to collect and process the data of patients the first time they log in / register in the mobile app via a checkbox | Implement mandatory checkbox at sign up<br>The user cannot submit the form until they tick the checkbox to show they accept the conditions for processing<br>Include link to privacy policy that opens in a new window<br>All form text including privacy policy link must be editable by admin<br>Record that the user ticked the checkbox in the backend (non-editable)<br>Record the timestamp when the user submitted the form in the backend (non-editable) |
Re-collect consent after signup from existing patients on mobile app NEW | As a data controller, I want to be able to re-collect consent to collect and process the data of patients should the purpose of processing change | Admin can trigger process in backend<br>Patient sees mandatory popup with link to new privacy policy on next login<br>The user cannot submit the form or continue to the app until they tick the checkbox to show they accept the conditions for processing<br>Include link to privacy policy that opens in a new window<br>All form text including privacy policy link must be editable by admin<br>Record that the user ticked the checkbox in the backend (non-editable)<br>Record the timestamp when the user submitted the form in the backend (non-editable) |
Collect T&C acceptance for therapist and backend admin web app NEW | As a data controller, I want to ensure the therapists accept the terms and conditions of processing the data of patients the first time they log in / register in the therapist web app via a toggle | Implement mandatory checkbox at sign up<br>The user cannot submit the form until they tick the checkbox to show they accept the conditions for processing<br>Include link to terms and conditions that opens in a new window<br>All form text including terms and conditions link must be editable by admin<br>Record that the user ticked the checkbox in the backend (non-editable)<br>Record the timestamp when the user submitted the form in the backend (non-editable) |
Recollect T&C acceptance for therapist and backend admin web app NEW | As a data controller, I want to be able to re-collect consent to collect and process the data of patients should the purpose of processing change | Admin can trigger process in backend<br>Patient sees mandatory popup with link to new privacy policy on next login<br>The user cannot submit the form or continue to the app until they toggle the setting to show they accept the conditions for processing<br>Include link to privacy policy that opens in a new window<br>All form text including privacy policy link must be editable by admin<br>Record the timestamp when the user submitted the form in the backend (non-editable) |
Permanent data deletion | As an admin, I want to be able to permanently delete a patient and any associated identifiable data from the system | User can find information on how to request data deletion via the privacy policy<br>Admin can trigger deletion process from backend<br>All personally identifiable data about the patient is deleted or irreversibly masked<br>Reports are not affected<br>System behaviour is not affected due to undefined references |
Data access request | As an admin, I want to be able to fulfill data access requests, by providing patients with a copy of all data collected about them within 72 hours of the request | User can find information on how to request access via the privacy policy<br>Admin can trigger export process from backend<br>All data is exported, including any personal information, message history, activity history, browsing behaviour, images etc.<br>Format: reuse schema.org definitions as much as possible, for either JSON or XML. If the data is simple enough, a CSV/XLS export would also be fine |
Implement link to privacy policy on mobile app NEW | As a patient, I want to get easy access to legal documentation about the use of my data and contact details via a link to the privacy policy in the app<br>PRIVACY & TERMS OF USE: <some text about how HI protects data><br>TERMS: Link to terms | |
Auto log out for therapist web app NEW | As a data controller, I want to ensure that data is protected by auto logging the therapists (and other users?) out of the system after X minutes of inactivity | |
Patient List for Global Admin | As a data controller, I want to ensure that patient data is protected in the patient list by hiding selected Personally identifiable information (PII) and Sensitive personal information (SPI) in the data table, so that the Global admin can still use this information for research | |
Patient List for Global Admin | As a data controller, I want to ensure that therapist data is protected in the patient list by hiding selected Personally identifiable information (PII) and Sensitive personal information (SPI) in the data table, so that the Global admin can still use this information for research | |
Collect Granular Consent from new patients via toggle settings | As a data controller, I want to record granular consent to collect and process the data of patients the first time they log in / register in the mobile app via two check boxes. | Implement mandatory checkbox at sign up<br>Implement optional non-mandatory checkbox at sign up<br>Include link to privacy policy that opens in a new window<br>All form text including privacy policy link must be editable by admin<br>Record which checkboxes the user checked in the backend (non-editable)<br>Record the timestamp when the user submitted the form in the backend (non-editable)<br>Record which version of the privacy policy the patient consented to |
Collect implied consent via submit button | As a data controller, I want to record consent to collect and process the data of patients the first time they log in / register in the mobile app via submitting the form only (no checkbox) | Include link to privacy policy that opens in a new window<br>All form text including privacy policy link must be editable by admin<br>Record the timestamp when the user submitted the form in the backend (non-editable)<br>Record which version of the privacy policy the patient consented to |
Allow user to give or withdraw granular consent inside the app | As a data controller, I want to allow patients to give or withdraw their consent from certain processing activities<br>Assuming two reasons for processing:<br>Tele-rehabilitation services<br>Inform research (may be optional) | User can add / withdraw consent on a granular level via privacy dashboard<br>If the patient removes consent for tele-rehabilitation services → patient must not be able to use the app general usage features (tele-rehabilitation), but still needs to access privacy controls?<br>If the patient removes consent for research → data must not be included in reports<br>If patient removes consent from both → account deletion process is triggered<br>Record consent history of user |
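
The consent stories above (non-editable record, timestamp, policy version, re-collection after a policy change, granular withdrawal) can be modelled as an append-only ledger from which the current state is derived. This is an added example, not code from the project: `ConsentLedger`, the purpose identifiers and the returned state strings are hypothetical names, the in-memory list stands in for the backend store, and it assumes the open question in the last story is answered with "privacy controls stay reachable".

```python
from dataclasses import dataclass
from datetime import datetime, timezone

PURPOSES = ("tele_rehabilitation", "research")  # assumed names for the two purposes
@dataclass(frozen=True)  # frozen: a recorded event cannot be edited afterwards
class ConsentEvent:
    patient_id: str
    purpose: str
    granted: bool
    policy_version: str
    recorded_at: datetime  # set by the backend, never taken from the client

class ConsentLedger:
    """Append-only consent history (in-memory stand-in); state is derived from it."""
    def __init__(self):
        self._events = []

    def record(self, patient_id, purpose, granted, policy_version):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = ConsentEvent(patient_id, purpose, granted, policy_version,
                             datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def history(self, patient_id):
        return tuple(e for e in self._events if e.patient_id == patient_id)

    def current(self, patient_id):
        state = {p: None for p in PURPOSES}  # None: no decision recorded yet
        for event in self.history(patient_id):
            state[event.purpose] = event  # latest decision per purpose wins
        return state

    def access(self, patient_id, live_policy_version):
        state = self.current(patient_id)
        granted = {p: bool(e and e.granted) for p, e in state.items()}
        ever_granted = any(e.granted for e in self.history(patient_id))
        if ever_granted and not any(granted.values()):
            return "trigger_deletion"       # consent withdrawn from both purposes
        if not granted["tele_rehabilitation"]:
            return "privacy_controls_only"  # app features blocked
        if state["tele_rehabilitation"].policy_version != live_policy_version:
            return "reconsent_required"     # policy changed since consent was given
        return "full"

    def include_in_reports(self, patient_id):
        event = self.current(patient_id)["research"]
        return bool(event and event.granted)
```

A withdrawal is stored as a new event rather than an update, so the full consent history survives for audit even after the current state changes.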