Data Protection Requirements

User Story Title	User Story Description	Acceptance Criteria

User Story Title	User Story Description	Acceptance Criteria
Collect Single consent from new patients via mandatory checkbox on mobile app	As a data controller, I want to record consent to collect and process the data of patients the first time they login / register in the mobile app via a checkbox	Implement mandatory checkbox at sign up The user cannot submit the form until they tick the checkbox to show they accept the conditions for processing Include link to privacy policy that opens in a new window All form text including privacy policy link must be editable by admin Record that the user ticked the checkbox in the backend (non-editable) Record the timestamp when the user submitted the form in the backend (non-editable)
Re-collect consent after signup from existing patients on mobile app NEW	As a data controller, I want to be able to re-collect consent to collect and process the data of patients should the purpose of processing change	Admin can trigger process in backend Patient see mandatory popup with link to new privacy policy on next log in The user cannot submit the form or continue to the app until they tick the checkbox to show they accept the conditions for processing Include link to privacy policy that opens in a new window All form text including privacy policy link must be editable by admin Record that the user ticked the checkbox in the backend (non-editable) Record the timestamp when the user submitted the form in the backend (non-editable)
Collect T&C acceptance for therapist and backend admin web app NEW	As a data controller, I want to ensure the Therapists accept the terms and conditions of processing the data of patients the first time they login / register in the therapist web app via a toggle	Implement mandatory checkbox at sign up The user cannot submit the form until they tick the checkbox to show they accept the conditions for processing Include link to terms and conditions that opens in a new window All form text including terms and conditions link must be editable by admin Record that the user ticked the checkbox in the backend (non-editable) Record the timestamp when the user submitted the form in the backend (non-editable)
Recollect T&C acceptance for therapist and backend admin web app NEW	As a data controller, I want to be able to re-collect consent to collect and process the data of patients should the purpose of processing change	Admin can trigger process in backend Patient see mandatory popup with link to new privacy policy on next log in The user cannot submit the form or continue to the app until they toggle the setting to show they accept the conditions for processing Include link to privacy policy that opens in a new window All form text including privacy policy link must be editable by admin Record the timestamp when the user submitted the form in the backend (non-editable)
Permanent data deletion	As an admin, I want to be able to permanently delete a patient and any associated identifiable data from the system	User can find information on how to request data deletion via the privacy policy Admin can trigger deletion process from backend All personally identifiable data about the patient is deleted or irreversibly masked e.g. message history - deleted. Patient record - irreversibly masked Reports are not affected System behaviour is not affected due to undefined references
Data access request	As an admin, I want to be able to fulfill data access requests, by providing patients with a copy of all data collected about them within 72 hours of the request	User can find information on how to request access via the privacy policy Admin can trigger export process from backend All data is exported, including any personal information, message history, activity history, browsing behaviour, images etc. Format: reuse schema.org definitions as much as possible, for either JSON or XML. If the data is simple enough, a CSV/XLS export would also be fine
Implement link to privacy policy on mobile app NEW	As a patient, I want to get easy access to legal documentation about the use of my data and contact details via a link to the privacy policy in the app PRIVACY & TERMS OF USE <some text about how HI protects data> TERMS Link to terms	User can easily find and access a link to the privacy policy via their account settings
Auto log out for therapist web app NEW	As a data controller, I want to ensure that data is protected by auto logging the therapists (and other users?) out of the system after X minutes of inactivity	Therapist is logged out after X minutes of inactivity
Patient List for Global Admin	As a data controller, I want to ensure that patient data is protected in the patient list by hiding selected Personally identifiable information (PII) and Sensitive personal information (SPI) in the data table, so that the Global admin can still use these information for research
Patient List for Global Admin	As a data controller, I want to ensure that therapist data is protected in the patient list by hiding selected Personally identifiable information (PII) and Sensitive personal information (SPI) in the data table, so that the Global admin can still use these information for research
Collect Granular Consent from new patients via toggle settings	As a data controller, I want to record granular consent to collect and process the data of patients the first time they login / register in the mobile app via two check boxes.	Implement mandatory checkbox at sign up Implement optional non-mandatory checkbox at sign up Include link to privacy policy that opens in a new window All form text including privacy policy link must be editable by admin Record which checkboxes the user checked in the backend (non-editable) Record the timestamp when the user submitted the form in the backend (non-editable) Record which version of the privacy policy the patient consented to
Collect implied consent via submit button	As a data controller, I want to record consent to collect and process the data of patients the first time they login / register in the mobile app via submitting the form only (no checkbox)	Include link to privacy policy that opens in a new window All form text including privacy policy link must be editable by admin Record the timestamp when the user submitted the form in the backend (non-editable) Record which version of the privacy policy the patient consented to
Allow user to give or withdraw granular consent inside the app	As a data controller, I want to allow the patients be able to give or withdraw their consent from certain processing activities Assuming two reasons for processing Tele-rehabilitation services Inform research (may be optional)	User can add / withdraw consent on a granular level via privacy dashboard If the patient removes consent for tele-rehabilitation services → patient must not be able to use the app general usage features (tele-rehabilitation), but still needs to access privacy controls? If the patient removes consent for research → data must not be included in reports If patient removes consent from both → account deletion process is triggered Record consent history of user

Use user roles to restrict access to therapist and patient data
Data minimization is an important principle of the GDPR. Controllers and Processors are advised to hold only the necessary information they need to fulfil their purpose. The system should collect the minimum data needed
No exports of data possible from the system

Non-functional requirements related to general system design