GDPR, the EU law on data protection, takes effect today, and I realize that we probably need to do some things on the organizational side of OpenMRS to comply with it.
This is an interesting non-authoritative summary of what we might need to do:
Some things we might need to do:
- Determine whether our (non-)privacy policy is consistent with GDPR, and maybe make changes
- Introduce a consent form on id.openmrs.org
- Write an SOP for what to do if an EU citizen asks for access to all their own personal data
- Determine how to delete an OpenMRS ID (“right to be forgotten”) and write an SOP around this
- Start to keep a formal register with detailed descriptions of all procedures, purposes, etc. for which we process personal data
None of this sounds “fun”, but it’s important! Who is interested in helping look into this further and/or starting to implement some solutions?