Glossary
This is still a work in progress; please report any error or misleading description. You can also suggest entries.
Consent Management
Consent management is the ability to limit the usage of end-user data to the usage explicitly approved by the end-user, within the limits of the local laws. It is a legal constraint coming from the various data privacy laws. The consent management feature provided by DHP does not include the Consent Form; it only covers Data Access Control.
Consent Directive
A legally binding record of a “grantor” choice: the “Consent Directive Choice” for a “Consent Rules” for an end-user. It may require additional proof to be legally binding, such as an electronic signature or a wet signature. The execution of a “consent form” by the “grantee” creates a “consent directive”. Consent Directives are immutable.
Consent Directive Choice
Represents the “grantor” choice for a “Consent Rules” when a “consent form” is executed. It is a part of the “Consent Directive”. Possible values: granted, not granted, no information.
Consent Directive Proof
To be legally binding, a “Consent Directive Proof” may need to be attached to a “Consent Directive”. It is the “grantee”'s responsibility to capture and store the required proof. The proof could be a wet signature, an audio record of an oral agreement or an actual electronic signature from the grantor. The exact required proof is to be defined by the DPO.
Consent Form
A user interface used to capture the “grantor” choice for a given “Consent Rules”. It can be oral, written, digital, … Under most laws, a previous consent must be editable by the “grantor” in a “Self-service preference / Consent Center” interface.
Consent Granting
In the context of a “Consent Form”, the “grantor”'s act of granting a consent. The consent may have been withdrawn before, or never requested from the end-user.
Consent Recipient / Consent Recipient role
The entities executing the “purpose”: an entity receiving personal data, affected by the “Consent Directive”. Eg a Service Provider which needs to read some health data, or the DHP Platform which generates anonymous population statistics. The data controller is always a recipient.
Consent Rules
Identifies a list of “recipient” or “recipient role” which want to perform some “data scope action” for one or more “purpose” during a “date period” using a “data scope”. Links to a “Consent Statement”.
Consent Statement
Text describing the “Consent Rules” to the “grantor”; it typically contains a reference or link to the full legal agreement, often called Privacy Notice. It explains who asks for what, and to what end. It can be as simple as “I read and agree to the TOS (link to the TOS)”.
See also: Privacy Notice
Consent withdrawing
In the context of a “Consent Form”, the “grantor”'s act of withdrawing a previously granted consent.
Data Retention
GDPR Data Retention is the “date period” of the consent directive during which the data must be kept. After this date period, the data must be erased. Fulfilment of the “purpose” (i.e. when the reason for the data collection no longer exists) can also end the data retention.
Data Scope
The data covered by the scope of, and therefore controlled by, a consent. Data scopes have multiple dimensions: data category, sub data model, instance ids, and creation date period. Each dimension adds to the others, reducing the data scope. The Data Scope is defined as part of the Consent Rules for a given purpose.
Data Scope Action
A low-level, fine-grained action to be performed on a “data scope” by a “Consent Recipient”; the (list of) “data scope action” is required for the “recipient” to perform the “purpose”. Only possible values on DHP: READ or WRITE.
Data Scope Categories
A kind of Data Scope. A collection of various (sub) data models / business objects grouped by business scope. Eg “Medications”, “Diagnostics”, “Care Provision”, “Billing”, “Payment”.
See also: https://www.hl7.org/fhir/resourcelist.html
Data Scope Sub Data Model
A kind of fine-grained Data Scope. For a given data model, a subset of the data model, limiting the fields which can be accessed. This can be expressed as a FHIR profile or a JSON schema.
Date Period
A date period is a continuous time frame between two dates. The date range is defined by a “start” and an “end” date. “start” and “end” are expressed as absolute dates in UTC. The date can be partial. Both boundaries are fully included. The date period doesn’t have to “start” or “end” today. In a Consent Rules, a date period can be defined as a moving window, eg ending in 365 days. In a Consent Directive, absolute dates must be used.
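As an added example (not part of the glossary or of DHP's own code), the following models the Consent Rules, Data Scope, Data Scope Action, Date Period and Consent Directive entries above as a deny-by-default access check: a moving window from the rules is fixed into absolute dates when the directive is created, both period boundaries are inclusive, every scope dimension narrows the match, and only a choice of exactly “granted” allows access. The class and field names, the sample directive and the sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class DatePeriod:
    """Continuous time frame between two absolute dates, both included; None = open boundary."""
    start: Optional[date] = None
    end: Optional[date] = None
    def contains(self, day: date) -> bool:
        return (self.start is None or self.start <= day) and (self.end is None or day <= self.end)

    @staticmethod
    def fix_moving_window(today: date, days: int) -> "DatePeriod":
        """Consent Rules window ('ending in N days') fixed into the absolute dates a directive carries."""
        return DatePeriod(today, today + timedelta(days=days))

@dataclass(frozen=True)
class DataScope:
    """Each dimension further narrows the scope; None means no restriction on that dimension."""
    category: str                                  # e.g. "Medications"
    instance_ids: Optional[FrozenSet[str]] = None  # only these record ids
    creation_period: Optional[DatePeriod] = None   # only records created in this period
    def covers(self, record: dict) -> bool:
        return (record["category"] == self.category
                and (self.instance_ids is None or record["id"] in self.instance_ids)
                and (self.creation_period is None or self.creation_period.contains(record["created"])))

@dataclass(frozen=True)
class ConsentDirective:
    """Immutable record of the grantor's choice for one Consent Rules; dates are absolute."""
    end_user: str
    recipients: FrozenSet[str]  # recipients or recipient roles
    actions: FrozenSet[str]     # "READ" / "WRITE"
    purposes: FrozenSet[str]
    scope: DataScope
    period: DatePeriod
    choice: str                 # "granted" | "not granted" | "no information"

def is_allowed(d: ConsentDirective, recipient: str, action: str, purpose: str,
               record: dict, today: date) -> bool:
    """Deny by default: every dimension must match and the choice must be exactly 'granted'."""
    return (d.choice == "granted" and recipient in d.recipients and action in d.actions
            and purpose in d.purposes and d.scope.covers(record) and d.period.contains(today))

# Constructed sample: one-year READ consent on Medications created since 2020, for diagnosis.
SAMPLE = ConsentDirective("patient-42", frozenset({"service-provider-A"}), frozenset({"READ"}),
    frozenset({"health care diagnosis"}), DataScope("Medications", creation_period=DatePeriod(date(2020, 1, 1))),
    DatePeriod.fix_moving_window(date(2024, 1, 1), 365), "granted")
SAMPLE_RECORD = {"category": "Medications", "id": "m1", "created": date(2021, 6, 1)}
```

A production check would additionally consult the Data Retention period and log every decision for audit.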
Grantee
The (legal) entity which requested the consent from the “grantor” by means of a “consent form”, and which receives the “grantor” choice. The grantee must be a “(Co-) Data Controller [GDPR]”. Eg a Producer (but not a producer channel).
Grantor
The party who grants or withdraws a “consent directive” of an “end-user”. Usually the “end-user” themselves, but it can also be a “Grantor Delegate”.
Grantor Delegate
A “grantor” acting on behalf of the “end-user” as a representative or tutor with decision power. Do not confuse with an entity merely forwarding the decision of the grantor.
Purpose
Objective of the data processing activity. Business, commercial, or legal process. Eg “health care diagnosis”, “population research”.
Act on the Protection of Personal Information
Acronyms: APPI
Japanese Act on the Protection of Personal Information applies to any business entity or organization that handles or processes the personal information of Japanese citizens, irrespective of where a particular business or organization is physically located.
Aggregated Data
A kind of Derivated Data. High-level “population data”, obtained by combining individual data. Aggregate data are mainly used by researchers, data warehouses and analysts. Aggregate data are normally not impacted by data privacy law and consent once aggregated, but consent may be necessary to include the data in the aggregate.
Anonymisation
A kind of Derivated Data. The property of anonymised data which states that the individuals who are the subjects of the data cannot be re-identified.
British Data Protection Act
Acronyms: DPA
The British Data Protection Act substitutes for the GDPR after Brexit.
California Consumer Privacy Act
Acronyms: CCPA
American California Consumer Privacy Act of 2018. Applies only to California residents. (TBC)
Commission nationale de l'informatique et des libertés
Acronyms: CNIL
French Commission nationale de l'informatique et des libertés (no legislative power).
Consumer Data Right
Acronyms: CDR
The Australian Consumer Data Right applies to Australian citizens. (TBC)
Data Processor
As per GDPR, ‘processor’ means a legal person or other body which processes personal data on behalf of the data controller.
Derivated Data
Personal Data can be processed to derive other kinds of data sets or to change the characteristics of the Personal Data.
General Data Protection Regulation
Acronyms: GDPR
European General Data Protection Regulation from 2016. Applies to all companies operating on European territory. Most other legislation is inspired by the GDPR.
Health Insurance Portability and Accountability
Acronyms: HIPAA
American Health Insurance Portability and Accountability Act of 1996. Stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent.
Hébergeurs de Données de Santé
Acronyms: HDS
The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws.
HiTrust CSF
An American private company providing organizations globally with a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management. Its Common Security Framework is based on multiple existing frameworks, regulations and standards.
Inferred data
A kind of Derivated Data. Inferred data is information that was not collected, either passively or actively, from the end-users, but rather was inferred (ie calculated) using collected data or other inferred data. Eg: user segment, profile, interest weight, … GDPR does not impose the same constraints on inferred data as on “personal data [GDPR]”. Inferred data may nevertheless be considered PII.
ISO 27701
Its goal is to enhance the existing Information Security Management System (ISMS) with additional requirements for a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors.
loi informatique et liberté
Acronyms: LIL
French “loi informatique et liberté”, a law from 1978 regulating the storing and processing of personal data.
National Institute of Standards and Technology
Acronyms: NIST
American physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Publishes the "Guide for Applying the Risk Management Framework to Federal Information Systems". Does not provide certification, but it is used by some audit providers.
Office of Privacy and Open Government
Acronyms: OPOG
American Office of Privacy and Open Government
Personal Data
Personal Data, as per GDPR, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
See also: Personal Information, PII
[External Ref](https://gdpr.eu/article-4-definitions/) (point 1)
Pseudonymisation
A kind of Derivated Data. This substitutes the identity of the data subject with a surrogate identity, such that additional information is needed to be able to re-identify the subject. Pseudonymisation is reversible. Eg: tokenised data: replace the user Id by a hash of the user Id. Pseudonymised data are in the scope of data privacy law and consent.
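As an added example (not part of the glossary or of DHP's own code), the following contrasts the entry's “hash of the user Id” with a keyed pseudonym, and includes a control check showing why a plain hash of a guessable Id (sequential numbers, emails) can be recomputed without any “additional information”, so it does not meet the definition above. The key, the token-to-id table and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

def unkeyed_token(user_id: str) -> str:
    """The glossary's example taken literally: a plain hash of the user id."""
    return hashlib.sha256(user_id.encode()).hexdigest()

def keyed_token(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: reproducing it requires the secret key (the 'additional information')."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def recomputable_without_key(token: str, candidate_ids: Iterable[str]) -> Optional[str]:
    """Control check for a data protection review: can this token be reproduced from
    candidate ids alone? Returns the matching id if so, None otherwise."""
    for cid in candidate_ids:
        if hmac.compare_digest(unkeyed_token(cid), token):
            return cid
    return None

class Pseudonymiser:
    """Keeps the key and the token->id table apart from the pseudonymised data set, so the
    data controller can re-identify a subject while a recipient of the data set cannot."""
    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)   # constructed secret, stored separately
        self._lookup: dict = {}                       # token -> original user id

    def pseudonymise(self, record: dict) -> dict:
        token = keyed_token(record["user_id"], self._key)
        self._lookup[token] = record["user_id"]
        return {**record, "user_id": token}

    def re_identify(self, token: str) -> Optional[str]:
        """Reversal, only possible with access to the lookup table (or the key)."""
        return self._lookup.get(token)

# Constructed sample records with sequential, guessable ids.
SAMPLE_RECORDS = [{"user_id": "1001", "diagnosis": "A"}, {"user_id": "1002", "diagnosis": "B"}]
```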
Re-identification
The process of identifying a data subject inside an anonymized data set using a combination of known properties of the data subject.
Synthetic data
A population data set created through anonymisation or another computer generation process having a population distribution similar to a real data set. Synthetic data can be used to test processes without having access to real data protected by data privacy law.
Agile Release Train
Acronyms: ART
The Agile Release Train (ART) is a long-lived team of Agile teams, which, along with other stakeholders, incrementally develops and delivers solutions.
See also: Scrum Of Scrum, PO Sync, Product Increment
Epic (Business)
A Business Epic is a container for a significant Solution development initiative. Its business outcome is the measurable benefit the epic will bring.
See also: Enabler Epic
Epic Owners
Epic Owners are responsible for coordinating portfolio Epics through the Portfolio Kanban system. The Epic Owner should focus on the merits of the business case of a specific epic.
See also: Lean Portfolio Management
Feature (Business)
A Feature fulfills a business need. Each feature includes a benefit hypothesis and acceptance criteria and is sized or split as necessary to be delivered in a Program Increment (PI). Features and enablers are mapped to a parent Epic.
See also: Enabler Epic
Inspect and Adapt
Acronyms: I&A
The Inspect and Adapt (I&A) is a significant event, held at the end of each Program Increment (PI), where the current state of the Solution is demonstrated and evaluated by the train. Teams then reflect and identify improvement backlog items via a structured, problem-solving workshop.
See also: Sprint Review
Lean Portfolio Management
Acronyms: LPM
The Lean Portfolio Management competency aligns strategy and execution by applying Lean and systems thinking approaches to strategy and investment funding, Agile portfolio operations, and governance.
See also: Portfolio SAFe
Minimum viable product
Acronyms: MVP
A version of a new product which allows a team to collect the maximum amount of validated learning about customers with the least effort.
See also: Lean Startup
Portfolio SAFe
Portfolio SAFe aligns strategy with execution and organizes solution development around the flow of value through one or more value streams. It is essential to achieving Business Agility.
See also: Lean Portfolio Management, vision
Product Backlog Item
Acronyms: PBI
A Product Backlog Item (PBI) is the minimum piece of functionality that provides value to the product. It can be either a user story or a technical enabler development which fits in a Sprint. It is included in the Product Backlog and prioritized by the product owner.
See also: Iteration Backlog, Sprint, Product Backlog
Product Manager
Acronyms: PM
Product Management is responsible for defining and supporting the building of desirable, feasible, viable, and sustainable products that meet customer needs over the product-market lifecycle. They collaborate with a wide range of people to identify and define customer needs, and develop the Program Vision, Roadmap, and Features required to meet these needs.
See also: Product Owner
Product Owner
Acronyms: PO
The Product Owner (PO) is a member of the Agile Team responsible for defining Stories and prioritizing the Team Backlog to streamline the execution of program priorities. This role has significant relationships and responsibilities outside the local team, including working with Product Management, Customers, Business Owners, and other stakeholders.
See also: Product Management, Product Backlog
Program Increment
Acronyms: PI
A Program Increment (PI) is a timeboxed planning interval during which an Agile Release Train plans and delivers incremental value in the form of working, tested software and systems. A PI is a set of 4 Development Sprints followed by one Innovation and Planning (IP) Sprint.
See also: Program Increment Planning
Program Increment Planning
Acronyms: PI planning
PI Planning is a big-room event occurring before each PI, in order to align leadership, product management and development teams on a set of PI Objectives to achieve in the coming 5 Sprints (the PI).
See also: Program Increment
Proof of Concept
Acronyms: POC
Realization of a certain method or idea to demonstrate its feasibility, or a demonstration in principle, whose purpose is to verify that some concept or theory has the potential of being used. A proof of concept is usually small and may or may not be complete.
See also: Test And Learn, Innovation, Exploration
Scrum
Scrum is a team collaboration framework used in Agile project management for developing, delivering, and sustaining complex products.
See also: Scrum Master
Scrum master
Acronyms: SM
Team member acting as servant leader and coach for an agile team. Examples of responsibilities: models an agile mindset and educates the team on agile behaviours; removes impediments; fosters an environment for high-performing team dynamics; improves team performance by facilitating and challenging norms related to quality, communication, predictability, flow and velocity.
See also: Scrum
[External Ref](https://www.scaledagileframework.com/scrum-master/), [External Ref](https://www.scrum.org/resources/what-is-a-scrum-master)
Scrum of scrum
Acronyms: SoS
The Scrum of Scrums proceeds otherwise as a normal daily meeting, with ambassadors reporting completions, next steps and impediments on behalf of the teams they represent.
See also: PO Sync, Product Increment
Spike
Spikes are exploration enablers to gain the appropriate knowledge to reduce the risk of a technical approach, to better understand a requirement or to increase the reliability of an estimate.
See also: Product backlog, Test And Learn, Innovation, Exploration
Sprint
A Sprint is a timebox during which agile feature teams deliver incremental value on the product. Usually two weeks.
See also: Scrum, Iteration Backlog
User Acceptance Test
Acronyms: UAT
The last phase of the software testing process, which verifies whether the software is fit for the purpose it was built for. Do not confuse with the "UAT environment".
Vision
The Vision is a description of the future state of the Solution under development. It reflects customer and stakeholder needs, as well as the Feature and Capabilities proposed to meet those needs.
See also: Portfolio vision, solution vision
Weighted Shortest Job First
Acronyms: WSJF
Weighted Shortest Job First (WSJF) is a prioritization model used to sequence jobs (e.g., Features, Capabilities, and Epics) to produce maximum economic benefit. In SAFe, WSJF is estimated as the Cost of Delay (CoD) divided by job size.
Scaled Agile Framework
Acronyms: SAFe
SAFe is a knowledge base of proven, integrated principles, practices, and competencies for achieving business agility using Lean, Agile, and DevOps. SAFe has different "SAFe configurations" which include more or fewer elements.