Define compliance requirements for DCP Tier 0 data

[brianraymor]

Deliver requirements for Tier 0 data. Tier 0 data is data from deceased donors, as well as from healthy living individuals that has been consented for fully open access.

Demoable Criteria: Tier 0 requirements have been submitted as an Informational RFC in the dcp-community repo.

---

November 14 Update [stahiri]

The attorney work product that outlines tiers of data and associated draft requirements has been held for Compliance WG and GDPR TF final review/comment/approval. Once those approvals have been obtained, it will be linked in this ticket + released more broadly to the DCP community. Current estimated release is the 1st week of December.

October 7 Update [stahiri]
As discussed in the 10/3 PM meeting, this ticket is being overhauled to align with Shawn Liu's framework for deriving compliance requirements based on tiers of data segmented by consent form and disease status (from Jonah/JohnM’s data roadmap). Updates have been made accordingly.

Historical summary:
This ticket was originally scoped to define requirements and scenarios for managed access. Two RFCs were proposed and withdrawn to allow the effort of defining requirements to consolidate into the Compliance Working Group. The Compliance Working Group has defined 4 tiers of data (Compliance Working Group doc link will be shared this week) and advises that rolling out requirements per tier of data will allow the DCP to accept data with greater velocity.

[brianraymor]

@stahiri and @briandoconnor - would you please add a pointer to the work in progress RFC?

[mweiden]

Small update from this week's Compliance WG meeting: we should have a timeline for when the legal review from Bird & Bird will come, which will provide some clarity on requirements.

[kozbo]

Work in progress RFC for data access control in the data store:
https://docs.google.com/document/d/1D8y-u6Sk9zP5MsgRqwXThhhZF9qz2MlHBJaYCYDWcMg/edit#heading=h.c6d284dldnmr

[brianraymor]

Per the July 18 Refinement meeting, I requested clarification from the Project Leads on whether the GDPR review should block progress on understanding the requirements for this Informational RFC.

[brianraymor]

Laura's response:

The GDPR task force recommendations should not change the existing requirements needed to support data that requires managed access due to the consent they were collected under

The GDPR taskforce may both/either extend those requirements to more data and make additional requirements but are very unlikely to make doing the RFC and initial engineering spokes work this quarter to plan for existing managed access invalid

The GDPR task force recommendations are waiting for two things the DPIA from the compliance working group and the further answers/recommendations from the lawyers

[brianraymor]

@stahiri and @briandoconnor - the roadmap objective in the top-level summary comment indicates that the deliverable is Solidify our requirements and scenarios for our target end-user (draft an informational RFC) but the referenced work-in-progress added by @kozbo is ACLs for the Data Store? Can you advise on the scope of this issue and add more information on how this RFC is currently being developed?

[briandoconnor]

I asked Kevin to make sure the draft RFC aligns with the intent of this Roadmap Objective

[kozbo]

I have been working to understand and eventually combine the two draft RFCs that have been created. One is listed above, and the other is from Laura https://docs.google.com/document/d/1g_20xRCshmr5gmgr0OY64wW34r0DYxVRFpo6MhlXWkM/edit?pli=1#heading=h.43a8pp8ntlom