EIP-AHA Privacy Preferences for Active and Healthy Ageing

Version 1 · Aug. 2018

Table of Contents

Introduction

Notes on the Terms

GENERAL PERSONAL DATA

Personal identification data

Sensitive data

Personal contacts

Personal Calendar

MEDIA

Video

Audio

Photos

MEDICAL DATA

Medical reports

Emergency calls

Health-related data

SMART-HOME DATA

Security

Communication

Acknowledgments

Annex: Alphabetical List of EIP-AHA Privacy Preference Terms

Introduction

This document presents the main results of the collaborative work of the European Innovation Partnership on Active and Healthy Ageing (EIP-AHA) Action Groups C2 and D4 in the spring of 2018 on privacy preference terms for Active and Healthy Ageing (AHA).

User preferences on privacy settings are meant to complement data protection law, such as the European Union’s General Data Protection Directive (Directive 2016/679). This Directive (EU) regulates the processing of personal data relating to individuals in the EU by an individual, a company or an organisation. It does not apply to the processing of personal data of deceased persons or of legal entities. GDPR rules also do not apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for example for socio-cultural or financial activities, the data protection law has to be respected.

The EIP-AHA Privacy Preferences are not intended to replace or overlap these legislative rules, but to serve as a tool for collecting the user’s wishes on how their data are processed across application and platform borders. This means that a user’s personal privacy settings may restrict a system’s data processing further than data protection laws would require. Conversely, data protection laws must always be observed, regardless of a user’s personal privacy preferences.

This set of 31 privacy preference terms (called EIP-AHA Privacy Preference Terms) is based on a set of 15 AHA use cases, assembled by the working group from various sources. Each EIP-AHA Privacy Preference Term addresses a specific privacy setting that occurs in one or multiple use cases. In determining a user’s preferred collection of privacy settings, a system has to ask the user some relevant “privacy setup questions”, or let the user choose between a set of pre-defined privacy settings (e.g. represented as personas), or both.

Notes on the Terms

The privacy preference terms are structured along categories and sub-categories, as outlined in the headings below. Categories are written in capital letters (e.g. “GENERAL DATA”), sub-categories in lower-case letters, except for the first character (e.g. “Personal identification data”).

For every term, the following information is given:

·       Term name: Unique name of the term, for reference. The prefix “eip-aha.” is prepended, to make the terms globally unique. If needed, a simple label for a term can be derived by removing the prefix. Note that, although a term can only have one name, there may be multiple labels for one term, including in multiple languages.

·       Term definition: A textual definition of the term.

·       Value space: A technical definition of the term’s value space, i.e. its allowed values.

o   The value “Undefined” means that the user has no preferred choice. In this case, the system should ask the user for their preference every time (e.g. on installation of the service, or when an immediate need arises).

o   The default value is “Undefined” for terms with a value space of String, and a collection with a single element of string “Undefined” for terms with a value space of a collection of Strings.

o   For any term that takes a set of values, an empty set means that none of the pre-defined values applies.

o   For some values, clarifications are added in parentheses, e.g. “Undefined (can only occur alone)”. These clarifications are not part of the pre-defined value.

·       Setup question: This is a suggested question to the user that may be included in a system’s setup dialog. Systems may use other wordings and inquiry methods, as long as the original intention of the question is maintained.

Some privacy settings (not listed here) have been identified as out of scope for the EIP-AHA Common Privacy Preference Terms for the following reasons:

·       Application-specific settings: Users would typically want to set such privacy restrictions individually for every application. For example, how often a medical report should be generated is an issue specific to a particular type of medical system.

·       Settings that are governed by law: Users cannot decide these themselves; providers need to observe the law. For example, regarding how long a user’s data may be stored on a server, the law requires that the data be kept only as long as needed for the intended purpose.

GENERAL PERSONAL DATA

Personal identification data

Term name

eip-aha.HomeAddressReceivers

Term definition

A set of pre-defined categories of services/organizations that may obtain the user’s home address on request.

Value space

Collection of strings, with 0 or more of the following values:

·       DeliveryService

·       TransportService

·       MedicalService

·       EmergencyService

·       EmergencyServiceInEmergencyOnly

·       Police

·       PoliceInEmergencyOnly

·       Undefined (can only occur alone)

Setup question

Who may obtain your home address?

Sensitive data

Term name

eip-aha.PersonalInformationTypesExposed

Term definition

A matrix (mapping of pre-defined data categories to pre-defined person/service categories) indicating which personal information items the system may expose openly when other persons are present.

Notes:

·       Any data category that is missing in the matrix is assumed to be “undefined”.

·       If a system cannot identify the persons who are present, it can only expose the information if the category “Everybody” is specified for it.

Value space

Mapping (e.g. hash table) of strings (keys) to collections of strings (values), as follows:

·       Keys: One of the following values:

o   Appointment

o   MedicalAppointment

o   HealthData

o   Medication

o   SurveillanceVideo

o   SurveillanceAudio

·       Values: Collection of 0 or more strings of the following values:

o   PersonOfConfidence

o   CloseRelative

o   Relative

o   Roommate

o   HouseholdMember

o   CloseResident

o   Friend

o   Doctor

o   Nurse

o   Pharmacy

o   HealthCareServiceCenter

o   EmergencyCallCenter (always)

o   EmergencyCallCenterInEmergencyOnly

o   LivingQuarterHeadOffice

o   EverybodyInContactList

o   Everybody

o   Undefined (can only occur alone)

Setup question

What kind of information may the system present to you if other persons are present (physically or remotely, e.g. by phone, Skype)?
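As an added example (not part of the EIP-AHA document), the following Python code applies the value-space rules from “Notes on the Terms” (“Undefined” only alone, empty set means none applies, the “Undefined” default) and the two notes on the PersonalInformationTypesExposed matrix above. All function names are invented here; the rule that every identified person present must be a permitted receiver, and that the term does not apply when nobody else is present, are assumptions the page does not state.

```python
from typing import Iterable, Mapping, Optional, Set

UNDEFINED = "Undefined"
DEFAULT_COLLECTION = (UNDEFINED,)   # default value of a collection-valued term

# Value spaces copied from the page; clarifications in parentheses are not part of a value.
HOME_ADDRESS_RECEIVERS = {
    "DeliveryService", "TransportService", "MedicalService", "EmergencyService",
    "EmergencyServiceInEmergencyOnly", "Police", "PoliceInEmergencyOnly", UNDEFINED,
}
PERSONAL_CONTACTS_STORE = {"Local", "Cloud", UNDEFINED}  # this term needs 1 or more values
EXPOSURE_KEYS = {"Appointment", "MedicalAppointment", "HealthData",
                 "Medication", "SurveillanceVideo", "SurveillanceAudio"}
EXPOSURE_VALUES = {
    "PersonOfConfidence", "CloseRelative", "Relative", "Roommate", "HouseholdMember",
    "CloseResident", "Friend", "Doctor", "Nurse", "Pharmacy", "HealthCareServiceCenter",
    "EmergencyCallCenter", "EmergencyCallCenterInEmergencyOnly", "LivingQuarterHeadOffice",
    "EverybodyInContactList", "Everybody", UNDEFINED,
}

def validate_collection(values: Iterable[str], allowed: Set[str], min_count: int = 0) -> list:
    """Check one collection-valued term; returns the list of violations (empty == valid)."""
    vals = list(values)
    problems = []
    if len(vals) < min_count:
        problems.append(f"at least {min_count} value(s) required")
    unknown = sorted(v for v in vals if v not in allowed)
    if unknown:
        problems.append(f"unknown value(s): {unknown}")
    if UNDEFINED in vals and len(vals) > 1:   # "Undefined (can only occur alone)"
        problems.append(f"{UNDEFINED} can only occur alone")
    return problems

def validate_exposure_matrix(matrix: Mapping[str, Iterable[str]]) -> list:
    """Check an eip-aha.PersonalInformationTypesExposed matrix; keys may be missing."""
    problems = []
    for key, receivers in matrix.items():
        if key not in EXPOSURE_KEYS:
            problems.append(f"unknown data category: {key}")
            continue
        problems += [f"{key}: {p}" for p in validate_collection(receivers, EXPOSURE_VALUES)]
    return problems

def exposure_decision(matrix: Mapping[str, Iterable[str]], category: str,
                      present: Optional[Set[str]], in_emergency: bool = False) -> str:
    """Return 'allow', 'deny' or 'ask' for showing `category` while `present` persons are around.
    `present` holds the identified person categories; None means the system cannot identify
    who is present. Assumed rule: every identified person must be a permitted receiver."""
    receivers = matrix.get(category)
    if receivers is None or list(receivers) == [UNDEFINED]:
        return "ask"        # a missing key counts as undefined: consult the user
    receivers = set(receivers)
    if "Everybody" in receivers:
        return "allow"
    if present is None:
        return "deny"       # unidentified persons: only "Everybody" permits exposure
    # EmergencyCallCenterInEmergencyOnly authorises the call centre only during an emergency.
    if in_emergency and "EmergencyCallCenterInEmergencyOnly" in receivers:
        receivers.add("EmergencyCallCenter")
    # EverybodyInContactList would need a contact-list lookup, which is not modelled here.
    return "allow" if present <= receivers else "deny"   # empty `present`: nobody else around
```

A system would run the validators when the setup dialog stores a preference set and call the decision helper each time it is about to display one of the matrix categories.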

 

Term name

eip-aha.CurrentLocationReceivers

Term definition

A set of pre-defined categories of services that may receive the user’s current geographical location.

Value space

Collection of strings, with 0 or more of the following values:

·       LocalNavigationApp (no cloud upload)

·       CloudNavigationService

·       LocalNotificationApp (no cloud upload)

·       CloudNotificationService

·       LocalHealthMonitoring (no cloud upload)

·       CloudHealthMonitoringServices

·       LocalEmergencyApp (no cloud upload)

·       CloudEmergencyServiceInEmergencyOnly (location is only transferred in an emergency case)

·       CloudEmergencyService (location is always available)

·       Undefined (can only occur alone)

Setup question

Who may read your current location?

Term name

eip-aha.PastLocationsReceivers

Term definition

A set of pre-defined categories of services/organizations that may receive the user’s past geographical location.

Value space

Collection of strings, with 0 or more of the following values:

·       LocalNavigationApp (no cloud upload)

·       CloudNavigationService

·       LocalNotificationApp (no cloud upload)

·       CloudNotificationService

·       LocalHealthMonitoring (no cloud upload)

·       CloudHealthMonitoringService

·       LocalEmergencyApp (no cloud upload)

·       CloudEmergencyServiceInEmergencyOnly (past locations are only transferred in an emergency case)

·       CloudEmergencyService (past locations are always available)

·       Undefined (can only occur alone)

Setup question

Who may read your past locations?

Personal contacts

Term name

eip-aha.PersonalContactsStoreLocations

Term definition

A set of pre-defined categories of storage locations where the user’s personal contacts may be stored.

Value space

Collection of strings, with 1 or more of the following values:

·       Local (no cloud upload)

·       Cloud

·       Undefined

Setup question

Where may your contact list be saved?

Personal Calendar

Term name

eip-aha.PersonalCalendarReceivers

Term definition

A set of pre-defined categories of services/organizations that may read the user’s calendar.

Value space

Collection of strings, with 0 or more of the following values:

·       LocalNavigationApp (no cloud upload)

·       CloudNavigationService

·       LocalNotificationApp (no cloud upload)

·       CloudNotificationService

·       Undefined (can only occur alone)

Setup question

Who may read your personal calendar?

MEDIA

Video

Note: Terms referencing “video” refer to visual streaming only (no audio). For video+audio streaming, two settings (one referencing “video” and one referencing “audio”) must be consulted. See also the next section on “Audio”.

Term name

eip-aha.VideoMonitoringLocations[1]

Term definition

A set of pre-defined categories of locations where the user may be monitored by video.

Value space

Collection of strings, with 0 or more of the following values:

·       AtHome

·       AtOtherPersonsHome

·       AtPublicPlace[2]

·       Undefined (can only occur alone)

Setup question

Where do you allow being monitored on video?

Term name

eip-aha.VideoRecordingLocations[1]

Term definition

A set of pre-defined categories of locations where the user may be recorded by video.

Value space

Collection of strings, with 0 or more of the following values:

·       AtHome

·       AtOtherPersonsHome

·       AtPublicPlace[2]

·       Undefined (can only occur alone)

Setup question

Where do you allow being recorded on video, i.e. the video being stored for later use?

Term name

eip-aha.VideoMonitoringCircumstances[3]

Term definition

A set of pre-defined categories of circumstances under which the user may be monitored by video.

Value space

Collection of strings, with 0 or more of the following values:

·       WhenPersonOfConfidencePresent

·       WhenCloseRelativePresent

·       WhenRelativePresent

·       WhenRoommatePresent

·       WhenCloseResidentPresent

·       WhenFriendPresent

·       WhenDoctorPresent

·       WhenNursePresent

·       WhenDressed

·       WhenNaked

·       InKitchen

·       InBathroom

·       InBedroom

·       InOtherRooms

·       WhenCooking

·       WhenWatchingTV

·       WhenSleeping

·       AfterFalling

·       InEmergencyCase

·       VideoConference

·       FaceRecognition

·       LipReading (e.g. for support of voice input)

·       Undefined (can only occur alone)

Setup question

Under which circumstances may the system monitor you by video?

Term name

eip-aha.VideoRecordingCircumstances[3]

Term definition

A set of pre-defined categories of circumstances under which the user may be recorded by video.

Value space

Collection of strings, with 0 or more of the following values:

·       WhenPersonOfConfidencePresent

·       WhenCloseRelativePresent

·       WhenRelativePresent

·       WhenRoommatePresent

·       WhenCloseResidentPresent

·       WhenFriendPresent

·       WhenDoctorPresent

·       WhenNursePresent

·       WhenDressed

·       WhenNaked

·       InKitchen

·       InBathroom

·       InBedroom

·       InOtherRooms

·       WhenCooking

·       WhenWatchingTV

·       WhenSleeping

·       AfterFalling

·       InEmergencyCase

·       VideoConference

·       FaceRecognition

·       LipReading (e.g. for support of voice input)

·       Undefined (can only occur alone)

Setup question

Under which circumstances may the system record you by video, i.e. store the video for later use?

Term name

eip-aha.VideoMonitoringVisualisation[4]

Term definition

A pre-defined visualisation type for video monitoring.

Value space

String with one of the following values:

·       RealImage

·       Blurred

·       Pixelated

·       Silhouette

·       VirtualAvatar

·       Undefined

Setup question

How do you want your image to be monitored by video?

Term name

eip-aha.VideoRecordingVisualisation[4]

Term definition

A pre-defined visualisation type for video recording.

Value space

String with one of the following values:

·       RealImage

·       Blurred

·       Pixelated

·       Silhouette

·       VirtualAvatar

·       Undefined

Setup question

How do you want your image to be recorded by video? In other words, how should your image look on the stored video?

Audio

Term name

eip-aha.AudioMonitoringLocations[5]

Term definition

A set of pre-defined categories of locations where the user may be monitored by audio.

Value space

Collection of strings, with 0 or more of the following values:

·       AtHome

·       AtOtherPersonsHome

·       AtPublicPlace[6]

·       Undefined (can only occur alone)

Setup question

Where do you allow being monitored by audio?

Term name

eip-aha.AudioRecordingLocations[5]

Term definition

A set of pre-defined categories of locations where the user may be recorded by audio.

Value space

Collection of strings, with 0 or more of the following values:

·       AtHome

·       AtOtherPersonsHome

·       AtPublicPlace[6]

·       Undefined (can only occur alone)

Setup question

Where do you allow being recorded by audio, i.e. the audio being stored for later use?

Term name

eip-aha.AudioMonitoringCircumstances[7]

Term definition

A set of pre-defined categories of circumstances under which the user may be monitored by audio.

Value space

Collection of strings, with 0 or more of the following values:

·       WhenPersonOfConfidencePresent

·       WhenCloseRelativePresent

·       WhenRelativePresent

·       WhenRoommatePresent

·       WhenCloseResidentPresent

·       WhenFriendPresent

·       WhenDoctorPresent

·       WhenNursePresent

·       InKitchen

·       InBathroom

·       InBedroom

·       InOtherRooms

·       WhenCooking

·       WhenWatchingTV

·       WhenSleeping

·       AfterFalling

·       InEmergencyCase

·       AudioConference

·       VoiceRecognition

·       VoiceInput

·       Undefined (can only occur alone)

Setup question

Under which circumstances may the system monitor you by audio?

Term name

eip-aha.AudioRecordingCircumstances[7]

Term definition

A set of pre-defined categories of circumstances under which the user may be recorded by audio.

Value space

Collection of strings, with 0 or more of the following values:

·       WhenPersonOfConfidencePresent

·       WhenCloseRelativePresent

·       WhenRelativePresent

·       WhenRoommatePresent

·       WhenCloseResidentPresent

·       WhenFriendPresent

·       WhenDoctorPresent

·       WhenNursePresent

·       InKitchen

·       InBathroom

·       InBedroom

·       InOtherRooms

·       WhenCooking

·       WhenWatchingTV

·       WhenSleeping

·       AfterFalling

·       InEmergencyCase

·       AudioConference

·       VoiceRecognition

·       VoiceInput

·       Undefined (can only occur alone)

Setup question

Under which circumstances may the system record you by audio, i.e. store the audio for later use?

Photos

Term name

eip-aha.PhotosReceivers

Term definition

A set of pre-defined categories of persons who may receive the user’s photos.

Value space

Collection of strings, with 0 or more of the following values:

·       PersonOfConfidence

·       CloseRelative

·       Relative

·       Roommate

·       CloseResident

·       Friend

·       Doctor

·       Nurse

·       Pharmacy

·       HealthCareServiceCenter

·       EmergencyCallCenter (always)

·       EmergencyCallCenterInEmergencyOnly

·       LivingQuarterHeadOffice

·       EverybodyInContactList

·       Everybody

·       Undefined (can only occur alone)

Setup question

Who may access your photos?

Term name

eip-aha.PhotosSharingPurposes

Term definition

A set of pre-defined categories of purposes (or services) for which the user’s photos may be accessed.

Value space

Collection of strings, with 0 or more of the following values:

·       SocialSharing

·       TechnicalAssistance

·       Caregiver

·       Insurance

·       Undefined (can only occur alone)

Setup question

For which purposes may your photos be accessed?

MEDICAL DATA

Medical reports

Term name

eip-aha.MedicalReportReceivers

Term definition

A set of pre-defined categories of services/organizations that may access the user’s medical reports.

Value space

Collection of strings, with 0 or more of the following values:

·       Doctor

·       Nurse

·       Pharmacy

·       HealthCareService

·       EmergencyCallCenter

·       EmergencyCallCenterInEmergencyOnly

·       Undefined (can only occur alone)

Setup question

Who may receive your medical report?

Emergency calls

Term name

eip-aha.EmergencyCaseNotificationReceivers

Term definition

A set of pre-defined categories of services/organizations that may be notified when the user is in an emergency case.

Value space

Collection of strings, with 0 or more of the following values:

·       PersonOfConfidence

·       CloseRelative

·       Relative

·       Roommate

·       HouseholdMember

·       CloseResident

·       Friend

·       Doctor

·       Nurse

·       Pharmacy

·       HealthCareServiceCenter

·       EmergencyCallCenter (always)

·       EmergencyCallCenterInEmergencyOnly

·       LivingQuarterHeadOffice

·       EverybodyInContactList

·       Everybody

·       Undefined (can only occur alone)

Setup question

Who may be notified in case of an emergency?

Term name

eip-aha.EmergencyCaseAudioDropIn

Term definition

A set of pre-defined categories of services/organizations that may drop in on the user by audio in an emergency case without confirmation.

Value space

Collection of strings, with 0 or more of the following values:

·       PersonOfConfidence

·       CloseRelative

·       Relative

·       Roommate

·       CloseResident

·       Friend

·       Doctor

·       Nurse

·       Pharmacy

·       HealthCareServiceCenter

·       EmergencyCallCenter (always)

·       EmergencyCallCenterInEmergencyOnly

·       LivingQuarterHeadOffice

·       EverybodyInContactList

·       Everybody

·       Undefined (can only occur alone)

Setup question

Who may drop in on you for an audio call in an emergency case (without confirmation)?

Term name

eip-aha.EmergencyCaseVideoDropIn

Term definition

A set of pre-defined categories of services/organizations that may drop in on the user by video in an emergency case without confirmation.

Value space

Collection of strings, with 0 or more of the following values:

·       PersonOfConfidence

·       CloseRelative

·       Relative

·       Roommate

·       HouseholdMember

·       CloseResident

·       Friend

·       Doctor

·       Nurse

·       Pharmacy

·       HealthCareServiceCenter

·       EmergencyCallCenter (always)

·       EmergencyCallCenterInEmergencyOnly

·       LivingQuarterHeadOffice

·       EverybodyInContactList

·       Everybody

·       Undefined (can only occur alone)

Setup question

Who may drop in on you for a video call in an emergency case (without confirmation)?

Health-related data

Term name

eip-aha.HealthDataMonitored[8]

Term definition

A set of pre-defined categories of health data that may be monitored.

Value space

Collection of strings, with 0 or more of the following values:

·       HeartRate

·       BloodPressure

·       SkinConductance

·       BodyTemperature

·       BloodSugarLevel

·       BodyWeight

·       Gait

·       BathroomUsage

·       BodyMovement

·       FoodIntake

·       SleepMonitoring

·       EmotionalPsychosocialStatus

·       Undefined (can only occur alone)

Setup question

Which of your health-related data may be monitored?

Term name

eip-aha.HealthDataRecorded[8]

Ter