The EPI framework: A data privacy by design framework to support healthcare use cases

Open Access
Authors
Publication date 04-2025
Journal Future Generation Computer Systems
Article number 107550
Volume | Issue number 165
Number of pages 16
Organisations
  • Faculty of Economics and Business (FEB) - Amsterdam Business School Research Institute (ABS-RI)
  • Faculty of Science (FNWI) - Informatics Institute (IVI)
Abstract
Data sharing is key to enabling data analysis and research advancement, and that is especially true in healthcare. Due to the inherent sensitivity of health data, institutions are still wary of sharing their data, especially given the increasing number of breaches in recent years and the strict privacy legislation involved (GDPR, HIPAA, etc.). Privacy and security concerns exist when making data available for use or processing.
To tackle these concerns, we initially incorporate Privacy by Design (PbD) principles. This informs our approach to constructing a data-sharing framework that aligns with said principles. Subsequently, we introduce examples of data-centric use cases requiring support, followed by the delineation of the computation events model and the data properties intrinsic to a use case. Furthermore, to gain insight into the potential privacy risks associated with executing a workflow request, we expand upon the privacy threat assessment model to quantitatively evaluate the risks of data linkability, identifiability, non-repudiation, detectability, unintended disclosure, indulgence, and policy & consent noncompliance. Subsequently, we construct a framework, the EPI framework, aimed at mitigating these identified risks by adhering to PbD properties and provisioning extra services.
Document type Article
Note With supplemental information
Language English
Published at https://doi.org/10.1016/j.future.2024.107550
Other links https://www.scopus.com/pages/publications/85210119676
Downloads
The EPI framework (Final published version)
Supplementary materials