The Tees Confidentiality Model: mechanisms for implementing the sealed envelope.

This paper offers mechanisms capable of implementing the authorization functionality to be supported by the NHS Care Records Service. The patient-confidentiality model for the Care Records Service includes restricting access to data by placing the data in a Sealed Envelope; providing access to data based on Legitimate Relationship, and other concepts; and the overriding of access restrictions in extraordinary or emergency situations. We informally show through examples how the Tees Confidentiality Model, a sophisticated model of authorization, can be used to implement Care Records Service authorization functionality to the level currently proposed, and also to much greater levels if they ever were to be required. The mechanisms discussed include using a range of permission types, called Confidentiality Permission Types; processing Confidentiality Permissions in a defined order according to complexity of type; using negative permissions to deny access; and providing override mechanisms for negative permissions.