[License-review] Request for approval by license steward: Tidepool Open Access to Health Data Software License

Josh Berkus josh at postgresql.org
Mon Oct 7 17:08:30 UTC 2013

>>> (C) Open Health Data.  You must ensure that the Health Data remains
>>> Open to its Data Owner for a period of three years after the Health
>>> Data is first generated.
>> Why three years?  And what's the definition of "first generated"?
> The intent is "first generated by your body and collected by the device/sensor that gathered it from your body." 
> We are definitely open to suggestions for wording here.

Yes, but why 3 years?  Why not more, or less, or indefinite?

The problem with the "first generated" concept is that it's very hard to
measure and invites hairsplitting debates.  Effectively, the clause
above is imposing a data retention burden on the Licensee which could be
unreasonable, and could contradict local or national law, and is hard to
interpret to boot.  Also, it invites the circumstance where a patient's
data is kept indefinitely by the Licensee, but is only available to the
Owner for 3 years.  It's not like Health Data loses its usefulness after
3 years.

I suggest this instead:

(C) Open Health Data.  You must ensure that the Health Data remains Open
to its Data Owner for as long as the Health Data exists on Your System*
in readable form.

* Your System: computer servers, personal or mobile software
applications, and/or medical devices, whether designed, owned and/or
controlled by You or your organizational partners, successors and
assignees, on which any part of the Software is running or onto which
systems running the Software have copied or transmitted data.

... in other words, if the Licensee can read the data, the Owner must be
able to read the data, but the Licensee can destroy the data for
regulatory, upgrade, or cost reasons.  Also, no getting around this
requirement by copying the data to a 3rd-party "partner" server.

Of course, a lawyer would need to wordsmith this, but I think it strikes
a better balance of patient rights and developer requirements.

--Josh Berkus
