The principle of consent and the rules used to interpret it are well entrenched --- they have evolved over centuries of clinical experience, and are supported by data protection law. In this section, we express them in the form of a security policy --- a set of principles governing which subject can access which object in a computer system. They contain nothing that is radically new, but rather restate commonsense principles in the modern language of computer security.
The policy covers clinical systems in general. Some clinicians will have extra requirements, and those who treat more than one identifiable patient at a time (such as paediatric psychiatrists, embryologists and human genome researchers) face particularly subtle dangers. For example, the access rights enjoyed by data subjects might enable one subject to discover information about another; there are also special legal requirements in many such cases. Designers of systems supporting such activities should seek further advice.
There are basically two ways to organise electronic clinical records. The first mirrors the existing paper-based system: each clinician keeps a record in her own computer (or manual filing system), and information passes between clinicians in the form of summaries (such as referral and discharge letters). The second assumes that each patient will have a single electronic file, which will be opened before birth, closed on autopsy, and contain everything of clinical interest in between.
In what follows, we shall start off by assuming the first paradigm, as it is prevalent in the actual practice of clinical medicine and is much simpler to deal with. Once we have developed a security policy for this case, we will discuss the other approach, which has been called `patient-based records' but in reality may mean keeping records in some central registry. We will finally look at compromise approaches such as keeping the detailed records in clinicians' systems but compiling a central summary with pointers to them.