Where two records with different access control lists correspond to the same patient, the only information flow permissible without further consent is from the less to the more sensitive record:
Principle 7: Information derived from record A may be appended to record B if and only if B's access control list is contained in A's.
The technical mechanisms needed to enforce such a principle are described in standard computer security texts such as Amoroso [Amo94]: a process's access control list should be set to the intersection of the access control lists of the records it has read, and it should only be able to write to a record whose access control list is included in its own.
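The following is an added illustration of that mechanism and is not code from the paper: a small reference monitor in which each clinician's session (the "process") starts unconstrained, has its effective access control list narrowed to the intersection of the lists of every record it reads, and may append to a record only when that record's list is contained in the session's effective list. The records, principals (`gp`, `practice_nurse`, `std_clinic`) and entries are constructed sample data chosen to make the sensitive record's list a subset of the general record's.

```python
from dataclasses import dataclass, field


class FlowViolation(Exception):
    """Raised when an append would move data to a record with a wider ACL."""


@dataclass
class Record:
    name: str
    acl: frozenset            # principals permitted to read this record
    entries: list = field(default_factory=list)


class Process:
    """One clinician's session. Its effective ACL only ever shrinks."""

    def __init__(self, user: str):
        self.user = user
        self.effective_acl = None   # None: nothing read yet, so no flow constraint

    def read(self, record: Record) -> list:
        if self.user not in record.acl:
            raise PermissionError(f"{self.user} is not on the ACL of {record.name}")
        # Effective ACL becomes the intersection of the ACLs of all records read.
        if self.effective_acl is None:
            self.effective_acl = record.acl
        else:
            self.effective_acl = self.effective_acl & record.acl
        return list(record.entries)

    def append(self, record: Record, text: str) -> None:
        if self.user not in record.acl:
            raise PermissionError(f"{self.user} is not on the ACL of {record.name}")
        # Principle 7: the target's ACL must be contained in the session's ACL,
        # so data can only flow towards records with equal or narrower access.
        if self.effective_acl is not None and not record.acl <= self.effective_acl:
            raise FlowViolation(
                f"{record.name} ACL {sorted(record.acl)} is wider than "
                f"effective ACL {sorted(self.effective_acl)}")
        record.entries.append(f"{self.user}: {text}")


def run_scenario() -> dict:
    """Constructed scenario: a general record and a narrower-ACL HIV test record."""
    general = Record("general", frozenset({"gp", "practice_nurse", "std_clinic"}))
    hiv = Record("hiv_test", frozenset({"gp", "std_clinic"}))
    general.entries.append("practice_nurse: routine blood pressure check")
    hiv.entries.append("std_clinic: HIV antibody test requested")
    results = {}

    # 1. Less sensitive -> more sensitive: permitted.
    session = Process("gp")
    session.read(general)
    session.append(hiv, "no interacting medication on general record")
    results["general_to_hiv"] = "allowed"

    # 2. More sensitive -> less sensitive: blocked by the flow check.
    session = Process("gp")
    session.read(hiv)
    try:
        session.append(general, "HIV test pending")
        results["hiv_to_general"] = "allowed"
    except FlowViolation:
        results["hiv_to_general"] = "blocked"

    # 3. After reading both, the effective ACL is their intersection.
    session = Process("gp")
    session.read(general)
    session.read(hiv)
    results["effective_acl_after_both"] = sorted(session.effective_acl)

    # 4. A principal absent from the ACL cannot read the record at all.
    try:
        Process("practice_nurse").read(hiv)
        results["nurse_reads_hiv"] = "allowed"
    except PermissionError:
        results["nurse_reads_hiv"] = "denied"

    results["hiv_entries"] = len(hiv.entries)
    results["general_entries"] = len(general.entries)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The check in `append` is deliberately on the record's access control list rather than on the user: the `gp` is on both lists and could legitimately read either record, but a session that has seen the sensitive record must not be allowed to copy its contents into the wider one, whether by design or by a mistaken cut-and-paste.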
Where two records with different access control lists correspond to the same patient, the hard question is whether the existence of the sensitive record will be flagged in the other one. This is one of the continuing dilemmas on which there is no consensus yet [GC95]. If the existence of hidden information is flagged, whether explicitly or by the conspicuous absence of parts of the record, then inferences can be drawn. For example, doctors in the Netherlands removed health records from computer systems whenever the patient was diagnosed with cancer. The result was that whenever insurers and pension funds saw a blank record, they knew that with high probability the subject was a cancer sufferer [Cae95]. Visible flags have also led to a UK case that is currently sub judice.
In the absence of flags, other problems arise. Suppose for example that a psychiatric outpatient goes for an AIDS test and requests that the result be kept secret. Before the result is known, the stress causes a breakdown and his psychiatrist marks him as no longer competent to see his records. However, the psychiatrist is unaware of the test and so does not tell the STD clinic of the patient's new status. It is not possible to solve this problem by having a world-readable register of which patients are currently not competent, as mental incapacity is both confidential and a function of circumstance. Another consequence of not flagging hidden data is that sufferers from Munchhausen's syndrome could be harder to detect and manage.
We expect that clinicians will decide in favour of discrete flags that indicate only the presence of hidden information. These will prompt the clinician to ask 'is there anything else which you could tell me that might be relevant?' once some trust has been established.
In any case, system developers should give careful consideration to the propagation of sensitivity properties through dependent records, and to the effects of this on system integrity.
Finally, there needs to be a mechanism for dealing with the release of data that have been made anonymous. As with the downgrading of information in multilevel systems, we will not incorporate this within the security policy model itself. We recommend however that releasing a record believed to be anonymous should require a deliberate act by the responsible clinician and should be logged.