The tees confidentiality model: Mechanisms for implementing the sealed envelope

Jim Longstaff, Mike Lockyer

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)


This paper offers mechanisms capable of implementing the authorization functionality to be supported by the NHS Care Records Service. The patient-confidentiality model for the Care Records Service includes restricting access to data by placing the data in a Sealed Envelope; providing access to data based on Legitimate Relationship, and other concepts; and the overriding of access restrictions in extraordinary or emergency situations. We informally show through examples how the Tees Confidentiality Model, a sophisticated model of authorization, can be used to implement Care Records Service authorization functionality to the level currently proposed, and also to much greater levels if they ever were to be required. The mechanisms discussed include using a range of permission types, called Confidentiality Permission Types; processing Confidentiality Permissions in a defined order according to complexity of type; using negative permissions to deny access; and providing override mechanisms for negative permissions.

Original languageEnglish
Pages (from-to)157-166
Number of pages10
JournalMedical Informatics and the Internet in Medicine
Issue number2
Publication statusPublished - 1 Jun 2005


Dive into the research topics of 'The tees confidentiality model: Mechanisms for implementing the sealed envelope'. Together they form a unique fingerprint.

Cite this