Appendix #02 — Personal Data Protection Regime under ARTERIA
Front: legal defense
ARTERIA's public traceability does NOT contradict the patient's habeas data right. It realizes it. The owner of the clinical record is the patient — the system operates from that premise.
Executive summary
ARTERIA operates on sensitive personal data (clinical history, clinical events, prescriptions, dispensing, adverse events) at national scale. This legal sensitivity is structural, not incidental. Any constitutional lawyer or data protection authority will legitimately ask: how do public traceability of financial flow + cryptographic identity of the professional coexist with the legal confidentiality of health data + the patient's habeas data right?
The answer is architectural, not rhetorical. ARTERIA implements privacy by design: public traceability operates on dissociated and aggregated metadata, not on identities + clinical content. The patient's sensitive personal data is encrypted with the patient's own hardware-bound cryptographic key, accessible only by the patient and by those the patient explicitly authorizes. Neither the State, nor the operating foundation, nor the Ministry can read a patient's clinical record without the patient's authorization or a qualified judicial order.
Fundamental structural guarantee: ARTERIA makes the patient's data protection stronger than the current system. Today, clinical records live in vulnerable physical files or in databases opaquely managed by EPS (health insurers) and IPS (health providers) without cryptographic verification or access traceability. ARTERIA inverts the asymmetry — the patient is the technical and legal owner of their data, and any access is immutably recorded.
§1. Applicable legal framework in force
| Norm | Function |
|---|---|
| Political Constitution art. 15 | Habeas data as a fundamental right — every person may know, update, and rectify the information collected about them in databases |
| Law 1266 of 2008 | Financial habeas data — regime for commercial and financial information on persons |
| Law 1581 of 2012 | General Personal Data Protection Law |
| Decree 1377 of 2013 | Partial regulation — authorization, transfer, international transmission, duty of confidentiality |
| Decree 886 of 2014 | National Registry of Databases before SIC |
| Resolution 1995 of 1999 (modified by Res. 839/2017) | Handling, custody, minimum 15-year retention, preservation of clinical history |
| Law 2015 of 2020 | Interoperable Electronic Clinical History (HCEI) — specific legal framework |
| Resolution 866 of 2021 | HCEI regulation — operational implementation |
| Law 1098 of 2006 | Reinforced protection of minors' data |
| Statutory Law 1751 of 2015 (Statutory Health Law) | Confidentiality + patient rights |
| Ruling C-1011/2008 | Constitutional framework of habeas data |
| Ruling T-114/2018 | Specific habeas data in health — patient's right over their clinical record |
| Ruling T-307/1999 | Clinical record as sensitive data of maximum protection |
Data Protection Authority: the SIC (Superintendence of Industry and Commerce) retains full jurisdiction. ARTERIA does NOT replace it — it operationally strengthens it.
§2. Data classification in the health system under ARTERIA
Four categories with differentiated regime:
| Category | Definition | Regime | Access |
|---|---|---|---|
| Patient sensitive data | Clinical history, diagnoses, prescriptions, lab results, individual adverse events, biometrics | Law 1581 art. 5+6 | Exclusive to the data subject + explicit authorization + qualified judicial order in forensic cases |
| Patient private data | Civil identity, location, contact, affiliation status | Law 1581 art. 3 | Data subject + controller + authorized processors |
| Public system data | Provider registry, identity and licensing of professionals (ReTHUS), effective drug prices, regulatory decisions | Law 1581 art. 3 | Open public access |
| Dissociated and aggregated data | Epidemiological analysis, aggregate adverse-event surveillance, operational metrics, quality indicators by category | Law 1581 art. 25 + D-1377 | Open public access |
Key operational principle: cryptographic separation among categories. The public layer operates on dissociated data; the private layer operates on data encrypted with the data subject's key; no operator can combine them without explicit authorization.
§3. Mapping of Data Protection regime roles to ARTERIA
| Law 1581 role | In ARTERIA |
|---|---|
| Data subject | The patient. Legal and technical owner of their clinical history |
| Controller | The State via MinSalud (Ministry of Health) + ADRES + territorial entities |
| Processors | IPS (health providers), professionals, dispensers, regulatory authorities — authorized for a specific subset |
| Technical operator of the Standard | The operating foundation runs the platform without access to encrypted clinical content. It processes dissociated metadata |
| Data Protection Authority | SIC — full jurisdiction preserved and reinforced |
| Ombudsman (Defensor del Pueblo) | Constitutional function + tutela actions on behalf of patients |
| Delegate Inspector for Data Protection (Procuraduría Delegada) | Disciplinary function over public officials |
Critical distinction vs. the current system: in the legacy model, EPS act as processors with broad autonomy and without cryptographic traceability. In ARTERIA, the patient is the technical data subject, IPS act as processors with explicitly traced authorization, and the standard operator does not access content. The EPS↔patient asymmetry is structurally inverted.
§4. Operationalization of Law 1581 principles in ARTERIA
| Law 1581 principle | Materialization in ARTERIA |
|---|---|
| Legality | All processing within the constitutional + legal framework. Standard authorized by decree + specific law where applicable |
| Purpose | Purpose explicitly declared per data category. No use outside declared purpose is valid |
| Freedom | Prior, express, and informed consent. Exceptions (emergencies, public health, judicial order) exhaustively enumerated |
| Veracity | Data verifiable by the data subject and rectifiable. Cryptographic identity guarantees veracity of signature |
| Transparency | The data subject can consult at any time what data they have, who provided it, who accessed it, and under what purpose |
| Restricted access and circulation | Only the data subject and authorized parties access sensitive data. Technical operator does not access content |
| Security | Multi-pillar post-quantum cryptography + hardware-bound identity + partitioning + redundancy + reproducible builds. Standard higher than legally required |
| Confidentiality | End-to-end encrypted storage. Not even the operating foundation can read the content. Architectural property, not institutional commitment |
§5. Concrete guarantees to the data subject (patient)
ARTERIA materializes the data subject's rights (Law 1581 art. 8) as enforceable rights technically operationalized:
| Data subject's right | How it is exercised in ARTERIA |
|---|---|
| Know, update, and rectify | Full access from the native client. Rectification with cryptographic signature + immutable audit trail |
| Request proof of authorization | Every authorization is recorded in the data subject's signed DAG |
| Be informed of data use | Native client shows in real time each query, by whom, under what purpose |
| File complaints before the SIC | Mechanism from the native client + direct channel to SIC with consolidated cryptographic evidence |
| Revoke authorization + erasure | Rotation of the patient's cryptographic key — clinical history becomes cryptographically inaccessible without physical destruction (compatible with the 15-year legal retention). Revocation to a specific IPS with immediate effect |
| Free access | From native client, free, real time, no paperwork |
| Assignment / portability | Exportable in FHIR R5 international standard |
Five additional guarantees the current system does NOT deliver:
- Cryptographic traceability of access — each query is recorded with identity, date, time, purpose
- Granularity of authorization — the patient can authorize access to specific parts (cardiology only, not mental health) or specific periods
- Real-time notification — the patient receives immediate notification of each access
- Frictionless revocation — operational in seconds from the native client
- Permanent external audit — DAG auditable by SIC, the Inspector General's Office, and independent auditors contracted by the data subject
§6. Processing of sensitive data — reinforced protection
Health data is sensitive by legal definition (Law 1581 art. 5). Reinforced-protection categories:
| Category | Reinforced protection |
|---|---|
| Mental health + addictions | Access restricted to direct treating professional + documented emergencies. Additional authorization for non-direct consultation. Special auditing |
| HIV/AIDS | Special regime Law 972/2005 + reinforced protection. Restricted access by default, granular authorization |
| Sexually transmitted diseases | Reinforced protection analogous to HIV |
| Oncology + catastrophic illnesses | Special handling of prognostic information + protection against labor and insurance discrimination |
| Legal abortion (Ruling C-355/2006 and subsequent) | Maximum confidentiality. Access only to the treating professional and the woman who is the data subject. Excluded from general searches |
| Genetics + genomic medicine | Special protection — hereditary data affect non-subject relatives. Extended consent |
| Reproductive health | Reinforced confidentiality. Protection against access by partner or relatives without explicit authorization |
Technical mechanism: reinforced-protection categories are implemented as separate cryptographic compartments within the unified clinical history. Each compartment requires specific authorization from the data subject for access, even by the treating professional of another specialty.
§7. Special cases and regulated exceptions
7.1. Minors (Law 1098/2006)
- Legal representation by parents, guardian, or family ombudsman
- Sensitive data of minors with reinforced protection — parental access restricted in some cases (progressive autonomy)
- Adolescents ≥ 14 years old with capacity for informed consent for specific treatments per jurisprudence
- The system requires dual authorization when applicable (legal representative + adolescent)
7.2. Older adults with cognitive decline
- Representation by a legally authorized caregiver (curator, supports under Law 1996/2019)
- Reinforced auditing of access by representative
- Mechanisms of protection against abuse by the representative
7.3. Scientific research with health data
- Regime under Decree 8430/1993 + Resolution 1407/2002 (Good Clinical Practice)
- Dissociated data (irreversibly anonymized) without requiring individual consent
- Identifiable data with informed consent + ethics committee
- Continuous protocol auditing
7.4. Public health (epidemics, pandemics)
- Exception regulated under Law 9/1979 + Statutory Law 1751/2015
- Aggregated dissociated data accessible to sanitary authority
- Identifiable data only under declaration of national health emergency + reinforced auditing
- Epidemiological surveillance on aggregate patterns
7.5. Forensic cases + judicial order
- Access under qualified judicial order (judge of the republic)
- Reinforced auditing
- Notification to the data subject as soon as compatible with the investigation
- Accessed data remains in judicial custody
7.6. International data transfer
- Regime under Decree 1377/2013 + Chapter 25 of Law 1581
- Transfer to countries with an adequate regime certified by SIC
- International research: dissociated data + agreement + explicit authorization from the data subject
- ARTERIA operates under national technical sovereignty — servers and operational jurisdiction are Colombian. International transfer is a regulated exception, not an operating condition
7.7. Special regimes (armed forces, teachers, Ecopetrol)
- They retain their special regimes with operational coordination with ARTERIA where applicable
- Integrable to the national technical standard under specific agreements without losing administrative autonomy
§8. Privacy by design — cryptographic architecture as legal compliance
ARTERIA implements the international principle of privacy by design (Ann Cavoukian, 2009; codified in GDPR art. 25) as an architectural property:
| Privacy by Design principle | Materialization in ARTERIA |
|---|---|
| Proactive, not reactive | Protection by architecture from the ground up, not as an additional layer |
| Privacy by default | Maximum privacy configuration by default. The patient must explicitly opt in to share |
| Privacy embedded in design | E2E encryption with the data subject's key is a structural property, not an option |
| Full functionality — positive-sum | Public traceability + patient privacy coexist because they operate on dissociated categories |
| End-to-end security | Encryption at rest + in transit + in computation (zero-knowledge proofs) |
| Visibility and transparency | The patient sees exactly who accessed what and when |
| Respect for user privacy | The data subject operationally controls their data |
Applied technical standards:
- ISO 27799:2025 (information security management in health)
- ISO/IEC 27001 (information security management system)
- Cryptography with robust public auditing and post-quantum backing
- Key storage bound to the data subject's device hardware
The specific cryptographic primitives selected, the algorithms, and the implementation parameters are documented in the technical repository under the control of the Foundation of the Standard (technical proposal §10), auditable by qualified independent technical teams under a technical confidentiality agreement. The institutional rationale for this balance is articulated in technical proposal §3.
§9. Comparison with GDPR (international standard)
The GDPR (EU Regulation 2016/679) is the most demanding international standard. ARTERIA meets or exceeds its requirements:
| GDPR right | ARTERIA complies |
|---|---|
| Access (art. 15) | Yes, in real time from the native client |
| Rectification (art. 16) | Yes, with cryptographic audit trail |
| Erasure (art. 17) | Yes, via key rotation (compatible with legal retention) |
| Restriction of processing (art. 18) | Yes, granularity by compartment |
| Portability (art. 20) | Yes, FHIR R5 export |
| Objection (art. 21) | Yes, operational revocation in seconds |
| Automated decisions (art. 22) | Smart contracts execute standardized rules; decisions affecting individual rights require human intervention by the professional |
| Privacy by design + by default (art. 25) | Yes, by architecture |
| DPIA (art. 35) | Continuous DAG audit by independent auditors |
| DPO (art. 37-39) | Function in the operating foundation + coordination with SIC |
| Breach notification (art. 33-34) | Automatic via smart contract to SIC + affected data subjects within legal deadline |
Conclusion: ARTERIA meets or exceeds full GDPR. Relevant for international data transfer, collaborative clinical research with European institutions, and Colombia's international standing in digital health standards.
§10. Sanctioning regime + relationship with the SIC
Law 1581 art. 23 sanctions applicable to controllers and processors:
- Fines up to 2,000 SMMLV (~COP $2.847 billion as of 2026)
- Suspension of activities up to 6 months
- Temporary closure
- Immediate and definitive closure
Reinforced sanctions for ARTERIA:
- Automatic compliance verification: the DAG allows SIC to audit in real time without reactive investigation
- Sanctioning smart contract: when a verifiable violation is detected (unauthorized access recorded in the DAG), the system automatically triggers a proceeding before SIC with consolidated evidence
- Immediate technical suspension: in case of verified breach, the operating foundation can technically suspend the actor (revoking cryptographic identity) in parallel with the formal proceeding
Relationship with the SIC: the Superintendence retains full jurisdiction. ARTERIA does NOT remove authority — it delivers consolidated and verifiable evidence. The disciplinary process operates on cryptographically auditable data, which strengthens its capacity.
§11. Data protection implementation plan
| Period | Action |
|---|---|
| Months 0–3 | Formal definition of the national standard's data protection policy. Designation of the Data Protection Officer in the operating foundation. Initial coordination with SIC |
| Months 3–6 | Registration of unified system databases before SIC (Decree 886/2014). Security audit by external firm. Design of cryptographic compartments |
| Months 6–9 | Native client deployment with full habeas data functionality. First 100,000 voluntary users |
| Months 9–12 | Coverage in voluntary IPS pilots. Training of clinical human talent. Continuous DPIA in operation |
| Months 12–18 | Gradual migration of legacy clinical records with consent + special auditing. Auto-initiation of proceedings before SIC for detected cases |
| Months 18–24 | National coverage. Complete annual external audit. Full operational coordination with SIC, Inspector General's Office, and Ombudsman |
| Month 24+ | Stabilized operation. Annual public reports. Continuous improvement under the legal framework |
§12. Summary of explicit legal defenses
Defense 1 — "Does ARTERIA violate habeas data?"
No. It operationally realizes it with greater strength than the current system. The patient is the technical and legal owner of their data. Any access is cryptographically recorded. Revocation is operational in seconds. Rectification is traceable. Portability is native. The system implements the eight Law 1581 principles + the seven data subject rights as architectural properties, not as institutional commitments.
Defense 2 — "Does public traceability contradict the legal confidentiality of health data?"
No. Public traceability operates on dissociated and aggregated metadata (UPC financial flow, provider quality indicators, operational metrics). The patient's sensitive personal data is encrypted with the patient's own key. No authority — neither the Ministry, nor ADRES, nor the operating foundation, nor the SIC — can read a patient's clinical record without their authorization or without a qualified judicial order.
Defense 3 — "Will the State have undue access to personal information?"
No. The State is the legal controller of processing but is not the technical operator with access to encrypted content. The operating foundation operates on metadata, not payloads. Accessing clinical content requires the data subject's authorization or a judicial order. This is structurally greater protection than the current system's.
Defense 4 — "What if there is a massive security breach?"
ARTERIA implements defense in depth: post-quantum cryptography + hardware-bound identity + partitioning + redundancy + continuous auditing + reproducible builds + ISO 27799:2025. A technical breach compromising the system would require simultaneously compromising multiple independent layers — operationally close to impossible for real adversaries. In the hypothetical case of a verified breach, the system automatically notifies SIC and affected data subjects within the legal deadline.
Defense 5 — "What about sensitive cases such as mental health, HIV, legal abortion?"
Reinforced protection by separate cryptographic compartments (§6). These categories require additional specific authorization from the data subject for any access, even by the treating professional of another specialty. The confidentiality standard is higher than the current system's.
Defense 6 — "Are we handing national sensitive data to a private company?"
No. The operating foundation is a non-profit entity of public law with a mixed technical council + international external auditing. There is no foreign provider: neither Microsoft Azure, nor AWS, nor Google Cloud, nor Oracle, nor IBM have access. National infrastructure + custody under the Foundation of the Standard + reproducible builds + public auditing. Full technical and legal sovereignty.
Appendix status
- v1.0: 2026-06-11
- Front: legal defense
- Audience: constitutional lawyers, MinSalud legal team, SIC, Ombudsman's Office, Delegate Inspector for Data Protection, technical journalists, multilaterals
- Next iteration: update with jurisprudence subsequent to June 2026