A Conceptual Framework to Ensure Privacy in Patient Record Management System

Privacy has become an increasingly significant concern in today's rapidly changing economy, primarily for personal and sensitive user data. Personal data violations are increasing day by day even though privacy-preserving frameworks are available. This paper conducted an in-depth analysis of contemporary frameworks to identify the key mechanisms needed to produce a sophisticated data privacy framework that reduces the rate of data breaches, particularly for the Patient Record Management System (PRMS). Several studies address healthcare data privacy; still, complete data protection solutions that apply privacy by design to patients' health data by ensuring privacy in each layer of the PRMS are quite limited, and that is the focus of this study. PRMS manages personal and sensitive data while delivering healthcare services to patients and, as such, also has the potential to carry significant risks to the privacy of that data. A novel conceptual framework with three distinct and sequential phases is suggested in this research, each of which is defined in a distinct section. The first phase is the planning phase, which identifies the key limitations of contemporary frameworks so that these can be minimized to ensure privacy in each layer of data processing. The second phase incorporates the key components of data privacy to satisfy the efficiency and effectiveness of the proposed framework. Finally, the third phase is the implementation of the requirements selected in the assessment phase to prevent privacy incursion events in PRMS. The complete framework is anticipated to deliver robust resistance to the continual data breaches in the patients' information domain.


I. INTRODUCTION
Nowadays privacy is an increasingly imperative concern when considering information systems that collect personal and sensitive user data [1]. Constructing a regulatory framework for the assets of an organization against the rising tide of cyber threats is an enormous concern of governments around the world. Most organizations provide e-services that identify and manage the personal information of users stored in the information system [2,3]. Data breaches can lead to malicious activities causing financial disruption as well as reputational damage on both the personal and organizational front. Major threats to data privacy have arisen from unauthorized access, data theft, data loss, hacking IT incidents, and improper data disposal [4,5].
In our previous research, statistics of data breaches along with the associated costs were highlighted to show that data breach hazards were growing every year around the world [6]. Between 1 January and 30 June 2020, healthcare service providers experienced more data breaches than any other sector in Australia, with 115 data breaches reported by the healthcare sector according to the Office of the Australian Information Commissioner (OAIC) [7]. The average cost of a data breach involving 1 million records is almost AUD 40 million [8]. Many organizations have constantly encountered data breaches and have so far struggled to discover effective remedies [9]. A single breached record costs AUD 408 in healthcare organizations, which is three times more per record than in all other sectors [10].
Privacy by design is an approach that ensures personal control over an individual's privacy in the operations of information systems and business practices by proactively embedding good privacy practices, resulting in a sustainable competitive advantage for organizations [11]. Developing a trustworthy system is a major challenge in the software engineering field, particularly for systems that support personal or professional activities. A limited number of methods have been suggested by researchers to address the data breach problem [12,13]. Some of these methods are separation of data, anonymization, pseudonymization, blockchain-based solutions, the k-anonymity algorithm, and so on [14][15][16][17]. However, current data privacy protection methods fall short of providing an adequate outcome that reduces data breach complications [18,19].
A comprehensive investigation of data privacy by design was presented in our previous paper [6]. We critically identified the extensive restrictions on data privacy in the healthcare sector by using a systematic literature review (SLR). Besides, a comparative analysis based on seven existing privacy by design frameworks was conducted. Our prior research suggested a sustainable future research and development direction, as the existing frameworks fall short of controlling and reducing the rate of data breaches around the world [6]. The aim of this research is to develop a conceptual framework using the fundamental mechanisms of Privacy by Design (PbD) to safeguard patients' health records.
The novelty of the work presented here lies in the fact that the proposed framework is not a single entity but a combination of globally verified components, namely the fundamental principles of Privacy by Design (PbD) by Ann Cavoukian, the privacy design strategies by Jaap-Henk Hoepman, suitable standards and best practices, and Privacy Impact Assessment (PIA), to ensure a comprehensive privacy-preserving environment in healthcare system design. An extensive analysis of existing frameworks supports this research in identifying the key components and their limitations. Seven data privacy frameworks are nominated for a comparative analysis that helps our research determine the key components of personal data privacy. The existing frameworks are further investigated to understand their integrity and effectiveness towards the confidentiality of personal and sensitive user data. Based on the comparative analysis, we identified that the existing frameworks do not fully incorporate these key components in constructing their privacy context; therefore these frameworks are inadequate for ensuring the confidentiality of personal information. Our research combines the key components, which are globally verified and compulsory mechanisms, to design a privacy-preserving framework especially for the personal and sensitive data of patients, ensuring maximum defence. In addition, the seven fundamental Privacy by Design (PbD) principles by Ann Cavoukian are combined into four healthcare principles (HPs) to simplify and guarantee the data privacy contexts as a design pattern in the PRMS. The proposed healthcare principles (HPs) are applied to each layer of the healthcare data processing system to safeguard patients' sensitive data during collection and processing.
The compatibility of our proposed framework with two benchmark standards, the APPs and the GDPR, is established, showing that the proposed healthcare principles (HPs) are fully in compliance with these standards. Besides, the implementation of the proposed key components into the PRMS is presented in detail to determine the performance. Research initiatives that combine all of the key components to fully support the confidentiality of patients' health records are hard to find, especially ones that use proven data privacy mechanisms to develop an entirely protected PRMS. The contribution of this research is a conceptual framework that addresses the key limitations of the existing studies and ensures maximum privacy in each layer of personal data while it is processed in the healthcare system. This work will guarantee compliance with comprehensive data privacy by design mechanisms to achieve an optimal outcome for personal data protection.

II. STRUCTURE OF THE PAPER
The rest of the paper is structured as follows: information about patients' health records is presented in Section III, and the necessary background studies are analysed in Section IV. That section also provides a comparative analysis of the existing privacy by design frameworks. Section V has an in-depth explanation of the proposed framework along with its planning, assessment, and implementation phases; finally, Section VI concludes the paper and future work is presented in Section VII.

sensitive data are rather scant; despite that, the following section analyses some of the closely related works to address the key aspects of designing a prolific privacy by design framework.
Bari and O'Neill [22] suggested that patients' health records are collected by different platforms such as social media, pregnancy and mental health apps, depression and smoking cessation apps, and wearable fitness trackers. All these platforms are joined to medical records and can be shared with third parties for advertising and other purposes, often without any consent from the individual using the applications. The range and volume of patient data in digital form are rapidly growing [22]. The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, outlines the legal use and disclosure of health information [25]. The European General Data Protection Regulation (GDPR) [26] and the California Consumer Privacy Act (CCPA) [27] are two data protection laws that use a similar conceptual approach to permit and prohibit the use of personal information and to define the rights and obligations of access and control [28]. HIPAA and GDPR contain similar patterns for patient and user consent for use or disclosure, and rules to ensure that individuals are notified if any data breach occurs [28]. Their research recommended modernizing HIPAA by comparing the HIPAA and GDPR models. Moreover, their research extended and adapted the HIPAA framework and suggested five areas in which to preserve the privacy of patients' information when new data-driven tools are used to manage their healthcare: health data in scope, regulated entities, permitted use of personal health data, security standards, and breach notification requirements [22]. The limits of the HIPAA framework are almost a quarter century old, and the public may not maintain trust in the face of repeated scandals without clear guidelines. Therefore, adopting HIPAA to ensure confidentiality for digital health data is challenging [22].
Sahi et al. [29] suggested that e-healthcare provides benefits to patients and healthcare providers; however, the services are not fully developed and lack widely implemented obligatory facilities such as confidentiality, integrity, privacy and user trust. The quality of healthcare services and patient trust are the primary features of any healthcare operation. Patients' trust depends on the issues of confidentiality, authenticity and data management. Ensuring privacy is one of the biggest obstacles to the success of a healthcare solution in winning the trust of patients [30]. Privacy requirements are compounded by the fact that the healthcare data being managed is extremely personal and private in nature; consequently, misconduct, whether intentional or by mistake, can seriously affect the patient as well as the organization's prospects. Their research identifies privacy concerns by focusing on the areas where healthcare organizations fail to address all aspects of privacy. Their research gradually shifts e-healthcare enterprise controls from the organizational level to the level of patients during implementation. In this way, patients have more control over decision making to protect their healthcare information. Their investigation notes that more effort is required to assess this shift from e-health enterprise control to patient-level control. Moreover, their review of existing research is divided by the techniques used, such as anonymization/pseudonymization and access control for the privacy of stored data, which support the privacy requirements (accountability, integrity, identity management) [15]. Their research mainly reviews existing related studies to find out whether their proposals can meet the privacy requirements and concerns of patients [29].
Shenoy and Appel [31] noted that electronic health records (EHRs) support facilitated communication, ease of transferability and a decreased rate of medical errors. While legal protections have been employed, EHRs are still unable to ensure the privacy of patients' data and can suffer data breaches; therefore, the confidentiality of patients' health data is still a significant concern [31]. Keshta and Odeh [32] mentioned that medical professionals, patients and healthcare services can gain many benefits if they adopt electronic health records in their healthcare organization. However, electronic health data management is a big concern, particularly the privacy and security of patient data in the healthcare organization. Their investigation mainly presents the privacy and security concerns of healthcare organizations and examines the available solutions. Effective encryption schemes for patients' health records, and a multidisciplinary team (e.g. telecommunications, instrumentation and computer science) to efficiently manage the electronic health records, are recommended [32].
George and Bhila [33] suggested that keeping up confidentiality is the most crucial factor in maintaining privacy in the healthcare sector. Professionals who communicate with patients and have access to patients' health data must keep them confidential. Privacy of personal data, especially data associated with health, is significant for any human being. This research used an interpretive methodology that helps to identify the reality in health sectors through face-to-face communication. Their investigation identified that the common threats of data loss and theft arise from certain disclosure types, mostly unintentional and by third parties; hence, safeguarding confidentiality and privacy from breaches is obligatory [23]. Consequently, consent about medical data must be collected from patients in writing or electronically, and this consent must be signed by the patient or an authorised member. The patient must be aware of what kind of data is collected, where the collected data will be disclosed and when the consent expires. Correspondingly, the healthcare organization must ensure privacy by securing its database and may only disclose the data to the healthcare management team, who have an obligation to protect the data. Their study mainly explores the issues related to confidentiality and privacy in healthcare and their value to the patients and associated sectors [33].
The above investigations identified the critical data privacy areas, but complete solutions for constructing a data privacy framework are still missing. In the following section, we investigate existing data privacy frameworks that have critically considered personal information protection for healthcare and similar environments. We critically analysed the following frameworks to identify the necessary components as well as their key limitations in order to establish a competent data privacy solution.
A privacy protection framework for public sector organizations is suggested by the Victorian public sector based on the concept of privacy by design [34]. The purpose of this framework is to entirely safeguard personal data while collecting and managing it within the system. This framework embeds privacy into the design and architecture of the system from the outset. An additional community dimension added by Privacy by Design (PbD) is the recognition that privacy contributes to the creation of public value, even though privacy is considered an individual right. Privacy impact assessment is mentioned as the most useful tool to implement privacy by design. This tool is a point-in-time process to identify and evaluate privacy solutions by mitigating the risks. The effectiveness of this framework is uncertain; therefore, privacy design strategies need to be considered in parallel with privacy by design principles to guard against data leakage efficiently [34][35][36].
Moncrieff et al. [37] suggested a framework for privacy-preserving design in the healthcare sector. The objective of this framework is to eliminate the major obstacles to setting up a ubiquitous healthcare system by detecting the issues through technology acceptance. A built-in information process flow is represented by this framework to achieve the objectives [37]. The data protection outcome remains in question, as the structure of this framework does not state whether any verified method, for example privacy by design standards, principles or tools, has been incorporated [38]. Moreover, the sensitivity of patients' health data and its surroundings are further limitations that can have a massive impact on the adoption of this framework [39].
'PReparing Industry to Privacy-by-design by supporting its Application in REsearch' (PRIPARE) is a privacy by design framework that incorporates standards, contemporary practices, and studies on privacy engineering [40]. Subsequently, a method of system development phases is proposed by this framework. International Organization for Standardization (ISO) 29100 is incorporated to establish the operational process of PRIPARE; the process is divided into seven phases, with an additional one assigned to organizational structure [41]. Privacy impact assessment is incorporated in parallel with one of the phases, named analysis. Yet privacy by design principles should be considered together with privacy design strategies, as they are fundamental components for outlining the organizational and technical requirements [42].
Shrestha et al. [43] recommended a framework of 'Enhanced e-Health for privacy and security in the healthcare system'. This framework proposes to detect unauthorized user access to patients' health records by following the privacy by design principles. Multi-authority-based access control is suggested by this study to defend against unauthorized access to patients' personal data, since the administrator of the system can misuse that data while accessing the system, and patients' health records are often exposed to third parties for healthcare purposes [30,44]. Accordingly, sensitive data should be retrieved only with the doctor's consent, or in some cases the patient's consent, to overcome this problem. While storing the data in the cloud, pseudonymization is the preferred technique to safeguard the privacy of personal data [45,46]. Authorization and authentication are enhanced data privacy techniques that regulate the strategy for improving the effectiveness of e-health system privacy. However, to ensure a competent privacy-preserving environment in the system, no attention is paid to significant components, e.g. privacy design strategies and privacy impact assessment, which need to be considered appropriately [43].
'Privacy by design framework for assessing Internet of Things (IoT) applications and platforms' is suggested by Perera et al. [47]. Privacy by design fundamental principles and privacy design strategies are the core foundation of this framework. The privacy competencies and limitations of current IoT applications are assessed in this study. Data breach threats are not assessed by IoT applications [47]. Risk assessment should be performed; to do so, privacy impact assessment should be explicitly addressed by IoT applications. Due to the insufficiency of systematic approaches, privacy design in IoT software development is comparatively behind [48,49].
Foukia et al. [50] suggested a method that mainly validates the data sources with privacy sensitivity and the data trail controller, and delivers rights for third-party data processing during their application. This framework is termed 'PISCES', which means privacy incorporated and security-enhanced system. One of the main functionalities of this framework is the separation between the data controller and the provider, where the provider manages the privacy of the data and the controller manages the privacy protection of the provided data [51,52]. This framework incorporates privacy protection from the initiation and during the operation of the information system, which supports the fundamental principles of privacy by design [52,53]. PISCES should incorporate privacy by design components such as privacy design strategies and/or security management tools, which would strengthen this framework in ensuring an effective privacy-friendly system [54].
Privacy by design objectives are combined with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 29110 to construct a framework named 'ISO/IEC 29110 basic profile privacy by design in the healthcare sector' [55]. The goal of this framework is to provide direction to project management and software implementation to improve the quality of information systems. In developing this framework, the fundamental principles of privacy by design are incorporated as a standard and privacy design strategies are unified as the functionality of the framework [56]. Adoption of this framework may not be widespread, as privacy impact assessment should have been considered while developing it [57].
The key contexts of privacy by design are identified and discussed in this in-depth analysis. A detailed comparative analysis of existing research on data privacy frameworks was highlighted in our previous research [6]. Based on that analysis, the key parameters of contemporary privacy by design frameworks are revealed in order to identify the limitations of each framework. These parameters are divided into categories: Ann Cavoukian's seven fundamental principles of privacy by design, privacy design strategies, and privacy impact assessment (PIA). We concluded that the listed privacy by design key parameters are quite generic, thus the potential of developing this research towards building a framework is rather promising. Likewise, the available practices for dealing with data breaches are not entirely effective, as noted above, and therefore a more comprehensive methodology is required to consider the several perspectives of the problem.

FIG. 1: Relations of Patient Record Management System (PRMS)
In this research, we identified the Hospital Management System (HMS) and its associated information systems that hold patients' sensitive information, as presented in Fig. 1. The HMS is focused primarily on the operations management of the hospital. Two broad systems make up the Hospital Management System: the Patient Care Information System (PCIS) and the Managerial Information System (MIS). The division of the Hospital Management System into these two broad systems is theoretical [20,24].

a. PATIENT CARE INFORMATION SYSTEM (PCIS)
PCIS collects, manages, and releases patients' personal and medical information. PCIS mainly consists of three sub-systems, as outlined below [24].

i. PATIENT RECORD MANAGEMENT SYSTEM (PRMS)
PRMS is a sub-system of PCIS and consists of applications that enable care providers to keep track of individual patients or groups of patients in a fast, responsive, flexible, and friendly manner with efficient use of available resources. The PRMS consists of mainly three applications: the Patient Registration Application (PRA), the Client-Resource Management Application, and the Charging, Billing and Payment Application [20,24]. The Patient Registration Application (PRA) mainly manages the registry of the healthcare facility's clients. Enlisting a new person as a patient in a healthcare institution is performed by this application. Its functions include collecting personal identification and demographic data, preserving the patient's personal record, and maintaining a permanent register of patients. The Client-Resource Management Application mainly supports appointments, scheduling, allocation of resources, patient tracking, creation of worklists, and tracking of resource availability. Based on the needs of the patients, this application assigns the correct resources to a patient, such as the services of a care provider, a physical site (room/bed), etc. The Charging, Billing and Payment Application supports charging for actual assignments and bill calculation, e.g. payments made, credit balances, accounts receivable, etc. The design of this application is dependent on policy, as this is completely a business function [58,59].

ii. CLINICAL INFORMATION SYSTEM (CIS)
CIS facilitates patient care directly, supporting the activities of care providers, primarily doctors, nurses and medical professionals [59]. Healthcare professionals get support and assistance from CIS to perform their daily work, e.g. planning for care, clinical data entry, data storage, provision of clinical decision support, quality control, and data retrieval and display. All of this collected information is stored in the database [24,58].

iii. CLINICAL SUPPORT SYSTEM (CSS)
CSS provides services to perform tests and to provide supplies based on the tests. Care providers request these facilities through the CSS. Results of the tests are submitted to the CSS database, from where they are made available. Supplies such as drugs, food, blood products and sterile supplies are distributed by CSS to the responsible persons or units requesting them. The delivery details and the receipts are stored in the database [24,58].

b. MANAGERIAL INFORMATION SYSTEM (MIS)
The Managerial Information System (MIS) consists of several applications and sub-systems. MIS supports the hospital management team primarily for business operations, physical facilities and hospitality services. The components of MIS are wide-ranging and complex [24]. Business operations such as general administration, hospitality management activities and facility activities are facilitated by MIS. The business operations are associated with the Administration Information System, Accounting System, Human Resource Management System, Finance and Budgetary System, and Purchasing and Inventory System. The physical facilities that support hospital management consist of the Facility Engineering System, Equipment Maintenance System, and Environmental Health, Safety and Waste Management System. The hospitality services are facilitated by the Bed Management and Food-Beverage Order-Supply System. MIS is not within the scope of this research but is mentioned because it is a sub-system of HMS [20,24,58,59,60].
Since our goal is to safeguard the privacy of personal data collected from patients, this research focuses mainly on the protection of PRMS. PRMS principally collects, manages, stores and releases the sensitive information related to patients. In this research, the Patient Registration Application (PRA) of PRMS is selected to plan and execute our proposed framework. As highlighted in our study, certain core mechanisms are missing in the current frameworks; hence a sophisticated and enhanced framework is proposed by integrating the obligatory mechanisms into the system architecture of PRMS.

V. THE PROPOSED FRAMEWORK
Multiple data privacy components such as strategies, principles and tools have been considered in the construction of the proposed framework. In this section, a detailed discussion of each of the sub-processes of the complete framework is carried out. A design science methodology is adopted, as no comprehensive method is presented by the existing studies to translate privacy by design into system requirements. A literature review from our existing work is correspondingly used to outline the requirements [6]. Based on ISO/IEC 29100 [41,55], the personal data privacy components are listed and mapped to design the proposed framework. Privacy standards and best practices and privacy impact assessment are considered in delivering a comprehensive privacy-preserving environment in the system design. The proposed framework has three main phases, P1, P2, and P3, which are constructed based on ISO/IEC 15288 [61][62][63]. An overview of the phases is given below.

A. P1 -PLANNING PHASE
In this phase, privacy issues are acknowledged so that they can be addressed in the implementation phase. Characterizing the system from a privacy perspective is the key objective. The limitations of contemporary privacy by design frameworks, and suitable standards and best practices, are identified here to safeguard the confidentiality of patients' health records.

P 1.1 COMPARATIVE ANALYSIS ON EXISTING PRIVACY BY DESIGN FRAMEWORKS
The key parameters of seven existing privacy by design frameworks are identified and presented in Table 1. A comparative analysis has been established based on the existing frameworks to highlight the limitations for each of them. There are several components suggested in existing studies, however, three globally verified components are relatively common. These components are selected by theoretical analysis in our research to identify the key limitations of existing studies. The selected components are seven fundamental principles of Privacy by Design (PbD) by Ann Cavoukian, privacy design strategies by Hoepman Jaap-Henk and privacy impact assessment (PIA). Seven fundamental principles of Privacy by Design (PbD) by Ann Cavoukian are applied as an essential component of fundamental privacy protection for personal information such as medical data. Privacy design strategies support privacy by design in the system development life cycle.
Eight privacy design strategies deliver patterns for designing a privacy-friendly system. Privacy impact assessment identifies the impact of the proposed framework through a systematic assessment of its effect on individuals' privacy. PIA is a vital component of privacy protection and part of overall risk management. The success of the proposed framework depends on whether it meets the privacy expectations of the community and legislative privacy expectations. As the proposed framework will safeguard personal data, seven core elements of PIA are considered in designing the privacy assessment to address the risks and their mitigation plan. The systematic literature review conducted in our previous research supports, in parallel, the detection of the key parameters of data privacy frameworks. Therefore, these selected verified components are significant to developing the proposed framework.

The key limitations of existing frameworks are identified based on a comparative analysis of seven existing privacy by design frameworks [6]. As can be seen, the selected frameworks do not fully include at least one or more of the key components in modelling the privacy contexts of their systems. Therefore, the potential of their proposed studies to achieve personal data privacy is questionable.
To construct the proposed framework, we considered all three globally verified key components to ensure a maximally privacy-preserving environment for patients' health records. The selected key components are as follows:
• Seven fundamental principles of privacy by design by Ann Cavoukian.
• Privacy design strategies by Jaap-Henk Hoepman.
• Privacy impact assessment (PIA).

P 1.2 SELECTING STANDARDS AND BEST PRACTICES
We selected suitable standards and best practices to structure this framework, so that it covers the process and lifecycle stages, provides a set of controls for processing personally identifiable information, identifies the privacy requirements in the system, etc. The standards and best practices considered in constructing the proposed framework are outlined in Table 2.

B. P2 -ASSESSMENT PHASE
The assessment phase outlines the components and architecture needed to satisfy the requirements of the proposed framework. In this phase, the seven fundamental principles of privacy by design by Ann Cavoukian are assessed. The privacy design strategies suggested by Jaap-Henk Hoepman and privacy impact assessment are then considered in turn to achieve the best outcomes. By using the key components of privacy by design, the necessary data protection and privacy requirements are acknowledged for the healthcare system in Fig. 2. In the assessment phase, the first step assures and coordinates compliance with the verified seven fundamental principles of privacy by design (PbD) suggested by Ann Cavoukian [35]. Based on the fundamental principles of PbD, four healthcare principles (HPs) have been introduced to safeguard the personal data flow of patients. The seven fundamental PbD principles are defined as follows [36,64].

PbD 1 PROACTIVE, NOT REACTIVE; PREVENTATIVE, NOT REMEDIAL
This principle requires that the privacy by design approach be proactive rather than reactive. With this approach, privacy-invasive events are anticipated and prevented before they occur. The PRMS does not wait for a data breach to occur, nor react after it has occurred, since the goal of this principle is to prevent threats from materializing.

PbD 2 PRIVACY AS THE DEFAULT
This principle assures that personal data is protected automatically in any system by default. Users of the PRMS need not take any action to protect their privacy, as this principle makes the privacy of personal data the default operation. Thus, privacy by design enables the highest level of data protection in healthcare systems.

PbD 3 PRIVACY EMBEDDED INTO DESIGN
This principle ensures that data privacy is integrated throughout the development of the PRMS. Privacy is embedded into the core functionality as an essential component of the PRMS without diminishing that functionality. The PRMS applies this principle comprehensively and holistically throughout the system architecture. This principle therefore estimates the impact on privacy and, with appropriate measures, reduces data breaches in the PRMS arising from usage, error, or misconfiguration.

PbD 4 FULL FUNCTIONALITY - POSITIVE-SUM, NOT ZERO-SUM
This principle accommodates all legitimate objectives and concerns in a positive-sum manner and rejects false dichotomies such as availability versus privacy or security. The full functionality approach is significant in avoiding unnecessary trade-offs of privacy between the user and the system.

PbD 5 END-TO-END SECURITY - LIFECYCLE PROTECTION
This principle guarantees that privacy is integrated consistently throughout the PRMS lifecycle and that data is erased promptly at the end of the process. Privacy by design is embedded in the PRMS before the first item of information is processed and remains in place to the end of the lifecycle.

PbD 6 VISIBILITY AND TRANSPARENCY
This principle assures all stakeholders involved in the business practices or technologies of the PRMS that all actions remain visible and transparent to providers and users. It assures that the PRMS operates according to its stated goals and promises, subject to independent verification.

PbD 7 RESPECT FOR USER PRIVACY
To keep the individual's interests uppermost, privacy by design offers clear principles for processes by providing robust privacy measures by default. This principle offers user-friendly options to users of the PRMS, with appropriate notices and choices while collecting personal data, so that the system remains user centric.
We combined the seven fundamental privacy by design principles with four healthcare principles (HPs) to simplify the design process. Implementing the HPs as a design framework allows data privacy to be featured by default.
The proposed HPs will ensure strong privacy and personal control over sensitive information, giving a justifiable competitive benefit to healthcare organizations. The proposed HPs function as follows.

HP1. PRIVACY AND DATA SHARING NOTICES
HP1 delivers strong confidentiality and data sharing notices to let users know how their personal data are stored, used, shared and deleted. This principle delivers a brief description of the data once the user submits them, and notifies the user whether the data will be stored in a database or sent to a third party, and for how long the data will be stored. The notices are designed according to the requirements of the specific healthcare organization. HP1 is founded on PbD 1 Proactive, not reactive; preventative, not remedial, and PbD 2 Privacy as the default (Fig. 3 (a)).

HP2. TRANSPARENCY AND TRUST WITH THE USERS
HP2 provides notices with an additional layer of information privacy, displaying a short message next to specific fields as soon as a user is about to enter personal information in a registration form. This notice states the purpose of collecting the specific data fields, such as medical report, laboratory or diagnosis purposes. HP2 is based on PbD 3 Privacy embedded into design and PbD 6 Visibility and transparency (Fig. 3 (b)).

HP3. ALLOWING USERS TO MANAGE PERSONAL DATA
HP3 gives users an active role in the management of their data by requesting them to tick a checkbox confirming that they have read the terms and conditions governing the collection of their personal or sensitive information. As per HP3, checkboxes are not pre-ticked, and users must agree to the terms and conditions to continue. HP3 is based on PbD 3 Privacy embedded into design, PbD 4 Full functionality - positive-sum, not zero-sum, and PbD 7 Respect for user privacy (Fig. 3 (c)).

HP4. DATA COLLECTION MINIMIZATION
HP4 minimizes the amount of data collected by reviewing the reason for which the system is accumulating them, and anonymizes, pseudonymizes or encrypts them to ensure the privacy of the collected data. HP4 is grounded on PbD 2 Privacy as the default, together with PbD 3 Privacy embedded into design and PbD 5 End-to-end security - lifecycle protection (Fig. 3 (d)).
Healthcare principles work as core assumptions, whereas privacy design strategies are guidelines that govern the behaviour and development of the PRMS. In the following step, privacy design strategies are evaluated for inclusion in system development during the implementation phase.

P 2.2 IMPLEMENTING PRIVACY DESIGN STRATEGIES
Jaap-Henk Hoepman [65] suggested privacy design strategies, which are applied in this step to establish a privacy-protective environment in the PRMS. Privacy design strategies assess the privacy impact of existing systems and suggest possible design patterns for establishing a fully protected system through suitable privacy methods. During concept development, design strategies help system architects evaluate the privacy of personal data across the software development life cycle [65]. Privacy design strategies are divided into two parts.

a: DATA-ORIENTED STRATEGIES
i. MINIMIZE
In this proposed framework, the most elementary data-oriented strategy is minimize, as it offers the assurance of a limited amount of personal data collection. This strategy recommends that only the data essential to providing medical services be collected from patients; therefore, the chances of data theft, accidental data leakage, and misuse of personal data are reduced [65]. Moreover, individual users have the right to decide, by choosing the options offered, whether to process or delete their data while using the system. Anonymisation is a design pattern for this strategy [66].

ii. HIDE
This strategy restricts access to personal data by keeping the collected data properly protected and masked from plain view, to avoid a variety of misuses. Hide keeps the data away from other parties while it is collected and processed legitimately by a single entity [65]. This strategy suggests that information requiring privacy, and particularly its interrelationships, must not be comprehensible in plain sight. Masking personal data from plain view helps to avoid data exploitation. The Hide strategy mainly ensures the confidentiality of patients' health data in the PRMS. The design pattern recommended by this strategy is pseudonymization, which de-links connections, for example through attribute-based credentials [67,68].

iii. SEPARATE
This strategy provides data separation based on the properties of the data, with data collected and processed anonymously wherever possible. The information contents are categorized while being collected and formed in the system [65]. This strategy enhances the privacy of any type of patients' health data, including data not stored in the database such as emails, reports, and system logs. Patients' health data stored in the transactional and analytical systems of the PRMS may result in privacy violations if accessible to unauthorized people [65]. Encryption is a design pattern recommended by this strategy; using encryption strongly reduces the probability of exposure of private information [69,70].

iv. AGGREGATE
In this strategy, the level of detail of personal information within a group of attributes is controlled and managed with the minimum feasible detail and the maximum level of aggregation, to make the data less sensitive [65]. Only a limited amount of data is attributable to an individual patient when the group sizes are large, although unevenly distributed data still poses a challenge to protecting privacy [71,72]. Data encryption is a design pattern that allows the entire database to be encrypted to secure the data it holds [73].

b: PROCESS-ORIENTED STRATEGIES
iv. INFORM
This strategy embodies the concept of data transparency and keeps data subjects up to date while their personal data is processed. Patients are notified about the categories of data and the purpose of processing when they use the PRMS. Besides, if any information is required to be shared with third parties, the patient or authorized recipients are informed when necessary [65]. Users are informed of their data access privileges and of how to exercise them. This strategy is applied via healthcare principle 1 (HP1). Informing the users of the PRMS through well-understood human-computer interfaces is a design pattern of this strategy that stimulates diversity in data privacy design [35].

v. CONTROL
This strategy gives users the means to take the necessary actions while their personal data is processed. Where data protection legislation is in place, users have the right to control their personal information. The inform and control strategies complement each other. The system requests permission from users over specific information before processing it [65]. This strategy is executed by healthcare principle 3 (HP3), which asks users to select the checkbox authorizing the terms and conditions of personal data collection. Control gives effect to data protection rights; therefore, data quality will increase as users are able to correct errors [35].

vi. ENFORCE
Enforce confirms that a privacy policy compatible with legal obligations is in place and applied precisely. This strategy assures that privacy measures are in place during the operation of the PRMS and that the policies are enforced when necessary [65]. Healthcare principle 4 (HP4) works as a design pattern for this strategy and is executed through access control and minimization of personal data [35].

vii. DEMONSTRATE
This strategy supports compliance by controlling the privacy policy and the public key infrastructure. Data controllers are required by this strategy to demonstrate that they are in control. In case of any issue, users can directly assess any possible data breach [65]. Healthcare principle 2 (HP2) is applied as a design pattern for this strategy through auditing, privacy management, and logging practice. Implementing strong privacy and security techniques provides additional support when embedding the public key infrastructure in healthcare systems [35].

P 2.3 DATA PROTECTION USING PRIVACY IMPACT ASSESSMENT (PIA)
This step protects data by measuring the privacy impact of the proposed healthcare principles. The privacy impact assessment (PIA) is a critical part of the assessment phase. To avoid substantial and undesirable privacy impacts, the PIA is undertaken early enough to influence the implementation. To analyse the privacy impact, the PIA guidelines suggested by the Office of the Australian Information Commissioner are applied. This assessment ensures that privacy is taken into consideration throughout the planning process [74]. Used consistently, the PIA avoids and mitigates the risks and minimizes privacy issues within the entity. The seven core elements of a privacy impact assessment are used in parallel to frame this assessment plan. The purpose of the seven core elements of the privacy impact assessment is described here [57,74,75,76].

a: INTEGRAL TO ORGANIZATIONAL GOVERNANCE
The governance structure of the health organization is an integral part of the privacy impact assessment. This is one of the most effective elements when assessing privacy risks and developing the impact assessment report of the healthcare organization.

b: FIT FOR PURPOSE
The privacy impact assessment is scaled according to the potential privacy risks. If a preliminary assessment identifies low risks, a short PIA is adequate. A more extensive PIA is required if a high risk to the sensitive information of a large number of individuals is identified.

c: COMPREHENSIVE
Privacy impact assessment covers the issues of information privacy and provides support to construct or regulate the plans of privacy management and policies of human resources when required.

d: AVAILABLE
A summary report on the privacy issues considered will be made available and notified for feedback, or else the full privacy impact assessment report will be made publicly available for feedback.

e: ENABLES COMPLIANCE
The privacy impact assessment addresses all privacy obligations, including the obligations under privacy requirements for the movement of health information, for instance the healthcare principles (HPs) and PIA guidelines.

f: ONGOING
A constant review mechanism is considered to estimate privacy issues during the lifecycle of the proposed system. If there are any substantial changes to how personal information is managed, a further privacy impact assessment will be undertaken.

g: CONSTRUCTIVE
The privacy impact assessment contributes to the success and includes value to the privacy culture of the healthcare organization by managing the privacy risks of the proposed healthcare system.

Privacy impact assessment items (extracted from Table 3 and Table 4):
Item 3.2. Assessment question: Is there sensitive or personal data in the system that requires the user's authorization to be used or disclosed for the primary purpose for which it has been collected? Risk identifier: if any of the above answers are NO then the risk will need to be addressed appropriately under 'Privacy Risk Mitigation' in Table 4. Identified risk: users will not be notified if the information has been collected from another source, e.g., other clinics/hospitals. Ratings: High, Medium, Medium. Mitigation: if the patient is incapable of providing information, a healthcare organization may collect data from another source to provide urgent medical services. In this case, an authorized 'next of kin' will be notified to continue the treatment.
Item 4.3. Identified risk: users will not have the option to de-identify themselves or use a pseudonym when dealing with the data. Ratings: Medium, Low, Medium. Mitigation: as this information is collected for medical purposes, users will not have the option to use a pseudonym while receiving their treatment. The proposed system will provide a high level of data privacy, as no information will be disclosed anywhere without the consent of the user.
Outcome of the privacy risk assessment: Low.
The privacy implications are assessed with respect to the proposed healthcare principles (HPs) in Table 3. As this is a preliminary privacy impact assessment, the assessment is not static, and more privacy implications can be included if necessary. The PIA guidance from the Office of the Australian Information Commissioner is used for examples of potential risks in the assessment [57,74]. Based on the assessment, the identified risks are analysed and a risk mitigation plan is established for each risk in Table 4. The outcome of the privacy risk assessment is low; therefore, the proposed framework is well suited for implementation.

a: COMPATIBILITY OF THE PROPOSED PRINCIPLES AND AUSTRALIAN PRIVACY PRINCIPLES (APPS)
The Australian Privacy Principles (APPs) govern the collection and use of personal information within Australia [77]. Correspondingly, the General Data Protection Regulation (GDPR) regulates how personal information may be managed in the European Union (EU). Table 5 shows that the principles of the proposed framework are compatible with the Australian Privacy Principles (APPs) [77].

Table 5. Columns: APP; Purpose of the APP; Compatibility with the principles of the proposed framework.
APP 1 Open and transparent management of personal information. Purpose: This principle requires a current and clearly expressed privacy policy to ensure that personal information is managed openly and transparently. Compatibility: HP2.
APP 2 Anonymity and pseudonymity. Purpose: APP 2 provides individuals with the option of not disclosing their identity and supports anonymity and pseudonymity.
APP 3 Collection of solicited personal information. Purpose: This principle ensures higher privacy while collecting the personal and sensitive information of an individual. Compatibility: HP1.
APP 4 Dealing with unsolicited personal information. Purpose: This principle outlines how unsolicited personal information is to be dealt with. Compatibility: HP1.
APP 5 Notification of the collection of personal information. Purpose: APP 5 requires notification to an individual when their personal information is collected. Compatibility: HP1.
APP 6 Use or disclosure of personal information. Purpose: APP 6 outlines the circumstances in which personal information may be used and disclosed. Compatibility: HP2.
APP 7 Direct marketing. Purpose: Organizations should ask permission from individuals before using or disclosing personal information for marketing purposes. Compatibility: HP3.
APP 8 Cross-border disclosure of personal information. Purpose: APP 8 provides the steps that must be taken to protect information before it is disclosed overseas. Compatibility: HP3.
APP 9 Adoption, use or disclosure of government related identifiers. Purpose: APP 9 outlines the conditions under which an organization may adopt a government-related identifier of an individual as its own identifier, or use or disclose government-related identifiers. Compatibility: HP2.
APP 10 Quality of personal information. Purpose: APP 10 requires reasonable steps to ensure that the collected personal information is correct, up to date and complete, and that the information used is correct, relevant and up to date.
APP 11 Security of personal information. Purpose: This principle ensures that personal information is protected from misuse, loss and unauthorized access or disclosure without the user's permission.
APP 12 Access to personal information. Purpose: This principle outlines the obligations to respond to individuals' requests for access to their personal information. Compatibility: HP3.
APP 13 Correction of personal information. Purpose: APP 13 sets out the obligations when it is necessary to correct individuals' personal information. Compatibility: HP3, HP4.

The General Data Protection Regulation (GDPR) enforced by the EU is a landmark in the evolution of the European privacy framework. GDPR sets out seven data protection principles that guide organizations in collecting, processing and storing individuals' personal data and in achieving compliance with GDPR [26]. The purpose of GDPR is to deliver a single set of data protection laws across all EU member states. GDPR enables the general public to understand the use of their data and to raise complaints if required. The compatibility of the proposed principles and GDPR is outlined in Table 6 [78].

Table 6. Columns: GDPR principle; Purpose; Compatibility with the principles of the proposed framework.
1 Lawfulness, fairness and transparency. Purpose: This principle provides full transparency to all EU data subjects when their data is collected. Organizations must let the individual know about the collection, processing and disclosure of personal data in accordance with the law. Compatibility: HP1, HP2.
2 Purpose limitation. Purpose: Personal information must be collected and processed for a legitimate reason. Without the consent of the individual, personal data must not be processed for any other reason. This principle ensures that personal data can only be used for a nominated purpose. Compatibility: HP3, HP4.
3 Data minimization. Purpose: Only the minimum amount of data necessary for the purposes for which it is processed should be collected. This principle assures that only relevant, adequate and limited personal data is collected and managed by organizations. Compatibility: HP4.
4 Accuracy. Purpose: The collected personal data must be accurate and up to date. The collected data should be reviewed in a timely manner, and inaccurate data should be amended and, if necessary, deleted by the responsible organizations. Individuals should have the right to rectify and erase their inaccurate and incomplete data, improving compliance and ensuring up-to-date databases. Compatibility: HP3.
5 Storage limitation. Purpose: An organization must delete personal data that is no longer needed for the purpose for which it was collected. GDPR does not prescribe a time frame for holding personal data; it depends on the policy of the organization. Organizations should review the collected data and retain only the necessary and up-to-date data to ensure compliance. Compatibility: HP4.
6 Integrity and confidentiality. Purpose: This principle ensures that appropriate measures are in place to secure the collected personal data from internal threats, e.g. accidental loss or damage and unauthorized use, and from external threats, e.g. malware and phishing. Organizations should provide appropriate levels of security to address the risks of processing personal data. Compatibility: HP1, HP4.
7 Accountability. Purpose: This principle ensures that organizations comply with the other principles and take responsibility for the data they manage, with the necessary steps. Compatibility: HP2, HP3.
Our research is based in Australia; thus, the compatibility of the proposed framework principles with the Australian benchmark standard, the Australian Privacy Principles (APPs), has been established. In addition, the General Data Protection Regulation (GDPR) of the EU is broadly applicable, widely considered and comprehensive privacy legislation that recognizes the value of personal data globally. GDPR is a European Union regulation, yet it has profound significance for organizations worldwide. Both the APPs and GDPR are standards to be measured against when collecting, processing and storing personal data; hence, our research considered both the APPs and GDPR to measure the compliance of the proposed framework. Based on the analysis shown in Table 5 and Table 6, we identified that our proposed principles are comprehensively compatible with the two benchmark standards, which supports our aim of guaranteeing maximum privacy for patients' health records.

P 3.1 IMPLEMENTATION OF THE SELECTED REQUIREMENTS INTO THE HEALTHCARE SYSTEM
The healthcare principles (HPs), privacy design strategies, and privacy mechanisms extracted from the assessment phase are implemented in the PRMS to prevent privacy-invasive events before they happen. We have selected the Patient Registration Application (PRA) of the PRMS to demonstrate the execution of the implementation phase. The data flow diagram in Fig. 4 illustrates the entire process between the 'user' and the 'database' in the PRA. It shows where the proposed healthcare principles (HPs) and privacy design patterns are implemented in the PRA to collect user data with the user's consent and acceptance. The PRA collects the necessary user registration details such as personal details, emergency contact, allergies and medical information, insurance details, payment details, etc. Patient registration details are constructed as per the Client Registration Policy - Ministry of Health, NSW Australia [79]. Based on HP1, as the user enters the registration page an agreement is displayed providing a detailed description of the data collection and usage policy. Depending on the user's consent, the subsequent web pages are displayed or not. The next page of the patient registration application uses HP2 measures to display "just-in-time notices" alongside specific data fields or attributes that require an extra layer of privacy when presented on the web pages. HP2 applies to specific attributes, for which pop-up notices are displayed to the users while the information is collected. All attributes with and without HP2 are shown in Fig. 4. At each step, as the user enters data into the entry fields it is sent to temporary storage called "cache memory". After collecting all the required user details, the system applies HP3, which allows users to manage their information by requesting user consent and acknowledgment.
Obtaining 'user consent' is an important step in the data flow of the PRA because it will let the users know and manage the data collection, usage, sharing, and storage policy of the system. The user consent is authorized using a "One-Time Password" (OTP) that is sent to the mobile number provided by the user.
After successfully verifying that the user has accepted the terms and conditions, the system asks the user for 'acknowledgment' before sending the entered details to the 'cache memory'. The cache memory allows the system to hold the entered details temporarily in memory, so that no footprint of the real data is stored persistently and the data can be removed easily once it has entered the database encrypted or masked. HP4 measures are applied to the data held in the cache memory. HP4 is used to apply Dynamic Data Masking (DDM) and Transparent Database Encryption (TDE) to the user data before storing it in the database, to ensure privacy and security of the user data [80,81]. After the processed data has been successfully stored in the database, the real data in the cache memory is removed permanently, as observed in Fig. 4. If the user does not acknowledge the terms and conditions, the data present in the cache memory is removed.
After collecting and storing the user-provided details in the cache memory, attribute splitting is performed to separate the real data in the cache memory into 'attributes for full masking', 'attributes for partial value blurring', 'email blurring', and 'attributes for random masking function' to apply the Dynamic Data Masking Methods before storing the processed data into the database, as shown in Fig. 4. Fig. 5 shows the application of dynamic data masking on the real data attributes that are collected in the cache memory and transparent database encryption procedure to secure the database by creating certificates and privileges for the employees accessing the database. This allows the PRMS to protect the user data and to only provide access to people based on the decided policy measures [80,82].

a: DYNAMIC DATA MASKING (DDM)
With the unprecedented increase in the collection of sensitive information from users, many organizations want to put security 'close to the data' [81], that is, security in the form of encryption, network firewalls, and similar controls applied at the data layer. This research uses dynamic data masking methods to hide the data collected from users when storing it in a database, so that no unauthorized user can access the data. Dynamic data masking (DDM) allows applications to simplify the design and coding of security [80,83]. It also allows data owners to decide how much data to reveal to users based on their permissions. The DDM method provides full masking, partial value blurring, email blurring, and random masking functions. These functions are used to mask the data in the database. With the implementation of DDM, only designated users can access sensitive information [80].

FIG. 5: Application of Dynamic Data Masking (DDM) & Transparent Database Encryption (TDE)
After collecting the information from patients, as seen in Fig. 5, the collected attributes are split into 'attributes for full masking', 'attributes for partial value blurring', 'email blurring', and 'attributes for random masking functions'.

i: FULL MASKING
Example SQL Syntax: [First Name] [nvarchar](n) MASKED WITH (FUNCTION='default()') NOT NULL
Using the above syntax applies the default() function to the attribute 'First Name' and fully masks the values with 'XXXX'. Similarly, the default() function is applied to all the attributes shown in Fig. 6 to fully mask them when storing them in the database. Table 7 provides examples of masking using the default() function.

ii: PARTIAL VALUE BLURRING
Fig. 7 shows the attributes selected for partial value blurring. Partial value blurring is applied using the custom string function: a custom padding string is inserted between the prefix and suffix of a value, exposing only the first and last letters. Applying the custom string function to the attributes selected for partial value blurring keeps only the prefix and suffix of the attribute value and replaces the middle part with XXXXX. Different custom strings can be created for different attributes. Table 8 provides an example of the custom string function used for partial value blurring.

iii: EMAIL BLURRING
Using the email function, email addresses can be masked directly. This function exposes only the first letter of the email address and the constant suffix ".com".
Example SQL Syntax: [Email] [nvarchar](n) MASKED WITH (FUNCTION='email()') NOT NULL
By default this syntax exposes only the first letter and the suffix (i.e., aXXX@XXX.com).

iv: RANDOM MASKING
Table 9 provides an example of the random function.

SQL allows the administrator to grant various types of permission to users. The SELECT permission allows the user to see the table data, with masked values in the masked columns. WITHOUT LOGIN allows the user to view the data without a login; a public view can be created using this. Users can see the original values only of those data columns that are publicly available. Pseudocode 3 provides the SQL code for granting SELECT permission to a user, whereas Pseudocode 4 provides the SQL code for granting UNMASK permission to a user. UNMASK allows users to retrieve masked data from the database and then unmask it according to their required access. Permissions granted to users can be removed using REVOKE (i.e., REVOKE UNMASK FROM [<Username>]).
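The T-SQL below is an added example, not code from the paper, that puts the four masking functions described above and the attribute splitting of Fig. 4 and Fig. 5 into one table, and then exercises the SELECT, UNMASK and REVOKE permissions from the preceding paragraph. It assumes a SQL Server version that supports Dynamic Data Masking (SQL Server 2016 or later, or Azure SQL Database; the SQL Server 2008 release named later in the paper predates the feature). The table, column and user names and the sample rows are constructed for illustration.

```sql
-- Added example (not from the paper): Dynamic Data Masking on a PRA-style registration table.
-- Assumes SQL Server 2016+ or Azure SQL Database. All names and rows below are constructed.

CREATE TABLE dbo.PatientRegistration (
    PatientId      INT IDENTITY(1,1) PRIMARY KEY,
    -- 'attributes for full masking': default() replaces the whole string value with XXXX
    FirstName      NVARCHAR(50)  MASKED WITH (FUNCTION = 'default()') NOT NULL,
    LastName       NVARCHAR(50)  MASKED WITH (FUNCTION = 'default()') NOT NULL,
    -- 'attributes for partial value blurring': keep 1 leading and 1 trailing character,
    -- pad the middle with a custom string
    MedicareNumber NVARCHAR(20)  MASKED WITH (FUNCTION = 'partial(1,"XXXXX",1)') NOT NULL,
    -- 'email blurring': first letter and a constant .com suffix remain visible
    Email          NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- 'attributes for random masking': numeric value replaced by a random one in the range
    PostCode       INT           MASKED WITH (FUNCTION = 'random(1000, 9999)') NOT NULL,
    -- publicly available column, deliberately left unmasked
    RegisteredOn   DATE NOT NULL DEFAULT (CAST(SYSUTCDATETIME() AS DATE))
);

-- Constructed sample registrations (not real patient data).
INSERT INTO dbo.PatientRegistration (FirstName, LastName, MedicareNumber, Email, PostCode)
VALUES (N'Alice', N'Nguyen', N'2123456701', N'alice.nguyen@example.com', 2000),
       (N'Bob',   N'Smith',  N'3123456702', N'bob.smith@example.com',    3000);

-- A database user that is not mapped to a server login (CREATE USER ... WITHOUT LOGIN);
-- it is impersonated below with EXECUTE AS to check what a reception/public role sees.
CREATE USER ReceptionUser WITHOUT LOGIN;
GRANT SELECT ON dbo.PatientRegistration TO ReceptionUser;

EXECUTE AS USER = 'ReceptionUser';
-- Masked columns are returned in masked form; RegisteredOn is returned as stored.
SELECT PatientId, FirstName, LastName, MedicareNumber, Email, PostCode, RegisteredOn
FROM dbo.PatientRegistration;
REVERT;

-- A clinician role that is authorized to see the real values.
CREATE USER ClinicianUser WITHOUT LOGIN;
GRANT SELECT ON dbo.PatientRegistration TO ClinicianUser;
GRANT UNMASK TO ClinicianUser;

EXECUTE AS USER = 'ClinicianUser';
SELECT PatientId, FirstName, LastName, MedicareNumber, Email, PostCode
FROM dbo.PatientRegistration;
REVERT;

-- Withdrawing the privilege again. Note the keyword is FROM, not TO.
REVOKE UNMASK FROM ClinicianUser;

-- Verification query for the DBA: which columns of the table carry a mask and which function.
SELECT c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE t.name = 'PatientRegistration';
```

Two points worth keeping in mind when reading this against the paper's design. DDM rewrites query results only; the stored values are unchanged, and a user holding SELECT can still filter on a masked column, so the masking is a presentation control and the paper's pairing of it with access control and encryption is what carries the protection. Secondly, UNMASK is granted at database scope here (as in the paper's Pseudocode 4), which unmasks every masked column for that user; finer-grained release of particular columns has to come from the access policy rather than from DDM itself.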

b: ENCRYPTION FOR THE WHOLE DATABASE
Encrypting the whole database makes the data in the database unreadable without the proper decryption keys. To encrypt the dataset, this research uses the Transparent Database Encryption (TDE) method to encrypt the "data at rest" in the database [84]. Fig. 5 illustrates the process involved in the TDE method to encrypt the database [45,69]. To apply TDE to the database, various 'certificates' are created and encrypted with a 'master key'. These certificates are created for the various employees in the organization who will be accessing the database. Certificates are used to set user privileges and control mechanisms for the people accessing the database. After creating the certificates, Database Encryption Keys (DEKs) are created for the various users of the system to encrypt the entire database, so that only users with the correct credentials can access the data in the database. The issued certificates are used to encrypt the DEKs, so that different users can access different attributes in the database (for example, doctors require access to different attributes/columns than nurses and vice versa). Finally, the encrypted DEKs are used to encrypt the database [70].
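The following T-SQL is an added example, not the paper's own code, of switching on TDE for the "data at rest" step described above. It assumes a SQL Server edition that includes TDE, a database named PRMS (constructed for this example), and placeholder passwords and backup paths that must be replaced before use. In SQL Server the database encryption key is a single key per database and is protected by a server certificate held in the master database, so the example creates one DEK and leaves the per-role release of particular columns to the DDM permissions of the previous section.

```sql
-- Added example (not from the paper): enabling Transparent Data Encryption on the PRMS database.
-- Assumes SQL Server with TDE available; PRMS, the certificate name and all values in <...>
-- are constructed placeholders.

USE master;
GO
-- 1. A database master key in master, protected by a password that is kept in the
--    organisation's key vault, not in scripts.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
GO
-- 2. The server certificate that will protect the database encryption key.
CREATE CERTIFICATE PRMS_TDE_Cert WITH SUBJECT = 'PRMS TDE certificate';
GO
-- 3. Back up the certificate and its private key straight away: without them an
--    encrypted database or backup cannot be restored on another server.
BACKUP CERTIFICATE PRMS_TDE_Cert
    TO FILE = '<backup-path>\PRMS_TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = '<backup-path>\PRMS_TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<replace-with-strong-password>'
    );
GO
-- 4. One database encryption key for the PRMS database, encrypted by the certificate.
USE PRMS;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE PRMS_TDE_Cert;
GO
-- 5. Turn encryption on; data and log files are encrypted at rest from this point,
--    transparently to the application and to DDM.
ALTER DATABASE PRMS SET ENCRYPTION ON;
GO
-- Verification for the DBA: encryption_state 3 means encrypted, 2 means encryption in progress.
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects the database files, log and backups against someone who obtains the media or a copy of them; it does not change what an authenticated user can read through a query, which is why the DDM permissions and the application-level access policy remain necessary alongside it.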

c: 3-TIER ARCHITECTURE (.NET FRAMEWORK, SQL SERVER, DATABASE)
To implement the proposed procedure discussed in the above sections this research will use .NET Core entity framework 4.5 [85], Visual Studio 2015 [86], C# and Entity Framework Database First [87], Bootstrap and MS SQL Server 2008 [88,89]. Fig. 9 illustrates the functional process involved between the user, server, and the database. This research utilizes a 3-tier architecture to illustrate the functional process logic, data access and storage methods, and user interfaces used for the system design of the PRMS. The architecture consists of a presentation layer, business and service layer, and data access layer. These layers are used to pass the HTTP requests and responses. The presentation layer is built on top of the ASP.NET WebAPI framework to provide user interface and access to the application services for the users in the form of ASP.NET web forms, web user controls, and service gateways. The business and service layer accepts the HTTP requests made by the user and forwards them to the ASP.NET CORE components through the ASP.NET CORE web server. The accepted HTTP request is passed through the middleware and filter pipelines to extract the controllers and actions for invocation. The data access layer is independent of the presentation and business layers. It consists of an SQL Server and access to resources. SQL Server is used to communicate with the database and consists of resources such as HTML generators. Using the data generated from the database and the HTML page generated, an HTTP response is sent to the web browser of the user using the same path followed by the HTTP request.
Information validation will be implemented with the facilities of the .NET Core framework, including any external resources the PRMS requires. To keep track of the services, a microservice application is an option that allows scheduling, monitoring, and performance review of the PRMS. Developing the proposed system as a .NET Core application supports and improves health-service features and external resources; additional applications, health-check services, and middleware can all benefit from information validation. Besides, this framework provides a front-end application setup that will collect the personal information of healthcare system users [90]. Authentication and authorization are two key features of information protection that are built into the .NET Core framework. Likewise, validation of the user's credentials grants access to specific resources of the PRMS, which provides additional data protection through this framework [85,91].
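Credential validation granting access only to specific resources, as it reaches the data access layer, is shown below as an added T-SQL example for SQL Server (written for this section, not code from the paper). It realises the doctor/nurse distinction from the TDE discussion with database roles and column-level permissions, which is how SQL Server restricts different users to different attributes of the same table once the application has authenticated them. The table dbo.PatientRecord, the role and user names, and the inserted row are all constructed placeholders; sp_addrolemember is used because the paper targets SQL Server 2008 (ALTER ROLE ... ADD MEMBER is the newer form).

```sql
-- Added example: role-based column access in the PRMS database.
-- Table, roles, users and data are constructed for illustration.
USE PRMS;
GO

CREATE TABLE dbo.PatientRecord (
    PatientId    INT           NOT NULL PRIMARY KEY,
    FullName     NVARCHAR(100) NOT NULL,
    WardBed      NVARCHAR(20)  NULL,
    Diagnosis    NVARCHAR(200) NULL,   -- clinical detail: doctors only
    Prescription NVARCHAR(200) NULL    -- clinical detail: doctors only
);
INSERT INTO dbo.PatientRecord (PatientId, FullName, WardBed, Diagnosis, Prescription)
VALUES (1, N'Sample Patient', N'W3-B12', N'constructed diagnosis', N'constructed prescription');
GO

-- Roles mirror the job functions; the application maps an authenticated
-- identity to exactly one of them.
CREATE ROLE DoctorRole;
CREATE ROLE NurseRole;
GO

-- Doctors may read the whole record; nurses only the identity and ward columns.
-- Columns not listed in a column-level GRANT are not readable by that role.
GRANT SELECT ON dbo.PatientRecord TO DoctorRole;
GRANT SELECT (PatientId, FullName, WardBed) ON dbo.PatientRecord TO NurseRole;
GO

-- Database users without a server login, so the grants can be checked offline.
CREATE USER dr_example    WITHOUT LOGIN;
CREATE USER nurse_example WITHOUT LOGIN;
EXEC sp_addrolemember 'DoctorRole', 'dr_example';
EXEC sp_addrolemember 'NurseRole',  'nurse_example';
GO

-- Check the effective permissions as the nurse: 1 = allowed, 0 = not allowed.
EXECUTE AS USER = 'nurse_example';
SELECT
    HAS_PERMS_BY_NAME('dbo.PatientRecord', 'OBJECT', 'SELECT', 'WardBed',   'COLUMN') AS nurse_can_read_WardBed,    -- 1
    HAS_PERMS_BY_NAME('dbo.PatientRecord', 'OBJECT', 'SELECT', 'Diagnosis', 'COLUMN') AS nurse_can_read_Diagnosis;  -- 0
-- This query succeeds because every column is in the nurse's grant list:
SELECT PatientId, FullName, WardBed FROM dbo.PatientRecord;
REVERT;
GO

-- The same check as the doctor: both columns are readable (1, 1).
EXECUTE AS USER = 'dr_example';
SELECT
    HAS_PERMS_BY_NAME('dbo.PatientRecord', 'OBJECT', 'SELECT', 'WardBed',   'COLUMN') AS doctor_can_read_WardBed,
    HAS_PERMS_BY_NAME('dbo.PatientRecord', 'OBJECT', 'SELECT', 'Diagnosis', 'COLUMN') AS doctor_can_read_Diagnosis;
REVERT;
GO
```

If the nurse's session attempts SELECT Diagnosis FROM dbo.PatientRecord, SQL Server raises error 230 ("The SELECT permission was denied on the column"), so the restriction holds even when the application layer is bypassed; the application's own [Authorize]-style checks and the database grants therefore act as two independent layers.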

VI. CONCLUSION
The proposed framework is constructed from an accumulation of privacy by design fundamental principles, privacy design strategies, standards, and privacy impact assessment that together deliver an extensive privacy-preserving environment in PRMS. The healthcare systems that employ the existing frameworks fall short of providing an entirely privacy-protected system, as the desirable data privacy mechanisms are not properly incorporated in those frameworks. A systematic activity is carried out in the proposed framework through three identified phases of system design, named the planning phase, assessment phase, and implementation phase. The purpose of the proposed framework is to incorporate the necessary data privacy mechanisms in one place while collecting, managing, and storing personal information, so that the healthcare system can ensure maximum privacy for personal data. Besides, the limitations acknowledged in our work will be eliminated. The anticipated framework will ensure a sophisticated healthcare system incorporating privacy contexts compatible with the .NET Core framework. Implementing each of the proposed requirements will facilitate overcoming the gaps with complete privacy protection to achieve the desired outcome. The resulting framework will guarantee the integrity and confidentiality of PRMS while delivering high-level integration and allocation of personal data to decrease data breaches globally.

VII. FUTURE WORK
In our future endeavour, we intend to propose a PRMS that employs the proposed framework, in which patients' health data will be managed with maximum privacy assurance. The privacy by design framework produced an analysis of the core mechanisms in this study, which is immensely valuable, but some degree of risk remains until we design the system and measure the potential of our framework. In this way we will have more opportunity and confidence to shield patients' information in the system, resulting in more consistent outcomes tailored to ensure the privacy of patients' health data. We will implement user testing to evaluate the potential of the proposed system, and we will explore and analyse the privacy assurance of the users when interacting with the system [92,93]. Moreover, we will incorporate the necessary policies and mechanisms to assure data privacy for the distributed patient record management system and its service delivery. This accumulation will provide scalability and flexibility of the PRMS in distributed environments where different healthcare organizations collaborate to deliver services while ensuring the privacy and security of patients' sensitive data. Additionally, we plan to construct Security Incident Management (SIM) [94,95] for information security management, as this is one of the critical information security controls for organizations recommended by ISO/IEC 27001 [96,97]. SIM will support the PRMS by notifying its operators of information security incidents or vulnerabilities. Besides, SIM will propose an immediate response to the vulnerabilities within a method that protects affected users.