A UML model of Authorisation is described, which was developed for an Electronic Medical Records application in collaboration with the UK NHS Information Authority. The model is an enhancement of the UK Healthcare Model (HcM), in that it provides extra classes for use with HcM classes. It provides powerful confidentiality specification capabilities, which can also be used in other applications.A Role (actually called AgentActivityType for consistency with the HcM) may be directly associated with an Accountability. An Accountability is an agreement where one Party commissions a second Party to undertake Activities under the authority of that Accountability.Four types of Confidentiality Permission are defined which allow access to data items (SubjectPhenomena), or to data items with specific types (SubjectPhenomenonType). Access can be granted to individual Agents, or to AuthorizedAgents acting in specified Roles. A model of override allows the Confidentiality Permissions to be overridden in a strictly controlled way. Override facilities are granted to Agents by establishing appropriate Accountabilities, and any use of override is logged.Access to data can be granted to groups of Agents, and to group of Roles. Establishing access rights for a group involves defining a set of Confidentiality Permissions for the group.The Authorisation Model is illustrated throughout the paper by examples from healthcare. In particular a demanding scenario (child abuse) is presented. In this scenario complex restrictions must be placed on the data, which might result in inappropriate actions if clinicians and other professionals are denied access to the data.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.