by raxxorrax 2138 days ago
I think this is a bad idea.

I developed software for medical devices and you have to do a risk analysis, formalize the software development process, declare qualifications of people, make it revision proof, have a formal testing process, ... everything is already accounted for.

Notified bodies ensure compliance. They have the problem that they cannot really evaluate the work of software engineers of course. Not even another software engineer could do that within feasible time limits. No software engineer can make sure there aren't exploits that could endanger user data. You can at most test if due diligence was ensured.

The manufacturer is responsible for ensuring safe operations of devices and yes, that includes keeping personal data safe.

But again, the problem wasn't the engineer at all, the problem is the wish for amassing data like this. Paper license or not, it rarely ensures competency and wouldn't have solved this problem.

Aside from legislative issues that ensure that user data belongs to the user the data is about, ensuring that companies don't sell and share medical data with "friends and family", ... this is probably the last step, if it is even required at all, which I would dispute. There are no guarantees if you amass data like it was done here.

1 comments

Make it prohibitively expensive to leak data (compliance fines, lawsuits) and the problem will solve itself. Companies that collect data will then be begging for certification and regulation.
It would be even better if people learned to refuse to give data irrelevant to the service that they are seeking and/or if there was some sort of regulation about this (I should not have to give my name and address when returning a product, for example).