DOI: 10.1145/3632410.3632415
research-article
Open access

Consent Service Architecture for Policy-Based Consent Management in Data Trusts

Published: 04 January 2024

Abstract

Data trusts handle data in a fiduciary capacity for data owners, allowing them to process, aggregate and share data with other stakeholders within an overarching legal and ethical framework. One of the primary challenges of data trusts is consent management. This paper characterizes the problem of consent management in data trusts and proposes a 4-layer architecture for a policy-based domain-agnostic consent management service, meant to operate within one or more regulatory frameworks. We address architectural questions of how to make data access legitimate, by providing a policy interpretation for each access, and how to prevent the data trust itself from accessing data that it stores, by overriding access policies.

Published In

CODS-COMAD '24: Proceedings of the 7th Joint International Conference on Data Science & Management of Data (11th ACM IKDD CODS and 29th COMAD)
January 2024
627 pages
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Consent
  2. Consent Management Systems
  3. Data Trusts

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CODS-COMAD 2024

Article Metrics

  • Total Citations: 0
  • Total Downloads: 267
  • Downloads (Last 12 months): 267
  • Downloads (Last 6 weeks): 51

Reflects downloads up to 30 Dec 2024
