Compliance through Informed Consent: Semantic Based Consent Permission and Data Management Model

The General Data Protection Regulations (GDPR) imposes greater restrictions on obtaining valid user consents involving the use of personal data. A semantic model of consent can make the concepts of consent explicit, establish a common understanding and enable re-use of consent. Therefore, forming a semantic model of consent will satisfy the GDPR requirements of specificity and unambiguity and is an important step towards ensuring compliance. In this paper, we discuss obtaining an open vocabulary of expressing consent leveraging existing semantic models of provenance, processes, permission and obligations. We also present a reference architecture for the management of data processing according to consent permission. This data management model utilizes the open vocabulary of consent and incorporates the change of context into the data processing activity. By identifying and incorporating changes to the relational context between data controllers and data subjects into the data processing model, it aims to improve the integration of data management across different information systems specifically adhering to the GDPR and helping controllers to demonstrate compliance.

[1]  H. Nissenbaum A Contextual Approach to Privacy Online , 2011, Daedalus.

[2]  David W. Chadwick,et al.  An advanced policy based authorisation infrastructure , 2009, DIM '09.

[3]  Giovanni Russello,et al.  ACTORS: A Goal-Driven Approach for Capturing and Managing Consent in e-Health Systems , 2012, 2012 IEEE International Symposium on Policies for Distributed Systems and Networks.

[4]  David W. Chadwick,et al.  A Multi-privacy Policy Enforcement System , 2010, PrimeLife.

[5]  Siani Pearson,et al.  Setting the Context , 2019, Third Language Acquisition and Linguistic Transfer.

[6]  Stefan Decker,et al.  Mapping between RDF and XML with XSPARQL , 2012, Journal on Data Semantics.

[7]  María Adela Grando,et al.  Building and Evaluating an Ontology-based Tool for Reasoning about Consent Permission , 2013, AMIA.

[8]  Paul Greenfield,et al.  A Decentralised Approach to Electronic Consent and Health Information Access Control , 2005, J. Res. Pract. Inf. Technol..

[9]  Thomas R. Gruber,et al.  Toward principles for the design of ontologies used for knowledge sharing? , 1995, Int. J. Hum. Comput. Stud..

[10]  Naranker Dulay,et al.  Consent-Based Workflows for Healthcare Management , 2008, 2008 IEEE Workshop on Policies for Distributed Systems and Networks.

[11]  Wouter Joosen,et al.  Integrating Patient Consent in e-Health Access Control , 2011, Int. J. Secur. Softw. Eng..

[12]  Christophe Debruyne,et al.  A Semi-Automated Methodology for Extracting Access Control Rules from the European Data Protection Directive , 2016, 2016 IEEE Security and Privacy Workshops (SPW).

[13]  Sadie Creese,et al.  A Conceptual Model for Privacy Policies with Consent and Revocation Requirements , 2010, PrimeLife.

[14]  David W. Chadwick,et al.  Resolving Policy Conflicts - Integrating Policies from Multiple Authors , 2014, CAiSE Workshops.

[15]  Robert Meersman,et al.  DOGMA-MESS: A Meaning Evolution Support System for Interorganizational Ontology Engineering , 2006, ICCS.

[16]  Hong Zhao,et al.  Data Security and Privacy Protection Issues in Cloud Computing , 2012, 2012 International Conference on Computer Science and Electronics Engineering.

[17]  Tim Mather,et al.  Cloud Security and Privacy - An Enterprise Perspective on Risks and Compliance , 2009, Theory in practice.

[18]  Kaniz Fatema,et al.  Adding privacy protection to policy based authorisation systems , 2013 .

[19]  Robert Meersman,et al.  Data modelling versus ontology engineering , 2002, SGMD.