ABOUT THE PROJECT

PS-SDA: Provenance services with Smart Data Agreement 

iGrant.io is a MyData Operator platform for human-centric personal data management, enabling a transparent and regulatory-compliant data exchange. Every data exchange has an associated auditable and verifiable Data Agreement (DA) that records the conditions for an organisation to process personal data in accordance with GDPR {{1, 2}}. The DA is mutually signed by the organisation and the individual and is based on an open specification published via the W3C (e.g. DID:mydata).

In this proposal, the DA specification is extended with data provenance metadata, stored in a chain, and can be resolved independently. Data exchange between two organisations is facilitated by a smart contract that guarantees creation of DAs, enforcing GDPR compliance. When the data moves from a Data Source to any Data Using Service, individual sign-off is ensured and the DA is updated with provenance data, adding to the history of data usage from its inception and beyond.

This proposal addresses one of the key issues of data governance by enabling data provenance and enforcing GDPR requirements via a smart contract. This allows organisations to audit and resolve DAs to attain legitimacy in processing personal data and to be transparent in their use of personal data. The key activities include:

  1. Specify and extend the existing DA protocol suite to enable data provenance to trace and record the origins of data and its movement between data processing organisations.
  2. Develop associated APIs and SDKs to perform DA CRUD operations to enable data exchange between organisations, guaranteed through a smart contract.
  3. Propagate data updates across the chain including revoking the DAs across all intermediaries in the chain.
  4. Contribute to ISO standardisation (for consents) with provenance requirements.

 

References:

{{1}} Automated Data Agreement Project Page

{{2}} Data Agreement Specification: Lindquist, J., Lundin, L. and Chandran, L.

 

 


Motivation for the project:

Trust in the use of personal data is a fundamental currency of an advanced digital economy. An adequate governance framework with data provenance is essential to build the requisite trust in a highly governed data economy, and must cater to the needs of the individual, organisations and auditors.

Generic use case description:

Use case related to the creation of a provenance trail for personal data exchange. With this, we aim to achieve the following:
- Organisations can prove legitimate rights to the use of personal data
- Individuals are able to stay in control of their data
- Auditors can independently verify.

Essential functionalities:

In this proposal, we extend the existing DA protocol with data provenance metadata and make it available on ONTOCHAIN. Further, we convert the DA into a smart contract to enforce GDPR compliance during a personal data exchange between companies.

How these functionalities can be integrated within the software ecosystem:

In PS-SDA, smart contracts will be used to connect on-chain data to off-chain data. When a smart contract function is executed, the blockchain oracle will execute an external API to retrieve the requested data. Smart contracts also guarantee that the contracts execute exactly as per the associated DA.

Gap being addressed:

The primary challenge addressed is the lack of an immutable provenance trail for the exchanged personal data in which both organisations’ and individuals’ needs with regard to regulatory compliance and monetisation are met.

Expected benefits achieved with the novel technology building blocks:

Project PS-SDA focuses on enhancing auditability and provenance of any personal data transaction to strengthen trust and transparency in a data exchange. It helps organisations to continue leveraging data and gives individuals control over how their data is used.

Potential demonstration scenario:

The project will demonstrate exchange of data between two organisations while ensuring the provenance trail on how the data has been exchanged, apart from being able to ensure GDPR compliance for all organisations involved.

 

 

 


PROJECT OUTCOMES

The PS-SDA project brings forth the Data Exchange Agreement (DEXA) protocol suite that is a key component for developing and deploying trustworthy decentralised data applications across domains. 

The DEXA protocol suite helps organisations that exchange personal data, both Data Sources (DS) and Data Using Services (DUS), to ensure that all data transactions are lawful, scalable and verifiable. It brings in the requisite trust and governance to establish a ubiquitous data exchange marketplace. All organisations need to ensure that they are on the right side of the law (e.g. the GDPR) when consuming personal data (risk management) and to establish the digital trust needed for individuals to say yes to sharing their data.

The key values provided by the DEXA components include:

  • tamper-proof mechanisms to prove a data exchange transaction, and a provenance trail of B2B data exchange agreements and transactions

  • compliance enforcement to data regulations for any DUS

  • highly scalable, lawful mechanisms for entering into data sharing agreements in an automated manner.

The agreements record the conditions for an organisation to process personal data following privacy regulations captured in a signed receipt given to the individual. By automating the agreement handling process and ensuring immutability through the use of DLT, the scalability of the data exchange and the auditability of the same are ensured.

 

Demo:
The feature can be applied in a real data space, as showcased here in a real-life health data space. In this demo, the PS-SDA components are used to power a Data4Diabetes decentralised app via healthcare data exchange using Self-Sovereign Identity (SSI) and DEXA protocols. The solution was voted the most innovative solution to solve a fundamental problem dealing with diabetes data in Sweden.
 

 

Repositories:

data-exchange-agreements: https://github.com/decentralised-dataexchange/data-exchange-agreements

dexa-protocol (DEXA ACA-Py Plugin): https://github.com/decentralised-dataexchange/dexa-protocol

dexa-sdk: https://github.com/decentralised-dataexchange/dexa-sdk

dexa-smart-contract: https://github.com/decentralised-dataexchange/dexa-smartcontracts

aries-playground: https://github.com/decentralised-dataexchange/aries-playground

 

Documentation:

Data Exchange Agreement Specifications: https://github.com/decentralised-dataexchange/data-exchange-agreements

iGrant.io data exchange docs: https://docs.igrant.io/docs/

APIs are hosted at: https://ds-agent.igrant.io/api/doc 

 

More details:

Impact

Automated data exchange agreement handling between organisations, device manufacturers and individuals as part of a decentralised digital data exchange marketplace.

Customer engagement

Primarily today in Healthcare, Banking & Finance and the Public sector.

Use case example: Powers a Data4Diabetes decentralised app via healthcare data exchange using Self-Sovereign Identity (SSI) and DEXA protocols. More info here: https://youtu.be/nt7VZBoXsvQ. The solution was voted the most innovative solution to solve a fundamental problem dealing with diabetes data in Sweden.

Monetisation

Monetisation is tied to a subscription and to personal data transactions.

Use case Scenario

Here is how it works for organisations (both DS and DUS) as well as for individuals.

For organisations (Data Sources):

Step 01: A DS can expose their data, e.g. in a data space (aka “data marketplace”). Here the DS creates a DDA (Data Disclosure Agreement) and agrees to be published to a data space.

Step 02: The DS is now available as a Data Source in the Data Space with a connect and register option.

For organisations (Data Using Services):

Step 03: Any organisation wanting to consume data as a DUS visits the data space, searches for the data they wish to consume, and views the organisation providing the data. They view and sign the agreement (DDA). 

Result: The DS and DUS are now connected, and the DUS can fetch data via the individuals.

For Individuals:

Step 04: Using their data wallets or DUS/DS data portals, individuals sign a Data Agreement (DA) from the relevant organisations to exchange data. If the DA is based on consent, individuals can consent to or agree with any DS to share their personal data.

Step 05: The DUS service receiving the data can automatically check its authenticity and regulatory compliance with proof.

Step 06a (Optional): Individuals can view the signed DA for a particular data exchange, including the data exchange provenance.

Step 06b (Optional): Individuals can revoke (opt-out) their existing data exchange agreement from a DS towards any DUS in bulk or individually.

For Auditors:

Any auditor can view and audit the transaction in disputes. They can also ensure the DS complies with the law, such as Article 5-30 GDPR.

For Decentralised app developers:

Developers can dynamically make data contracts with data sources and build applications using their data while staying human-centric. Every data processing operation is based on auditable signed data agreements.

Semantic content and content transfer

Any data that is exchanged will carry the following:

  • What data?

  • Who is the DS (issuer) or DUS (verifier)?

  • Events and agreement signatures 

  • DEXA specifications that include DDA and DA ontology

Ownership

Applications will be owned primarily by Data Intermediaries (as per the proposed EU Data Governance Act 2021).

Existing similar solutions/services

No similar solutions have been identified yet. Most solutions today are centralised and API-centric, and struggle to solve the key issue around access to the right data, enabling regulations at scale.

ONTOCHAIN partners that support the scenario

MFSSIA - uses PS-SDA for checking the legal compliance of used data for challenge/response-evaluation lifecycles

ONTOSPACE - Ontospace can be used as a secure data storage for verification and a guarantee of immutability.

 

TEAM

 

Lotta Lundin (Project Lead, iGrant.io)

Co-founder of iGrant.io, 22+ years in the telecom industry, privacy professional and project manager.

 

Lal Chandran (Tech lead, iGrant.io)

Co-founder of iGrant.io, 20+ years of industry expertise in cloud, security, identity, data exchange and decentralised SW architecture including DLTs.

 

George Padayatti (Blockchain and DevOps, iGrant.io)

DevOps, SW and Blockchain/DLT and SSI expert.

 

David Goodman (Product Manager, iGrant.io)

SW and identity expert with 30+ years of industry experience.

 

 

Jan Lindquist (Standardisation, Linaltec Sweden)

With expertise in privacy, data engineering, SSI, blockchain and ISO standardisation.

 

Fredrik Lindén (MyData Sweden)

Will ensure that the solution adheres to the MyData principles and is interoperable, with governance vetted with the MyData community.


ENTITIES

 

LCubed AB

Swedish SaaS provider of iGrant.io. With iGrant.io, an organisation can address their data governance challenges through (verifiable) data exchange in a regulatory compliant and auditable manner.

https://igrant.io/

 

 

Linaltec AB

Swedish data privacy, science and engineering consultancy lead.

https://www.linaltec.com/

 

 

MyData Sweden

Non-profit organisation and watchdog for individuals’ rights to self-determination with regard to how data is used.

https://mydata.org/sweden/

 

 

Upstream Dream

Swedish healthtech company, empowering the patient through sustainable information sharing practices.

https://upstreamdream.com/