scholarly journals Designing a Distributed Ledger Technology System for Interoperable and General Data Protection Regulation–Compliant Health Data Exchange: A Use Case in Blood Glucose Data (Preprint)

2019 ◽  
Author(s):  
David Hawig ◽  
Chao Zhou ◽  
Sebastian Fuhrhop ◽  
Andre S Fialho ◽  
Navin Ramachandran
Keyword(s):  
Blood Glucose ◽  
Data Privacy ◽  
Data Exchange ◽  
Personal Data ◽  
Use Case ◽  
Concept System ◽  
General Data Protection Regulation ◽  
The Public ◽  
Distributed Ledger ◽  
General Data

BACKGROUND Distributed ledger technology (DLT) holds great potential to improve health information exchange. However, the immutable and transparent character of this technology may conflict with data privacy regulations and data processing best practices. OBJECTIVE The aim of this paper is to develop a proof-of-concept system for immutable, interoperable, and General Data Protection Regulation (GDPR)–compliant exchange of blood glucose data. METHODS Given that there is no ideal design for a DLT-based patient-provider data exchange solution, we proposed two different variations for our proof-of-concept system. One design was based purely on the public IOTA distributed ledger (a directed acyclic graph-based DLT) and the second used the same public IOTA ledger in combination with a private InterPlanetary File System (IPFS) cluster. Both designs were assessed according to (1) data reversal risk, (2) data linkability risks, (3) processing time, (4) file size compatibility, and (5) overall system complexity. RESULTS The public IOTA design slightly increased the risk of personal data linkability, had an overall low processing time (requiring mean 6.1, SD 1.9 seconds to upload one blood glucose data sample into the DLT), and was relatively simple to implement. The combination of the public IOTA with a private IPFS cluster minimized both reversal and linkability risks, allowed for the exchange of large files (3 months of blood glucose data were uploaded into the DLT in mean 38.1, SD 13.4 seconds), but involved a relatively higher setup complexity. CONCLUSIONS For the specific use case of blood glucose explored in this study, both designs presented a suitable performance in enabling the interoperable exchange of data between patients and providers. Additionally, both systems were designed considering the latest guidelines on personal data processing, thereby maximizing the alignment with recent GDPR requirements. For future works, these results suggest that the conflict between DLT and data privacy regulations can be addressed if careful considerations are made regarding the use case and the design of the data exchange system.

scholarly journals La responsabilidad proactiva de las Administraciones Públicas en la protección de datos personales.

2020 ◽  
pp. 138-153
Author(s):  
Aritz ROMEO RUIZ
Keyword(s):  
Public Administration ◽  
Data Protection ◽  
Main Idea ◽  
Personal Data ◽  
Practical Implementation ◽  
Organizational Changes ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Terms ◽  
General Data

Laburpena: Lan honen helburua da administrazio publikoak datu pertsonalen tratamenduan duen erantzukizun proaktiboaren printzipioaren analisia eskaintzea, eta ikuspegi juridikoa ematea praktikan errazago aplikatzeko. Lana lau ataletan egituratuta dago. Lehenengoan, datu pertsonalen babesa arautzen duen esparru berriaren aurkezpen orokorra egiten da; hau da, Datuak Babesteko Erregelamendu Orokorrak (EB) ezartzen duen araudi berria aurkezten da. Bigarren atala erantzukizun proaktiboari buruzkoa da, administrazio publikoek datu pertsonalak tratatzeko oinarrizko printzipio gisa. Hirugarrenak proposatzen ditu administrazio publikoek praktikan erantzukizun proaktiboaren printzipioa betetzeko kontuan har ditzaketen hainbat neurri. Azkenik, laugarren atalak gogoeta egiten du antolamendu-aldaketak egiteko beharrari buruz, Erregelamendu Orokorraren printzipioak betetzen dituztela ziurtatzeko eta herritarrek eskubideak balia ditzaten ziurtatzeko; horrez gain, aipamen berezia egiten dio datuak babesteko ordezkariaren figurari. Ondorioztatzen den ideia nagusia da garrantzitsua dela administrazio publikoek datuak babesteko politika bat diseinatzea, lehenetsita aplikatuko dena, eta ez bakarrik erantzukizun politikoak dituztenei, baizik eta sektore publikoan lan egiten duten pertsona guztiei eragingo diena. Resumen: El presente trabajo tiene como objetivo ofrecer un análisis del principio de responsabilidad proactiva en el tratamiento de datos personales por parte de la administración pública, y pretende aportar una visión jurídica para facilitar su aplicación en la práctica. El trabajo está estructurado en cuatro apartados. En el primero de ellos se presenta, en términos generales, el nuevo marco regulador de la protección de datos personales, que es consecuencia del Reglamento (UE) General de Protección de Datos. El segundo apartado está dedicado a la responsabilidad proactiva como principio básico del tratamiento de datos personales por las administraciones públicas. El tercero propone una serie de medidas que las administraciones públicas pueden tener en cuenta para cumplir con el principio de responsabilidad proactiva en la práctica. Finalmente, el apartado cuarto aporta una reflexión sobre la necesidad de introducir cambios organizacionales para asegurar el cumplimiento de los principios del Reglamento General de Protección de datos y del ejercicio de derechos por la ciudadanía, con una especial mención a la figura del delegado o delegada de protección de datos. La principal idea que se concluye es la importancia de que las administraciones públicas diseñen una política de protección de datos que se aplique por defecto, e implique, no sólo a quienes ejercen responsabilidades políticas, sino a todas las personas que trabajan en el sector público. Abstract: The present work aims to offer an analysis of the principle of proactive responsibility in the treatment of personal data by the public administration, and aims to provide a legal vision to facilitate its practical implementation. The work is structured in four sections. The first of these presents, in general terms, the new regulatory framework for the protection of personal data, which is a consequence of the General Data Protection Regulation (EU). The second section is dedicated to proactive responsibility as a basic principle of the processing of personal data by public administrations. The third proposes a series of measures that public administrations can take into account to comply with the principle of proactive responsibility in practice. Finally, the fourth section provides a reflection on the need to introduce organizational changes to ensure compliance with the principles of the General Data Protection Regulation and the exercise of rights by citizens, with special reference to the figure of the Data Protection Officer. The main idea that is concluded is the importance for public administrations to design a data protection policy that is applied by default, and involves not only those who exercise political responsibilities, but also all those who work in the public sector.

scholarly journals Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Compliance Audit ◽  
General Data ◽  
Data Controller ◽  
Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

USE OF PASSENGER LOCATION CARDS IN THE ERA OF THE COVID-19 PANDEMIC, AND THE PROCESSING OF PERSONAL DATA OF AIR PASSENGERS

2021 ◽  
Vol 57 ◽  
pp. 2-2
Author(s):  
Katarzyna Biczysko-Pudełko
Keyword(s):  
Personal Data ◽  
The State ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
The Subject ◽  
The Republic ◽  
Questionnaire Method ◽  
General Regulation

Purpose. The aim of the article is to analyse the processing of personal data of air passengers during the SARS-CoV-2 pandemic in the context of doubts that have arisen in connection with the need for these passengers to provide their personal data as part of filling out the Passenger Location Card questionnaire. Method. The research method used in this study is case study. Findings. In the study, it was showed that firstly, the data of air passengers processed in relation to the application of the Passenger Location Card by the State Border Sanitary Inspectorate in Warsaw should be protected under the provisions of the General Regulation on the protection of personal data. Furthermore, their controller, i.e. the State Border Sanitary Inspectorate in Warsaw, did not fulfil its obligations in this regard. This, in effect, justifies the conclusion that the processing process not in accordance with the law on the protection of personal data. Research and conclusions limitations. The analysis concerned only passengers of aircrafts arriving and/or departing from airports located on the territory of the Republic of Poland. Practical implications. The analysis carried out in this study may provide a solution to the issues that have arisen in the public sector with regard to the processing of personal data collected from air passengers on the basis of the Passenger Location Card questionnaire and thus, the conclusions may prove useful for data controllers who should be aware of such problems, but also for air travellers as data subjects who should be protected by the General Data Protection Regulation and their rights in this regard. Originality. This analysis, if only for the reason that it is an analysis of a problem that has come to light relatively recently (March 2020), has so far, only been the subject of consideration in press articles.

Anonymization, tokenization, encryption. How to recover unrecoverable data

2018 ◽  
Vol 0 (6/2017) ◽  
pp. 9-13
Author(s):  
Olga Dzięgielewska
Keyword(s):  
Risk Analysis ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
Insider Threat ◽  
General Data Protection Regulation ◽  
Analysis Phase ◽  
Data Layer ◽  
General Data ◽  
Financial Consequences

The data privacy is currently vastly commented topic among all the organizations which process personal data due to the introduction of the European Union’s General Data Protection Regulation. Existing methods of data protection are believed to be sufficient as they meet the risk-based approach requirements in every mature organization, yet the number of publicly known data breaches confirms that this assumption is false. The aftermath of such incidents in countless cases prove that the risk-based approach failed as the reputational and financial consequences by far exceed the original estimations. This paper stressed the importance of the data layer protection from the planning, through design, until maintenance stages in the database lifecycle, as numerous attack vectors originating from the insider threat and targeting the data layer still sneak through unnoticed during the risk analysis phase.

scholarly journals Data Privacy Management in Public Environments

2020 ◽  
Author(s):  
Hugo Lopes ◽  
Valderi R. Q. Leithardt ◽  
Ivan Miguel Pires ◽  
Raúl García-Ovejero ◽  
María Navarro-Cáceres
Keyword(s):  
Mobile Devices ◽  
Data Privacy ◽  
Technological Evolution ◽  
Privacy Management ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
The Individual ◽  
Control And Management ◽  
Public Environment

The mobile devices caused a constant struggle for the pursuit of data privacy. Nowadays, it appears that the number of mobile devices in the world is increasing. With this increase and technological evolution, thousands of data associated with everyone are generated and stored remotely. Thus, the topic of data privacy is highlighted in several areas. There is a need for control and management of data in circulation inherent to this theme. This article presents an approach of the interaction between the individual and the public environment, where this interaction will determine the access to information. This analysis was based on a data privacy management model in public environments created after reading and analyzing the current technologies. A mobile application based on location via Global Positioning System (GPS) was created to substantiate this model, which it considers the General Data Protection Regulation (GDPR) to control and manage access to the data of each individual.

SEVERAL QUESTIONS REGARDING THE RULES FOR THE PROTECTION OF PERSONAL DATA IN KINDERGARTEN

2021 ◽  
Vol 12 (1) ◽  
pp. 261-268
Author(s):  
Angel Manchev ◽  
Keyword(s):  
Data Protection ◽  
Technological Progress ◽  
Data Exchange ◽  
Personal Data ◽  
The European Union ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
The Core ◽  
General Data ◽  
The Republic

The protection of personal data is one of the core values of modern European societies. This protection is provided by the law of the European Union and by the national legislations of the Member States, to which the Republic of Bulgaria also belongs. As of May 25, 2018, the protection of personal data is being expanded and updated in response to technological progress and the increasingly accelerated data exchange. The reason for this is the entry into force of Regulation (EU ) 2016/679 (General Data Protection Regulation, GDPR) and the changes in our national law that it imposes. In the sense of what has been said so far, the issues of personal data protection in children’s institutions are especially relevant, because these organizations actively handle personal data at any level of children, parents, teachers and staff. In this article, we will try to give short answers to some of the most important questions regarding personal data and the rules for their protection, according to European and Bulgarian legislation.

An Ontology based Framework for E-Government Regulatory Requirements Compliance

2019 ◽  
Vol 11 (2) ◽  
pp. 22-42 ◽  
Author(s):  
M. Mahmudul Hasan ◽  
Dimosthenis Anagnostopoulos ◽  
George Kousiouris ◽  
Teta Stamati ◽  
Peri Loucopoulos ◽  
...  
Keyword(s):  
Personal Data ◽  
Service Development ◽  
Government Service ◽  
Regulatory Requirements ◽  
Regulatory Requirement ◽  
General Data Protection Regulation ◽  
The Public ◽  
Enormous Amount ◽  
General Data ◽  
Government Legislation

E-Government has gained an enormous amount of attention by researchers and practitioners interested in digitizing the public sector through enacting policies and regulations. Compliance of regulatory requirements from these policies and regulations is an important requirement in e-Government service development projects. However, the concepts of regulatory requirements compliance are still scattered around in developing e-Government services. This article presents an e-Government regulatory requirement compliance (eGRRC) ontology framework that describes the interrelated concepts of regulatory requirements compliance in e-Government service development. The proposed eGRRC ontology is then applied on the recently introduced general data protection regulation (GDPR) for personal data processing across European Union (EU) countries, in order to indicate how the concepts can be mapped to the defined entities. The contribution of this article is on introducing a framework for researchers and practitioners to explore regulatory requirements compliance and their interrelationships in e-Government service development. Furthermore, e-Government legislation can accordingly be modeled using on the eGRRC ontology, that serves as basis for queries to infer knowledge about the source of regulatory requirements, objectives of the regulation, various types of requirements, the services affected, orientation of regulatory rules in requirements, priorities, and amendments of regulations in e-Government service development.

Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (C.J.E.U.)

2021 ◽  
Vol 60 (1) ◽  
pp. 53-98
Author(s):  
Michael S. Aktipis ◽  
Ron B. Katwan
Keyword(s):  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
The United States ◽  
Transfer Mechanism ◽  
The European Union ◽  
Privacy Concerns ◽  
General Data Protection Regulation ◽  
General Data ◽  
The Eu

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its ruling in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, commonly known as Schrems II, invalidating the EU–U.S. Privacy Shield as a valid transfer mechanism under the EU's General Data Protection Regulation (GDPR) and creating significant legal uncertainty for the continued availability of another widely used transfer mechanism, Standard Contractual Clauses (SCCs), for transfers of EU personal data from commercial entities in the EU to the United States. The widely anticipated ruling marked the second time in five years that the CJEU had invalidated the legal foundation for such data transfers, which in both cases had been the result of a carefully negotiated compromise balancing European data privacy concerns with statutory and constitutional limitations of the U.S. system (see Schrems I).

scholarly journals An Exploration of Data Interoperability for GDPR

2018 ◽  
Vol 16 (1) ◽  
pp. 1-21 ◽  
Author(s):  
Harshvardhan J. Pandit ◽  
Christophe Debruyne ◽  
Declan O'Sullivan ◽  
Dave Lewis
Keyword(s):  
Personal Data ◽  
Use Case ◽  
Information Flows ◽  
Data Interoperability ◽  
General Data Protection Regulation ◽  
Data Formats ◽  
General Data ◽  
Strong Motivation ◽  
Data Portability ◽  
The Right

The General Data Protection Regulation (GDPR) specifies obligations that shape the way information is collected, shared, provided, or communicated, and provides rights for receiving a copy of their personal data in an interoperable format. The sharing of information between entities affected by GDPR provides a strong motivation towards the adoption of an interoperable model for the exchange of information and demonstration of compliance. This article explores such an interoperability model through entities identified by the GDPR and their information flows along with relevant obligations. The model categorises information exchanged between entities and presents a discussion on its representation using existing standards. An investigation of data provided under the Right to Data Portability for exploring interoperability in a real-world use-case. The findings demonstrate how the use of common data formats hamper its usability due to a lack of context. The article discusses the adoption of contextual metadata using a semantic model of interoperability to remedy these identified shortcomings.

Sign in / Sign up

Export Citation Format

Share Document