GDPR compliant secure encrypted sharing of genomic data using Blockchain technology


Summary

The overall goal of GenoBank.io is to build a network of people who can share DNA data in a self-sovereign, GDPR-compliant way using their boxes (compliance being established through a GDPR certification or a GDPR audit).

The question is how we combine an identity (ID) + Biospecimen + Wet Lab (DNA extraction & sequencing) + IPFS + non-fungibles (biosample permission token) to digitally enforce/program the 4 main rights of the GDPR.

Prerequisites

  • Pseudonymous identity: can be created using public/private keypairs that are compatible with the underlying blockchain cryptography. They are free for anyone to generate and do not require any registration. In fact, they can be generated off-line. Their goal is to identify the actors in the system and to provide encryption and decryption keys for the data at a later stage.
  • DNA biosample: Using the GenoBank.io saliva kit, your DNA is sequenced and delivered to you as a digital file.
  • DNA donor: this is the data subject. A user wants to share a digital DNA biosample with other people (such as research institutes)
  • BioNFT token: a “biospecimen permission token” is a Non-Fungible Token for managing the usage rights on data. It is a smart contract which is signed by an identity (the owner of the data) to grant usage of a DNA biosample for a certain period of time. It grants the researcher (or any receiving party) the right to use this DNA sample.
  • Blockchain notary: a blockchain notary is a notary service (and smart contract with a fixed, agreed-upon address on the blockchain) that keeps track of state changes in the system. Most notably, it will notarize the NFT tokens on the blockchain, so every observer can irrefutably verify that a certain state change happened at a certain point in time. Since it is written on a public blockchain, it is immutable and observable for all. Since we only store the hash of the data, only those with access to the data itself can do the verification.

Architecture of the solution

People who want to exchange DNA (Genomic) data in a GDPR compliant way will use a PC that holds and synchronizes data, and has software installed on it (software package) that executes the rules of the protocol.

The goals of the hardware solution are to:

  • provide a solution to store the DNA data in an encrypted form
  • provide a decentralized solution for storing data (i.e. not in a data center, but in the home of the user)
  • provide a convenient user interface to manage the usage rights (BioNFT tokens) on their data
  • do the re-encryption of data for recipients if a “biosample permission token” (BioNFT token) has been created and delegated
  • make sure that the re-encrypted data is made available (‘pinned’) in the data-store
  • securely exchange messages with the recipients of the data
  • comply with state changes in the BioNFT tokens issued, most notably by removing (destroying and blocklisting) datasets on their system whose license has been revoked or has expired at some point in time

The data-exchange protocol

There are different actors in this protocol:

Issuer: The owner of the DNA data. He/she will manage the usage rights of their DNA data through the app.
Recipient: The researcher, or research institute, that would like to receive the data for analysis.
Notary: A smart contract on the blockchain that can be used to notarize data, thus giving it a public timestamp (“Proof Of Existence”) that can be publicly verified by outside observers. Anyone who has the original data can prove that the data was notarized.

There are 3 flows in the protocol:

1. Issue right to use DNA data

[Sequence diagram. Participants: Recipient, Issuer, Notary. Messages in order: Ask for permission; Issue BioNFT token; notification of issuance; Send encrypted data; has data + usage rights.]

2. Extend right to use DNA data

[Sequence diagram. Participants: Recipient, Issuer, Notary. Messages in order: Ask for extension; Issue new BioNFT token; notification of issuance; has data + usage rights.]

3. Revoke right to use DNA data

[Sequence diagram. Participants: Issuer, Notary, Recipient. Messages in order: revocation BioNFT token; notification of revocation; removes data + blacklists.]
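
The three flows above, as an added Python example (not GenoBank.io's code) with signatures and encryption left out: only token digests reach the notary, and the recipient destroys and blocklists a dataset once no active token covers it. The in-memory `Notary`, the `RecipientBox` class, the `nonce` field and the integer timestamps are assumptions made for this illustration.

```python
import hashlib, json, secrets

def digest(token: dict) -> str:
    """Canonical SHA-256 of a token; the notary only ever sees this value."""
    return hashlib.sha256(json.dumps(token, sort_keys=True).encode()).hexdigest()

class Notary:
    """In-memory stand-in for the notary contract: digest -> [timestamp, revoked]."""
    def __init__(self):
        self.ledger = {}
    def notarize(self, d: str, now: int) -> None:
        self.ledger.setdefault(d, [now, False])  # first timestamp wins
    def revoke(self, d: str) -> None:
        self.ledger[d][1] = True
    def active(self, d: str) -> bool:
        return d in self.ledger and not self.ledger[d][1]

def issue(notary, issuer, recipient, sample_sha, start, end) -> dict:
    """Flows 1 and 2: create a time-limited BioNFT token and notarize its digest."""
    token = {"issuer": issuer, "recipient": recipient, "sample_sha256": sample_sha,
             "valid_from": start, "valid_until": end,
             "nonce": secrets.token_hex(16)}  # assumption: salt so digests cannot be guessed
    notary.notarize(digest(token), start)
    return token

class RecipientBox:
    """Recipient software: holds a dataset only while a notarized token covers it."""
    def __init__(self, notary):
        self.notary, self.tokens, self.data, self.blocklist = notary, [], {}, set()
    def covered(self, sha: str, now: int) -> bool:
        return any(t["sample_sha256"] == sha and t["valid_from"] <= now < t["valid_until"]
                   and self.notary.active(digest(t)) for t in self.tokens)
    def receive(self, token: dict, sample: bytes = None) -> bool:
        sha = token["sample_sha256"]
        if sha in self.blocklist or not self.notary.active(digest(token)):
            return False  # blocklisted dataset, or token unknown/revoked at the notary
        if sample is not None:
            if hashlib.sha256(sample).hexdigest() != sha:
                return False  # data does not match what the token licenses
            self.data[sha] = sample
        self.tokens.append(token)
        return True
    def enforce(self, now: int) -> list:
        """Flow 3 and expiry: destroy and blocklist every dataset no longer covered."""
        gone = [sha for sha in self.data if not self.covered(sha, now)]
        for sha in gone:
            del self.data[sha]
            self.blocklist.add(sha)
        return gone
```

Calling `enforce` on a schedule is what turns a revocation or expiry recorded at the notary into actual deletion on the recipient's machine; the notary itself never holds the data or the token contents.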

GOAL

The overall goal of GenoBank.io is to build a network of people who can share DNA data in a self-sovereign, GDPR-compliant way using their boxes (compliance being established through a GDPR certification or a GDPR audit).

The question is how we combine an identity (ID) + Biospecimen + Wet Lab (DNA extraction & sequencing) + IPFS + non-fungibles (biosample permission token) to digitally enforce/program the 4 main rights of the GDPR:

  1. Right to know
  2. Right to Port (Own) data
  3. Right to be forgotten.
  4. Right not to be discriminated against

Future R+D

  1. Would this approach reverse the roles of “GDPR data processor” - in the sense that we give the users the power to decide who they share their data with + make the user basically his OWN data processor?
  2. Implementing the biosamples permission platform into a user-friendly product.
  3. Legal applicability of promissory estoppel or a similar legal theory to allow anonymous owners of property to make claims against permittees.
