GDPR compliant secure encrypted sharing of genomic data using Blockchain technology


October 29, 2020

Summary

The overall goal of GenoBank.io is to build a network of people who can share their DNA data in a self-sovereign way, using their own boxes, in a GDPR compliant manner (demonstrated through a GDPR certification or a GDPR audit).

The question is how to combine an identity (ID), a biospecimen, a wet lab (DNA extraction and sequencing), IPFS and non-fungible tokens (the biosample permission token) so as to digitally enforce, in software, the four main rights of the GDPR (listed under GOAL below).

Prerequisites

  • Pseudonymous identity: created from a public/private keypair that is compatible with the underlying blockchain's cryptography. Keypairs are free for anyone to generate, require no registration and can even be generated offline. They identify the actors in the system and, at a later stage, provide the encryption and decryption keys for the data.
  • DNA biosample: using the GenoBank.io saliva kit, your DNA is sequenced and delivered to you as a digital file.
  • DNA donor: the data subject, a user who wants to share a digital DNA biosample with other parties (such as research institutes).
  • BioNFT token: a "biospecimen permission token", a non-fungible token for managing the usage rights on data. It is a smart contract signed by an identity (the owner of the data) that grants usage of a DNA biosample for a certain period of time. It gives the researcher (or any other receiving party) the right to use this DNA sample.
  • Blockchain notary: a notary service (a smart contract at a fixed, agreed-upon address on the blockchain) that keeps track of state changes in the system. Most notably it notarizes the BioNFT tokens on the blockchain, so that every observer can irrefutably verify that a certain state change happened at a certain point in time. Since it is written to a public blockchain, it is immutable and observable by all. Since only the hash of the data is stored on chain, only those with access to the data itself can perform the verification; note that this holds only if the hashed input is not guessable (a signed token, not a short identifier), because an observer can otherwise confirm a guess by hashing candidate values.

Architecture of the solution

People who want to exchange DNA (genomic) data in a GDPR compliant way use a PC that holds and synchronizes the data and runs a software package that executes the rules of the protocol.

The goals of the hardware solution are to:

  • store the DNA data in encrypted form
  • store the data in a decentralized way (not in a data center, but in the home of the user)
  • provide a convenient user interface for managing the usage rights (BioNFT tokens) on the user's data
  • re-encrypt the data for a recipient once a "biosample permission token" (BioNFT) has been created and delegated to that recipient
  • make sure the re-encrypted data is made available ('pinned') in the data store
  • securely exchange messages with the recipients of the data
  • comply with state changes in the issued BioNFT tokens, most notably by removing (destroying and blocklisting) any dataset on the system whose license has been revoked or has expired

The data-exchange protocol

There are three actors in this protocol:

Issuer: the owner of the DNA data, who manages the usage rights of their DNA data through the app.
Recipient: the researcher or research institute that wants to receive the data for analysis.
Notary: a smart contract on the blockchain used to notarize data, giving it a public timestamp ("Proof of Existence"). The timestamp can be verified by outside observers, and anyone who holds the original data can prove that exactly that data was notarized.

There are 3 flows in the protocol

1. Issue right to use DNA data

Sequence (from the original diagram):

  • Recipient → Issuer: ask for permission
  • Issuer → Notary: issue BioNFT token
  • Notary → Recipient: notification of issuance
  • Issuer → Recipient: send encrypted data
  • Recipient now has the data and the usage rights

2. Extend right to use DNA data

Sequence (from the original diagram):

  • Recipient → Issuer: ask for extension
  • Issuer → Notary: issue new BioNFT token
  • Notary → Recipient: notification of issuance
  • Recipient keeps the data and has the extended usage rights

3. Revoke right to use DNA data

Sequence (from the original diagram):

  • Issuer → Notary: revocation BioNFT token
  • Notary → Recipient: notification of revocation
  • Recipient removes the data and blocklists the dataset

GOAL

Restating the question from the Summary: how do we combine an identity (ID), a biospecimen, a wet lab (DNA extraction and sequencing), IPFS and non-fungible tokens (the biosample permission token) to digitally enforce the four main rights of the GDPR:

  1. Right to know (the right to be informed about, and to access, one's data; GDPR Art. 13-15)
  2. Right to port (own) one's data (the right to data portability; Art. 20)
  3. Right to be forgotten (the right to erasure; Art. 17)
  4. Not to be discriminated against

Future R+D

  1. Would this approach reverse the role of the "GDPR data processor", in the sense that the users decide who they share their data with and each user effectively becomes their own data processor?
  2. Implementing the biosample permission platform as a user-friendly product.
  3. Legal applicability of promissory estoppel or a similar legal theory, to allow anonymous owners of property to make claims against permittees.
