Access & Usage Policies Enforcement

The iSHARE Framework provides a comprehensive set of tools for defining and enforcing access and usage policies. Most notably:

iSHARE provides a generic approach for delegations, including generic licenses. The data space can decide to provide better guidance or standards on the semantics of delegations (specifically for policy --> target) and to allow more detailed licenses.

DSSC Description

This building block aims to specify how to define and enforce access and usage policies within a data space and how participants define their policies in data spaces. It is of significant importance for every business operation and actual data transaction (sharing, processing) within a data space, and it is essential for enabling data sovereignty in data spaces.

The primary aspect of this building block is a policy, either an offer from the data provider or an agreement between the data provider and the data recipient. A policy comprises rules that specify the rights and duties of the parties concerning the policy. These rules can take different forms that indicate how they should be enforced during a data transaction:

  1. Access Rules: Determine who can access data and under what conditions.

    • Who can access data: Defining conditions for access based on roles, attributes, or other criteria.

    • How data access is granted and controlled: Defining policy-based frameworks for determining who receives access permissions, under what conditions access is allowed, and how authorisation decisions are enforced.

    • Example: A healthcare provider can access the data usage policy only if they are a registered healthcare professional and have authorisation from the patient.

  2. Usage Rules: Specify what actions can be performed and which obligations apply under the policy once access is granted.

    • What actions can (not) be performed on data: Specifying permissible operations, such as analysis, modification, sharing, or deletion.

    • How usage is controlled: Setting rules to enforce the boundaries of allowed actions, ensuring compliance with the policy.

    • Example: A researcher can access patient data for analysis but cannot modify, share, or delete it without additional permissions.

  3. Consent Management Rules: Manage consent and permissions for data usage, particularly when the data holder differs from the data subject. They determine and verify authorised consent providers (data subjects or representatives), establish explicit consent processes, including opt-in and opt-out mechanisms, manage consent verification and revocation workflows, and bridge relationships between data rights holders and data subjects.

    • Example: A data-sharing agreement between companies requires explicit consent from data subjects before sharing personal data.
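The three rule types can be combined in a single default-deny decision, shown here as an added example that is not part of the iSHARE or DSSC specifications. The `Policy`, `ConsentRegistry` and `decide` names, the attribute strings and the sample identifiers are assumptions made for illustration; this is not the iSHARE delegation evidence format.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; not the iSHARE delegation evidence format.
@dataclass
class Policy:
    required_attributes: set       # access rule: attributes the requester must hold
    permitted_actions: set         # usage rule: actions allowed once access is granted
    consent_required: bool = True  # consent rule: data subject must have opted in

@dataclass
class ConsentRegistry:
    # (data_subject, recipient) pairs with active opt-in consent
    _grants: set = field(default_factory=set)

    def opt_in(self, subject, recipient):
        self._grants.add((subject, recipient))

    def revoke(self, subject, recipient):
        self._grants.discard((subject, recipient))

    def has_consent(self, subject, recipient):
        return (subject, recipient) in self._grants

def decide(policy, consents, requester, attributes, action, subject):
    """Return (decision, reason). Default deny: every rule must pass."""
    missing = policy.required_attributes - set(attributes)
    if missing:
        return "Deny", "access rule: missing " + ", ".join(sorted(missing))
    if action not in policy.permitted_actions:
        return "Deny", f"usage rule: '{action}' not permitted"
    if policy.consent_required and not consents.has_consent(subject, requester):
        return "Deny", "consent rule: no active consent from data subject"
    return "Permit", "all rules satisfied"

# Constructed sample data mirroring the researcher example above.
POLICY = Policy({"registered_researcher"}, {"analyse"})
CONSENTS = ConsentRegistry()
CONSENTS.opt_in("patient-1", "researcher-a")

if __name__ == "__main__":
    for action in ("analyse", "share"):
        print(action, decide(POLICY, CONSENTS, "researcher-a",
                             ["registered_researcher"], action, "patient-1"))
    CONSENTS.revoke("patient-1", "researcher-a")
    print("after revoke", decide(POLICY, CONSENTS, "researcher-a",
                                 ["registered_researcher"], "analyse", "patient-1"))
```

Because consent is checked at decision time rather than cached with the grant, a revocation takes effect on the next request.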

These policies can be developed at the data space level as part of the rulebook, which all participants should adhere to. Still, every participant should also be able to exercise their data sovereignty, defining their own data access and usage policies. In this context, there are three primary considerations:

  1. Policy negotiation constitutes the agreement on the compatibility between two policies.

  2. The authorisation registry helps to enforce the organisation's policies.

  3. Some domains may be affected by concrete regulations for the enforcement of policies. As part of this building block, we will also address the unique challenges of policy enforcement in the context of personal data, which usually involves the application of consent.

The complete description is available here.
