Normative control for data access in healthcare research

Open Access
Award date: 02-04-2026
Number of pages: 168
Organisations
  • Faculty of Science (FNWI) - Informatics Institute (IVI)
  • Faculty of Law (FdR) - Leibniz Center for Law (FdR)
Abstract
Data privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union aim to give data subjects control over their personal data and to ensure the accountability of organizations by requiring them to demonstrate compliance. Such regulations also enable organizations to collaborate while respecting data subjects' rights, unlocking insights that would otherwise remain in data silos. However, compliance with these regulations is not straightforward. Legal text tends to be ambiguous and coarse-grained, with broad interpretations, making it challenging for non-specialists to translate it into a technical implementation. Consequently, organizations tend to rely on manual compliance tasks, making compliance labor-intensive, costly, and error-prone, and resulting in potential violations. Given that the GDPR imposes hefty penalties for violations, automated enforcement mechanisms become crucial. One such mechanism is access control.
Access control is the process of mediating requests for data and services and determining whether each request should be permitted or denied. Most conventional access control mechanisms are based on a binary permit-or-deny decision. Privacy regulations, however, turn these decisions into complex processes that cannot be resolved with a simple permit or deny, because of their dynamic behavior and the introduction of duties, that is, legal obligations associated with data access. Conventional access control systems have several limitations in handling these dynamic behaviors and the associated duties, and in providing formal compliance verification, leaving organizations vulnerable to violations. This challenge is particularly evident when data moves across organizations and jurisdictions with different legal requirements, potentially requiring frequent policy updates.
In this research, we address these challenges by evaluating policy specification languages, mapping social policies to low-level system policies, and implementing a purpose-based access control mechanism and a duty lifecycle management system. We evaluated the Open Digital Rights Language (ODRL), a language that expresses rights and duties, through use cases and examples, and demonstrated its limitations in handling delegation scenarios and in representing precise duty semantics, as well as its insufficient granularity in identifying parties. Our approach leverages eFLINT, a domain-specific language designed for specifying legal norms. Using eFLINT, we translate high-level social policies into enforceable access control rules for healthcare research networks, in particular the SIOPE DIPG/DMG registry, demonstrating how regulatory frameworks can be enforced in such domains.
This work introduces a novel Purpose-Based Access Control (PBAC) model derived from the GDPR's Purpose Limitation Principle. The model formalizes purpose hierarchies, in which specific purposes inherit permissions from general purposes, and addresses the compatibility principle. This approach ensures that data is only processed for specific, explicit, and legitimate purposes, as the GDPR requires. We further introduce a duty lifecycle management system that tracks duties through multiple states, manages temporal constraints including deadlines, and implements duty enforcement modules such as data retention notifications. This work is evaluated using the SIOPE DIPG/DMG registry, running different healthcare research workflows for data access. Finally, our research bridges the gap between legal norms and access control mechanisms and provides a foundation for access control systems that can address the complexity of legal norms.
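To make the two ideas in the abstract concrete, the following is an added Python illustration, not the thesis's own eFLINT specification or code: a purpose hierarchy in which a grant for a general purpose covers requests for its specialisations, a compatibility check against the purpose the data was collected for, and a duty that moves through states under a deadline. The purpose names, grant fields, duty names and the three duty states are hypothetical choices made here for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional

# Constructed purpose hierarchy (hypothetical names): child -> parent.
# A specific purpose specialises a general one, so a permission granted
# for the general purpose also applies to the specific purpose.
PURPOSE_PARENT: Dict[str, Optional[str]] = {
    "research": None,
    "healthcare_research": "research",
    "dipg_registry_analysis": "healthcare_research",
    "marketing": None,
}


def ancestors(purpose: str) -> List[str]:
    """Return the purpose itself followed by its ancestors, most general last."""
    chain: List[str] = []
    current: Optional[str] = purpose
    while current is not None:
        if current not in PURPOSE_PARENT:
            raise KeyError(f"unknown purpose: {current}")
        chain.append(current)
        current = PURPOSE_PARENT[current]
    return chain


def is_compatible(requested: str, collection_purpose: str) -> bool:
    """Purpose-limitation check: the requested purpose is compatible with the
    collection purpose when it is that purpose or a specialisation of it."""
    return collection_purpose in ancestors(requested)


@dataclass
class Grant:
    subject: str
    dataset: str
    purpose: str                                      # may be a general purpose
    duties: List[str] = field(default_factory=list)   # duties attached to access


def decide(grants: List[Grant], subject: str, dataset: str,
           requested: str, collection_purpose: str) -> Optional[Grant]:
    """Return the grant that permits the request, or None to deny it.
    Inheritance runs downward only: a grant for "healthcare_research" covers
    "dipg_registry_analysis", but a grant for a specific purpose never covers
    a request for a more general one."""
    if not is_compatible(requested, collection_purpose):
        return None
    for g in grants:
        if (g.subject == subject and g.dataset == dataset
                and g.purpose in ancestors(requested)):
            return g
    return None


class DutyState(Enum):          # hypothetical state set for this example
    PENDING = "pending"
    FULFILLED = "fulfilled"
    VIOLATED = "violated"


@dataclass
class Duty:
    name: str
    holder: str
    deadline: datetime
    state: DutyState = DutyState.PENDING

    def fulfil(self, at: datetime) -> DutyState:
        """Fulfilling after the deadline still counts as a violation."""
        if self.state is DutyState.PENDING:
            self.state = DutyState.FULFILLED if at <= self.deadline else DutyState.VIOLATED
        return self.state

    def check(self, now: datetime) -> DutyState:
        """Temporal check: a pending duty whose deadline has passed is violated."""
        if self.state is DutyState.PENDING and now > self.deadline:
            self.state = DutyState.VIOLATED
        return self.state


def activate_duties(grant: Grant, granted_at: datetime, days: int) -> List[Duty]:
    """When access is permitted, instantiate the grant's duties with a deadline."""
    return [Duty(d, grant.subject, granted_at + timedelta(days=days)) for d in grant.duties]


def run_example() -> Dict[str, object]:
    """Constructed scenario: data collected for 'research', one grant for a
    general purpose, and a retention duty that must be met within 30 days."""
    grants = [Grant("alice", "dipg_registry", "healthcare_research",
                    ["delete_data_after_study"])]
    t0 = datetime(2026, 1, 1)  # constructed timestamp
    permitted = decide(grants, "alice", "dipg_registry", "dipg_registry_analysis", "research")
    on_time = activate_duties(permitted, t0, 30)[0]
    late = activate_duties(permitted, t0, 30)[0]
    return {
        "specific_inherits": permitted is not None,
        "general_not_covered": decide(grants, "alice", "dipg_registry", "research", "research") is None,
        "marketing_denied": decide(grants, "alice", "dipg_registry", "marketing", "research") is None,
        "duty_on_time": on_time.fulfil(t0 + timedelta(days=10)).value,
        "duty_late": late.check(t0 + timedelta(days=31)).value,
    }
```

The point of the `decide` function is the direction of inheritance: the grant names a general purpose and the request names a specific one, so the request is covered; the reverse request is denied, and a request whose purpose is not a specialisation of the collection purpose is denied before any grant is consulted. The duty objects show why a permit decision is not the end of the process: the access carries an obligation that has its own state and deadline.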
Document type: PhD thesis
Language: English