Skip to main content

A Data Disclosure Agreement (DDA) enables automated agreement handling for data exchange between a Data Source (DS) and Data Using Service (DUS). It helps organisations to continue leveraging their data assets while being transparent and legitimate in their data usage. Automated agreement handling is a requisite for a scalable and regulatory-compliant data marketplace… It also provides individuals control over how their data is used and exchanged.

It aims to enhance data governance to ​increase transparency and authenticity as ​critical elements for digital trust. This documentation describes the overall process how organisations can dynamically build trust in a dataspace or a data ecosystem, including the key actors involved.

Data Disclosure Agreement lifecycle actors

These actors are involved in the Data Disclosure Agreement lifecycle.

ActorDescriptionSSI Role / Other names
Data SourceThe organisation collecting personal data and storing itIssuer or Data producer
Data Subjectwho can manage their preferences and follow their data, should know who is consuming what, when and why.Holder
Data Using ServiceThe organisation processing personal data from one or more data sources to deliver a service.Verifier or Relying party or Data consumer

Additionally, there are two more actors participating in the data agreement lifecycle.

ActorDescription
AssessorThe individual who reviews the practices of an organisation (data source or a data using service), conducts a DPIA and drafts data agreements and inter-company agreements for third parties
AuditorThe individual who may be called in to review the data agreements and ensure they are in place in case of data breaches or regular inspection handled
Data marketplaceThe platform in a dataspace where organisations (DUS) can discover the data sources, and get into a trust relationship. Here the DS offers their data to potential DUS’.

Data Exchange Agreement overview

Figure 1 below illustrates a typical scenario where an organisation, Org. A, uses a DA to share data externally to Org B and Org C. Individual instances of the DA are signed by individuals X and Y. A DDA is used to govern the data exchange between Org A and Orgs B and C.

Figure 1. Data exchange and provenance scenarios

Data Exchange Agreement (DEXA) high-level workflow

As described in the background section, iGrant.io provides a decentralised data exchange service based on self-sovereign identity (SSI), OpenID Connect and OAuth protocols. The service enables organisations to exchange data in a transparent, secure and privacy-centric manner using verifiable data exchange agreements. The received data can be verified using SSI and X.509-based signatures. A DEXA workflow involves the following phases as illustrated below:

Figure 2. Different phases of DA and DDA lifecycle

These different phases are explained below:

  1. Definition: An existing agreement template is adopted as is or new ones are formulated in this phase. The template could be based on a particular industry and/or sector-specific practice. This can then be used by any organisation (DS or DUS) for a particular data usage purpose, in our case for enabling third party data exchange.

  2. Preparation: An organisation creates an agreement based on a DPIA or similar and shares it with relevant parties . For a DA, the relevant counterparty is the individual while for the DDA, it is a DUS.

  3. Capture: The counterparty signs the agreement in this phase. For a DDA, it is countersigned by the DUS while for a DA it’s the individual.

  4. Proof: Any organisation or individual is able to demonstrate that an agreement exists between the parties. Independent auditors can also check that records are in place proving that the individual's personal data may be processed (e.g. as per GDPR Article 30).

DEXA workflow enabling data provenance

The four phases described above are further elaborated in Figure 3 and explains how the DAs and DDAs are interlinked in the DEXA workflow. To ensure their compliance with data regulations, each organisation is encouraged to perform a privacy risk assessment or DPIA and ensure that risk mitigation measures are in place before collecting and processing personal data.

Figure 3: DA and DDA interlink within DEXA workflow

When a DDA is signed and personal data has been exchanged, the DS is not liable for the DUS's use of personal data. However, the obligation to monitor the individual’s consent to share data with a third party, in this case, the DUS, remains with the DS. The DUS is obliged to adhere to the terms laid out in the DDA. If the DUS does not adhere to the DDA, the DS can, upon finding out about the infringement, withdraw the DDA and consequently revoke all the DAs associated with the DDA.

Throughout the DA lifecycle, cryptographic proofs are generated detailing who created the DA during the preparation phase and who signed it during the capture phase [2]. This is based on a W3C (DID:mydata) specification [4] and realised via a Data Agreement DIDComm protocol [5] implementation.

The key activities and actors involved in each phase are summarised in the table below:

#ActivityPhaseActors
Assessment
1.0Perform DPIA or similar privacy assessment (external or self-assessment)

Output: DA template consisting of usage purpose, data attribute etc as per the DA schema

Definition and preparationAssessor, DS, DUS
For DS: Lawfully expose data and demonstrate provenance
2.1If the organisation wishes to expose personal data to a third party, it creates the DDA offer, If required, publishes to a data marketplace

Output: DDA is available and is ready for any DUS to sign.

Provenance: action to create an entity (DDA) by an actor (DS).

Definition and preparationDS
2.2Add DUS when they sign up

Output: DDA is updated with the DUS signatory info (during the DDA capture phase)

Provenance: action to update and sign off entity (DDA) by an actor (DUS)

CaptureDUS
2.3Any interested party can check the signed DDA proof of compliant data usage.

Provenance: Query to view provenance metadata

ProofAuditor, Individual, DS or DUS or any 3PP
2.4Automated enforcement of DDA

Provenance: query provenance metadata to ensure the signing of DDA is permitted

Proof,

Capture

DS, DUS
For DUS: Lawfully consume data and demonstrate provenance
3.1If the organisation (DUS) wishes to consume data, it checks the available DDA offers in the marketplace.Definition and PreparationDUS
3.2Organisation (DUS) signs up (Same as step 2.2)CaptureDUS
3.3DUS updates and register the DA based on the DDADefinition and PreparationDUS
3.4Any interested party can check the signed DA proof of compliant data usageProofAuditor, Individual, DS or DUS or any 3PP