by Carmela Gambardella (Hewlett Packard Enterprise Italy), Ilaria Matteucci, and Marinella Petrocchi (IIT-CNR)
An electronic data sharing agreement (DSA) is a human-readable yet machine-processable contract that regulates how organisations and/or individuals share data. Its smooth definition and fluid lifecycle management are key to enabling data protection in a variety of contexts, from e-government to the provision of business and healthcare services.
Data sharing is becoming ever easier with the support of highly connected ICT systems. Individuals, businesses and governments increasingly store their data on cloud infrastructure, owing to recent reductions in cost and to the functionality the cloud provides, such as easy sharing of data. Data sharing, however, poses several problems, including privacy and data-misuse issues as well as uncontrolled propagation of data. A secure and private way to exchange, store and manage data is therefore essential. The aim of the Coco Cloud project [L1] is to address these security and privacy issues by providing a framework that permits the exchange of data while enforcing privacy policies, so that data are accessed and used in a controlled way. This is supported by the concept of a data sharing agreement (DSA): a DSA specifies the policies that are applied when accessing the data to which it is linked.
Here, we introduce the Coco Cloud DSA System, designed to manage the different phases of DSA design, development and use. It consists of the DSA Authoring Tool, the DSA Analyser and Conflict Solver, and the DSA Mapper, glued together by the DSA Lifecycle Manager:
- The DSA Authoring Tool creates and manages DSAs. The rules included in a DSA are written in a Controlled Natural Language for DSAs, CNL for short, which is built on specific dictionaries (ontologies). The tool is available as a web application with a user-friendly interface.
- The DSA Analyser and Conflict Solver analyse the rules in a DSA and resolve potential conflicts. A conflict exists when two rules simultaneously allow and deny the same access request under the same contextual conditions. If a conflict is revealed, the Conflict Solver prioritises the rules to be enforced. The Analyser is available as a web service and exposes its functionality through Application Programming Interfaces (APIs).
- The DSA Mapper translates the DSA policies from CNL into an enforceable XACML-based language. The mapping process takes the analysed DSA rules as input, translates them into the machine-processable language and combines all rules according to the Conflict Solver's strategy. The outcome is an enforceable policy, which is evaluated at each request to access and/or use the target data.
- The DSA Lifecycle Manager orchestrates all the components of the DSA System. It exposes the functionalities of the DSA System to each user according to that user's role (described below), so users do not interact directly with the component tools but only via the DSA Lifecycle Manager.
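To make the analyser/conflict-solver/mapper pipeline concrete, the following is an added example written for this page; it is not Coco Cloud code and does not reproduce the project's CNL grammar or its conflict-solving strategy. Rules are a structured stand-in for CNL sentences; the attribute names (role, purpose, consent, shift), the sample healthcare rules, the requests and the "promote the Deny rule" strategy are all constructed here. The mapper emits only a Policy skeleton (PolicyId, rule-combining algorithm, RuleId, Effect, Description) and is not schema-complete XACML. It does show the two points the text makes: why two rules that are individually sensible conflict under one request, and how the combining strategy decides the outcome.

```python
"""Toy DSA analyser, conflict solver and XACML-style mapper/evaluator.

Added example: this is NOT Coco Cloud code. Rules are a structured stand-in
for CNL sentences; attribute names, sample rules and the conflict-solving
strategy are all constructed for illustration.
"""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                                  # "Permit" or "Deny", as in XACML
    subject_role: str
    action: str
    resource: str
    condition: Tuple[Tuple[str, str], ...] = ()  # (context attribute, required value)
    priority: int = 0                            # raised by the conflict solver

    def applies(self, request: Dict[str, str]) -> bool:
        """Target match on role/action/resource plus every context attribute."""
        target = (request.get("role"), request.get("action"), request.get("resource"))
        if target != (self.subject_role, self.action, self.resource):
            return False
        return all(request.get(k) == v for k, v in self.condition)


def conditions_overlap(a: Rule, b: Rule) -> bool:
    """Two conditions can hold at once unless they fix the same attribute
    to different values (e.g. purpose=treatment vs purpose=marketing)."""
    ca, cb = dict(a.condition), dict(b.condition)
    return all(cb[k] == v for k, v in ca.items() if k in cb)


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Analyser: a Permit and a Deny on the same target whose conditions
    a single request can satisfy simultaneously."""
    conflicts = []
    for a, b in combinations(rules, 2):
        same_target = (a.subject_role, a.action, a.resource) == \
                      (b.subject_role, b.action, b.resource)
        if same_target and a.effect != b.effect and conditions_overlap(a, b):
            conflicts.append((a.rule_id, b.rule_id))
    return conflicts


def resolve_conflicts(rules: List[Rule]) -> List[Rule]:
    """Conflict solver with an assumed strategy (not the project's): in each
    conflicting pair the Deny rule is promoted so that denial wins."""
    promoted = {rid for pair in find_conflicts(rules) for rid in pair
                if next(r for r in rules if r.rule_id == rid).effect == "Deny"}
    return [replace(r, priority=r.priority + 1) if r.rule_id in promoted else r
            for r in rules]


def evaluate(rules: List[Rule], request: Dict[str, str],
             combining: str = "deny-overrides") -> str:
    """PDP-style decision over the applicable rules."""
    applicable = [r for r in rules if r.applies(request)]
    if not applicable:
        return "NotApplicable"
    if combining == "deny-overrides":            # a standard XACML algorithm
        return "Deny" if any(r.effect == "Deny" for r in applicable) else "Permit"
    if combining == "priority":                  # the solver's ordering decides
        return max(applicable, key=lambda r: r.priority).effect
    raise ValueError(f"unknown combining algorithm: {combining}")


def to_xacml_skeleton(rules: List[Rule], combining: str = "deny-overrides") -> str:
    """Mapper: emit a Policy skeleton. Target and Condition elements are
    omitted, so this is a sketch, not schema-complete XACML."""
    alg = f"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:{combining}"
    out = [f'<Policy PolicyId="dsa-example" Version="1.0" RuleCombiningAlgId="{alg}">']
    for r in rules:
        cond = " and ".join(f"{k} is {v}" for k, v in r.condition) or "always"
        out.append(f'  <Rule RuleId="{r.rule_id}" Effect="{r.effect}">')
        out.append(f'    <Description>{r.subject_role} {r.action} {r.resource} '
                   f'if {cond}</Description>')
        out.append("  </Rule>")
    out.append("</Policy>")
    return "\n".join(out)


# Constructed sample DSA for a healthcare scenario (illustrative only).
RULES = [
    Rule("r1", "Permit", "doctor", "read", "health_record", (("purpose", "treatment"),)),
    Rule("r2", "Deny", "doctor", "read", "health_record", (("consent", "withdrawn"),)),
    Rule("r3", "Permit", "nurse", "read", "health_record", (("shift", "on_duty"),)),
    Rule("r4", "Deny", "doctor", "read", "health_record", (("purpose", "marketing"),)),
]
REQ_CONFLICT = {"role": "doctor", "action": "read", "resource": "health_record",
                "purpose": "treatment", "consent": "withdrawn"}
REQ_OK = {"role": "doctor", "action": "read", "resource": "health_record",
          "purpose": "treatment", "consent": "given"}
REQ_NURSE = {"role": "nurse", "action": "read", "resource": "health_record"}

if __name__ == "__main__":
    print("conflicts:", find_conflicts(RULES))                           # [('r1', 'r2')]
    print("unresolved, priority:", evaluate(RULES, REQ_CONFLICT, "priority"))
    print("resolved, priority:", evaluate(resolve_conflicts(RULES), REQ_CONFLICT, "priority"))
    print("deny-overrides:", evaluate(RULES, REQ_CONFLICT))
    print(to_xacml_skeleton(RULES))
```

Rules r1 and r4 are not in conflict because their conditions fix `purpose` to different values, while r1 and r2 are: a treatment-purpose read after consent has been withdrawn satisfies both. Without the solver, a priority-based combination picks whichever rule comes first and permits the read; after the solver promotes the Deny rule, or under XACML's deny-overrides algorithm, the same request is denied.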
The DSA System allows different types of user to edit DSAs. Users log into the system under one of three roles, each with specific features, goals and functionalities:
- A law expert (for example, a lawyer) is familiar with the legal and contractual content of the agreement. Such a user creates and manages the initial version of a DSA through the DSA Authoring Tool, instantiating the legal rules.
- A policy expert is responsible for defining business policies and DSA metadata; for example, a company policy expert who has to set up company-specific agreements.
- An end user can either extend, if requested, the policy expert's DSA with her user-specific input, or simply review and accept a DSA created by a policy expert for use with her data. An example of such a user is a patient in a hospital.
The Coco Cloud solutions for managing Data Sharing Agreements are assessed through the project's three use cases, which feature the need for secure and private data sharing in public administration, healthcare and mobile scenarios.
Figure 1: The Coco Cloud Data Sharing Agreement (DSA) system designed to manage different phases of DSA design, development, and use: DSA Authoring Tool, DSA Analysis and Conflict Solver Tools, and a DSA Mapper Tool, glued together by the DSA Lifecycle Manager.
We acknowledge contributions to the design and development of the DSA system by Gianpiero Costantino, IIT CNR, Pisa, Italy, Mirko Manea, Hewlett Packard Enterprise Italy, Anil Ozdeniz, ATOS, Turkey, and Jose Francisco Ruiz, ATOS, Spain.
References:
[1] J. Ruiz et al.: "The lifecycle of Data Sharing Agreements: how it works out", Springer APF 2016, in press.
[2] I. Matteucci, M. Petrocchi, M. L. Sbodio: "CNL4DSA: a controlled natural language for Data Sharing Agreements", ACM SAC 2010, pp. 616-620.
[3] C. Caimi et al.: "Legal and Technical Perspectives in Data Sharing Agreements Definition", Springer APF 2015, pp. 178-192.