Consent Management Architecture for Secure Data Transactions

Jarkko Hyysalo, Harri Hirvonsalo, Jaakko Sauvola, Samuli Tuoriniemi


Digitalization of data intensive services presents several challenges, such as how to safely manage and use the multitude of personal data across various public, private and commercial service providers. Guaranteed privacy is especially critical in sensitive cases like health data management and processing. A key challenge and enabler for efficient data utilization is the need for an adequate consent management framework that meets the General Data Protection Regulation (GDPR). To facilitate sensitive secure data transactions where end-control always resides with the individual, a consent management architecture (CMA) is defined, utilizing the new MyData approach. The proposed CMA enables context-driven authorization of multi-sourced data for safe access by various health services. CMA proof-of-concept and experiences are described and discussed to concretize and evaluate the suggested architecture. Consent management and authorization topics are discussed as a service function of the MyData Operator. The technical APIs required for registering and authorizing data sources and data services via the Operator are demonstrated and analyzed to expedite development of this important area within the research and industrial communities.


  1. Al Ameen, M., Liu, J., Kwak, K., 2012. Security and privacy issues in wireless sensor networks for healthcare applications. Journal of Medical Systems, 36(1), 93-101.
  2. Archer, N., Fevrier-Thomas, U., Lokker, C., McKibbon, K. A., Straus, S., 2011. Personal health records: A scoping review. Journal of the American Medical Informatics Association, 18(4), 515-522.
  3. Blume, P., 2014. The myths pertaining to the proposed General Data Protection Regulation. International Data Privacy Law, 4(4), 269-273.
  4. De Hert, P., Papakonstantinou, V., 2012. The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, 28(2), 130-142.
  5. Ferreira, A., Ricardo, C.C., Antunes, L., Chadwick, D., 2007. Access Control: how can it improve patients' healthcare?. Medical and care compunetics, 4(4), 65.
  6. Gnesi, S., Matteucci, I., Moiso, C., Mori, P., Petrocchi, M., Vescovi, M., 2014. My data, your data, our data: Managing privacy preferences in multiple subjects personal data. In Privacy Technologies and Policy, 154-171. Springer International Publishing.
  7. Jin, J., Ahn, G.J., Hu, H., Covington, M.J., Zhang, X., 2011. Patient-centric authorization framework for electronic healthcare services. Computers & Security, 30(2), 116-127.
  8. Jovanov, E., Milenkovic, A., 2011. Body area networks for ubiquitous healthcare applications: Opportunities and challenges. Journal of Medical Systems, 35(5), 1245-1254.
  9. Kaye, J., Whitley, E.A., Lund, D., Morrison, M., Teare, H., Melham, K., 2014. Dynamic consent: A patient interface for twenty-first century research networks. European Journal of Human Genetics, 23(2), 141- 146.
  10. Koops, B.J., 2014. The trouble with European data protection law. International Data Privacy Law, 4(4), 250-261.
  11. Kuner, C., 2012. The European Commission's Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law. Bloomberg BNA Privacy and Security Law Report, 6, 1-15.
  12. Liu, C., Zhu, Q., Holroyd, K.A., Seng, E.K., 2011a. Status and trends of mobile-health applications for iOS devices: A developer's perspective. Journal of Systems and Software, 84(11), 2022-2033.
  13. Liu, L. S., Shih, P. C., Hayes, G.R., 2011b. Barriers to the adoption and use of personal health record systems. In Proceedings of the 2011 iConference, 363-370. ACM.
  14. Milenkovic, A., Otto, C., Jovanov, E., 2006. Wireless sensor networks for personal health monitoring: Issues and an implementation. Computer Communications, 29(13), 2521-2533.
  15. Pantelopoulos, A., Bourbakis, N.G., 2010. A survey on wearable sensor-based systems for health monitoring and prognosis. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, 40(1), 1-12.
  16. Poikola A., Kuikkaniemi K., Honko H., 2015. MyData-A Nordic Model for human-centered personal data management and processing. Ministry of Transport and Communications. 952-243-455-5.
  17. Steinbrook, R., 2008. Personally controlled online health data-the next big thing in medical care? New England Journal of Medicine, 358(16), 1653.
  18. Tene, O., Wolf, C., 2014. The Draft EU General Data Protection Regulation: Costs and Paradoxes of Explicit Consent. The Future of Privacy Forum.
  19. Traung, P., 2012. The Proposed New EU General Data Protection Regulation: Further Opportunities. Computer Law Review International, 2, 33-49.
  20. Tucker, T., Marra, M., Friedman, J.M., 2009. Massively parallel sequencing: The next big thing in genetic medicine. The American Journal of Human Genetics, 85(2), 142-154.
  21. Voss, W.G., 2014. Looking at European Union Data Protection Law Reform Through a Different Prism: The Proposed EU General Data Protection Regulation Two Years Later. Journal of Internet Law, 17(9).
  22. Yu, B., Wijesekera, D., Costa, P., 2014. Consent-based Workflow Control in EMRs. Procedia Technology, 16, 1434-1445.

Paper Citation

in Harvard Style

Hyysalo J., Hirvonsalo H., Sauvola J. and Tuoriniemi S. (2016). Consent Management Architecture for Secure Data Transactions . In Proceedings of the 11th International Joint Conference on Software Technologies - Volume 1: ICSOFT-EA, (ICSOFT 2016) ISBN 978-989-758-194-6, pages 125-132. DOI: 10.5220/0005941301250132

in Bibtex Style

author={Jarkko Hyysalo and Harri Hirvonsalo and Jaakko Sauvola and Samuli Tuoriniemi},
title={Consent Management Architecture for Secure Data Transactions},
booktitle={Proceedings of the 11th International Joint Conference on Software Technologies - Volume 1: ICSOFT-EA, (ICSOFT 2016)},

in EndNote Style

JO - Proceedings of the 11th International Joint Conference on Software Technologies - Volume 1: ICSOFT-EA, (ICSOFT 2016)
TI - Consent Management Architecture for Secure Data Transactions
SN - 978-989-758-194-6
AU - Hyysalo J.
AU - Hirvonsalo H.
AU - Sauvola J.
AU - Tuoriniemi S.
PY - 2016
SP - 125
EP - 132
DO - 10.5220/0005941301250132