2017-10-20 http://purl.org/adaptcentre/people/harshvardhan_pandit gdprov 0.4 The GDPR Provenance ontology http://purl.org/adaptcentre/people/dave_lewis 2017-08-01 The upcoming General Data Protection Regulation (GDPR) requires justification of data activities to acquire, use, share, and store data using consent obtained from the user. Failure to comply may result in significant heavy fines which incentivises creation and maintenance of records for all activities involving consent and data. Compliance documentation therefore requires provenance information outlining consent and data lifecycles to demonstrate correct usage of data in accordance with the related consent provided and updated by the user. GDPRov (pronounced GDPR-Prov) is a linked data ontology for expressing provenance of consent and data lifecycles with a view towards documenting compliance. GDPRov is an OWL2 ontology that extends PROV-O and P-Plan to model the provenance. http://purl.org/adaptcentre/openscience/ontologies/gdprov# GDPRov is an OWL2 ontology to express provenance metadata of consent and data lifecycles towards documenting compliance for GDPR. PROV and P-Plan extension for representing provenance of consent and data lifecycles. Created by Harshvardhan J. Pandit and Dave Lewis. https://creativecommons.org/licenses/by/4.0/ https://openscience.adaptcentre.ie/ontologies/gdprov/v/gdprov.0.4.owl Archives the consent into some entity archives consent as Links data obtained (collected) by the step/activity that acquired it collectsData Indicates that an DataAnonymisationStep transforms a Data object into AnonymisedData generatesAnonymisedData Generates ConsentAgreement which is a the consent granted by the user based on the ConsentAgreementTemplate through a ConsentAcquisitionStep generatesConsentAgreement produces data generatesData Indicates the anonymity level of an AnonymisedData object using instances of the AnonymityLevel class hasAnonymityLevel isAnonymisedByStep isConsentAgreementTemplateForStep isDataCollectedByStep isDataGeneratedByStep isGeneratedByStep isJustificationForDataStep justifies use of data by step through specified consent agreement isJustifiedUsingConsentAgreement isTermsAndConditionsForStep isUsedByStep Indicates sharing of Data through a DataStep sharesData Shares data with a third party sharesDataWithThirdParty uses Consent Agreement entity uses Consent Agreement links a Consent Acquisition Step with the Consent Agreement Template used to acquire consent usesConsentAgreementTemplate links step with data used usesData Links a Consent Acquisition Step with the Terms and Conditions presented to the user when acquiring Consent usesTermsAndConditions Is an activity that acquires consent. Acquire Consent Activity Is an activity that anonymises data. Anonymisation Activity Represents data that has been Anonymised at some level reflected by the hasAnonymityLevel object property AnonymisedData Is an entity where personal data has been anonymised to some extent. Anonymised Data Entity Provides a way to express the Anonymity Level of AnonymisedData objects through the object property hasAnonymityLevel AnonymityLevel Reflects the process(es) used to appoint processors Appoint Processor An activity that archives given/acquired consent for storage. Archive Consent Activity ConsentAcquisitionStep deals with acquiring consent from the user. It uses Terms and Conditions along with the appropriate Consent Model as the basis of obtaining consent from the user. The output of this step is the consent object agreed upon by the user. Consent Acquisition Step Is an activity dealing with consent. Consent Activity ConsentAgreement reflects the consent provided by the user based on the provided Terms and Conditions and Consent Agreement Templates. It is the set of permissions the user has specifically provided or refused to provide. This consent is useful to provide justification of activities that use user data. ConsentAgreement This is a template for consent requested from the user. ConsentAgreementTemplate ConsentArchivalStep archives acquired consent to form a record of the consent given by the user. Consent Archival Step ConsentModificationStep deals with modifications to the consent by the user. It invalidates the previous consent object and produces a new updated consent object that represents the modified consent. Consent Modification Step A ConsentStep acts/interacts with/uses Consent Consent Step A ConsentWithdrawalProcess deals with the withdrawal of consent by the user and the corresponding activity carried out within the system Consent Withdrawal Process ConsentWithdrawalStep deals with withdrawal of consent Consent Withdrawal Step A ThirdPartyDataController is a Third Party entity that acts as a Data Controller Controller A Representative of the Controller Controller Representative Reflects cross-border transfer of data Cross-border Data Transfer Is an activity that transfer data across borders (as defined in the GDPR). Cross Border Transfer Activity The Data Protection Officer appointed to an organisation. Data Protection Officer (DPO) Represents class of data collected or generated through various activities Data A DataAccessProcess corresponds to the request made by an user for access to their data within the system. This process is responsible for handling the request process and providing the appropriate data to the end user. Data Access Process Is an activity involving data. Data Activity DataAnonymisationStep anonymises data by transforming it from one form to another along the anonymisation chain. Anonymisation can be represented as a spectrum going from raw user data to pseudo-anonymised data that can be de-anonymised by the same agent/organisation to pseudo-anonymous data that cannot be deanonymised internally, but may be done by external agents who have access to other data, and finally to completely anonymised data. Data Anonymisation Step Is an activity that archives data. Archival is transformation of data into some form for storage. Data Archival Activity A DataArchivalProcess describes the process of data archival Data Archival Process DataArchivalStep archives data by transforming it and storing it Data Archival Step Is an activity dealing with data breach. Data Breach Activity A record of a data breach. Data Breach Record Step representing an action associated with data breach. Data Breach Step Is an activity that collects or acquires data. Data Collection Activity DataCollectionStep collects data from the user Data Collection Step DataDeanonymisationStep deanonymises data by transforming it from one form to another along the anonymisation chain. Data Deanonymisation Step Is an activity that deletes or erases data. Data Deletion Activity DataDeletionStep deletes data from within the system; The deletion is expressed as prov:invalidated over the dataset. Data Deletion Step Represents a data entity. Data Entity A DataErasureProcess is responsible for handling the data erasure of a data subject. Data Erasure Process A DataRectificationProcess describes the process of data rectification, which is the correction of data already present within the system Data Rectification Process Is an activity that shares data. Data Sharing Activity DataSharingStep shares data with another agent/organisation. These may be internal or external entities. Data Sharing Step A DataStep deals with data Data Step Is an activity that stores data. Data Storage Activity DataStorageStep stores data within the system Data Storage Step An individual or entity Data Subject Is an activity that transforms data. Data Transformation Activity DataTransformationStep transforms data from one form into another. Data Transformation Step Is an activity that uses data. Can also be termed as 'Processing' of data. Data Usage Activity A DataUsageStep is a DataStep that uses existing data present within the system Data Usage Step Is an activity that deanonymises data. DeAnonymisation Activity Direct Marketing where the marketing is done directly to the data subject. Direct Marketing Represents the given consent by the data subject. Given Consent Is the template used to obtain the given consent. Given Consent Template A process that defines the actions that should be undertaken in event of a data breach HandleDataBreachProcess The process or series of steps that handle the right of data portability. Handle Right of Data Portability The process or series of steps that handle the right of erasure. Handle Right of Erasure The process or series of steps that handle the right to access personal data. Handle Right to access Personal Data The process or series of steps that handle the right to basic information about processing. Handle Right to basic information about Processing The process or series of steps that handle the right to not be processed automatically. Handle Right to not be evaluated through Automated Processing The process or series of steps that handle the right to object to direct marketing. Handle Right to Object to Direct Marketing The process or series of steps that handle the right to object to processing. Handle Right to Object to Processing The process or series of steps that handle the right to rectification of personal data. Handle Right to Rectification The process or series of steps that handle the right to restrict processing. Handle Right to restrict Processing The process or series of steps that handle the right to transparency. Handle Right to Transparency Impact Assessment for the organisation Represents the process or collection of steps representing the Impact Assessment. Impact Assessment A Joint Controller is where two or more controllers jointly determine the purposes and means of processing. Joint Controller(s) Marketing as a process or collection of steps. Marketing Is an activity that modifies given consent. Modify Consent Activity The process of monitoring compliance as mandated by the GDPR. Monitor Compliance Step that notifies the controller of data breach. Notify Controller Is an activity that notifies controller about data breach Notify Controller Activity Step that notifies the Data Protection Authorities of a data breach. Notify Data Protection Authority Is an activity that notifies data protection authorities about data breach Notify DPA Activity Step that notifies the data subject of data breach. Notify Data Subject Is an activity that notifies data subjects about data breach Notify Data Subject Activity PersonalData is any data pertaining to the user which can contain personally identifiable information or a data set generated by the system using personally identifiable information acquired through direct or indirect means PersonalData Represents a personal data entity. Personal Data Entity A Process describes a 'Plan' of action for carrying out a particular activity that uses or is related to Data or Consent Process A ThirdPartyDataProcessor is a Third Party entity that acts as a Data Processor Processor A representative of the Processor. Processor Representative A step that provides the data subject with a copy of their personal data. Provide copy of Personal Data Rectifies existing data Rectify Data Is an activity that recitifies data. Rectify Data Activity The process of reporting after a data breach has taken place. Report Data Breach Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Sensitive Personal Data Is an entity containing sensitive personal information. Sensitive Data Entity A Processor appointed under or by another Processor is a Sub-Processor. Sub-Processor Terms and Conditions of usage as provided to the user in agreement of provided service TermsAndConditions Represents the Terms and Conditions entity. Terms and Conditions Entity A ThirdParty is any external entitiy associated with some internal activity ThirdParty An UserIdentifier is a specific way to identify the user through a unique ID or a combination of other attributes UserIdentifier Is an entity acting as the user identifier. Or contains an identifier. User Identifier Entity Is an activity that withdraws given consent. Can also term it so as to depict withdrawal as a modification of consent. Withdraw Consent Activity Anonymised represents the Anonymisation level where the data cannot be de-anonymised to retrieve personally identifiable information. Anonymised DeAnonymised represents the Anonymisation level where the data is completely de-anonymised and contains directly accessible personally identifiable information. DeAnonymised PseudoAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is NOT accessible to the data-holding organisation to retrieve personally identifiable information. PseudoAnonymised PseudoOrganisationalAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is accessible to the data-holding organisation to recreate the de-anonymised information. PseudoOrganisationalOrganised