The GDPR Provenance ontology
http://purl.org/adaptcentre/people/harshvardhan_pandit
http://purl.org/adaptcentre/people/dave_lewis
2017-08-01
2017-08-01
http://purl.org/adaptcentre/openscience/ontologies/gdprov#
gdprov
0.1
https://openscience.adaptcentre.ie/ontologies/gdprov/gdprov.0.1.owl
GDPRov is an OWL2 ontology to express provenance metadata of consent and data lifecycles towards documenting compliance for GDPR.
PROV and P-Plan extension for representing provenance of consent and data lifecycles. Created by Harshvardhan J. Pandit and Dave Lewis.
https://creativecommons.org/licenses/by/4.0/
The upcoming General Data Protection Regulation (GDPR) requires that activities which acquire, use, share, and store data be justified using consent obtained from the user. Failure to comply may result in significant fines, which incentivises the creation and maintenance of records for all activities involving consent and data. Compliance documentation therefore requires provenance information outlining consent and data lifecycles, to demonstrate that data was used in accordance with the consent provided, and later updated, by the user. GDPRov (pronounced GDPR-Prov) is a linked data ontology for expressing the provenance of consent and data lifecycles with a view towards documenting compliance. GDPRov is an OWL2 ontology that extends PROV-O and P-Plan to model this provenance.
Links data obtained (collected) by the step/activity that acquired it
collectsData
Indicates that a DataAnonymisationStep transforms a Data object into AnonymisedData
generatesAnonymisedData
Generates a ConsentAgreement, which is the consent granted by the user based on the ConsentAgreementTemplate, through a ConsentAcquisitionStep
generatesConsentAgreement
Links a step with the data it produces (generates)
generatesData
Indicates the anonymity level of an AnonymisedData object using instances of the AnonymityLevel class
hasAnonymityLevel
isAnonymisedByStep
isConsentAgreementTemplateForStep
isDataCollectedByStep
isDataGeneratedByStep
isGeneratedByStep
isJustificationForDataStep
Justifies the use of data by a step through the specified consent agreement
isJustifiedUsingConsentAgreement
isTermsAndConditionsForStep
isUsedByStep
Indicates sharing of Data through a DataStep
sharesData
Shares data with a third party
sharesDataWithThirdParty
Links a Consent Acquisition Step with the Consent Agreement Template used to acquire consent
usesConsentAgreementTemplate
Links a step with the data it uses
usesData
Links a Consent Acquisition Step with the Terms and Conditions presented to the user when acquiring Consent
usesTermsAndConditions
Represents data that has been Anonymised at some level reflected by the hasAnonymityLevel object property
AnonymisedData
Provides a way to express the Anonymity Level of AnonymisedData objects through the object property hasAnonymityLevel
AnonymityLevel
ConsentAcquisitionStep deals with acquiring consent from the user. It uses the Terms and Conditions along with the appropriate Consent Agreement Template as the basis for obtaining consent from the user. The output of this step is the consent object (ConsentAgreement) agreed to by the user.
ConsentAcquisitionStep
ConsentAgreement reflects the consent provided by the user based on the Terms and Conditions and Consent Agreement Template presented to them. It is the set of permissions the user has specifically granted or refused. This consent is used to justify activities that use the user's data.
ConsentAgreement
This is a template for consent requested from the user.
ConsentAgreementTemplate
ConsentArchivalStep archives acquired consent to form a record of the consent given by the user.
ConsentArchivalStep
ConsentModificationStep deals with modifications to the consent by the user. It invalidates the previous consent object and produces a new updated consent object that represents the modified consent.
ConsentModificationStep
A ConsentStep acts on, interacts with, or uses Consent
ConsentStep
A ConsentWithdrawalProcess deals with the withdrawal of consent by the user and the corresponding activity carried out within the system
ConsentWithdrawalProcess
ConsentWithdrawalStep deals with withdrawal of consent
ConsentWithdrawalStep
Represents the class of data collected or generated through various activities
Data
A DataAccessProcess corresponds to a request made by a user for access to their data within the system. This process is responsible for handling the request and providing the appropriate data to the user.
DataAccessProcess
DataAnonymisationStep anonymises data by transforming it from one form to another along the anonymisation chain.
Anonymisation can be represented as a spectrum: from raw user data, to pseudo-anonymised data that can be de-anonymised by the same agent/organisation, to pseudo-anonymised data that cannot be de-anonymised internally but may be de-anonymised by external agents who have access to other data, and finally to completely anonymised data.
DataAnonymisationStep
A DataArchivalProcess describes the process of data archival
DataArchivalProcess
DataArchivalStep archives data by transforming it and storing it
DataArchivalStep
DataCollectionStep collects data from the user
DataCollectionStep
DataDeanonymisationStep deanonymises data by transforming it from one form to another along the anonymisation chain.
DataDeanonymisationStep
DataDeletionStep deletes data from within the system; the deletion is expressed as prov:invalidated over the dataset.
DataDeletionStep
A DataErasureProcess is responsible for handling the data erasure of a data subject.
DataErasureProcess
A DataRectificationProcess describes the process of data rectification, which is the correction of data already present within the system
DataRectificationProcess
DataSharingStep shares data with another agent/organisation. These may be internal or external entities.
DataSharingStep
A DataStep deals with data
DataStep
DataStorageStep stores data within the system
DataStorageStep
DataTransformationStep transforms data from one form into another.
DataTransformationStep
A DataUsageStep is a DataStep that uses existing data present within the system
DataUsageStep
A process that defines the actions that should be undertaken in event of a data breach
HandleDataBreachProcess
PersonalData is any data pertaining to the user which can contain personally identifiable information, or a data set generated by the system using personally identifiable information acquired through direct or indirect means
PersonalData
A Process describes a 'Plan' of action for carrying out a particular activity that uses or is related to Data or Consent
Process
Terms and Conditions of use, as presented to the user when agreeing to the provided service
TermsAndConditions
A ThirdParty is any external entity associated with some internal activity
ThirdParty
A ThirdPartyDataController is a Third Party entity that acts as a Data Controller
ThirdPartyDataController
A ThirdPartyDataProcessor is a Third Party entity that acts as a Data Processor
ThirdPartyDataProcessor
A UserIdentifier is a specific way to identify the user, through a unique ID or a combination of other attributes
UserIdentifier
Anonymised represents the Anonymisation level where the data cannot be de-anonymised to retrieve personally identifiable information.
Anonymised
DeAnonymised represents the Anonymisation level where the data is completely de-anonymised and contains directly accessible personally identifiable information.
DeAnonymised
PseudoAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is NOT accessible to the data-holding organisation to retrieve personally identifiable information.
PseudoAnonymised
PseudoOrganisationalAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is accessible to the data-holding organisation to recreate the de-anonymised information.
PseudoOrganisationalAnonymised
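The following is an added worked example, not part of the GDPRov ontology or its authors' code. It builds a small constructed provenance graph using the gdprov terms above (ConsentAcquisitionStep, ConsentAgreement, ConsentWithdrawalStep, DataCollectionStep, DataSharingStep, DataUsageStep, PersonalData and the collectsData, usesData, sharesData, isJustifiedUsingConsentAgreement and generatesConsentAgreement properties) together with PROV-O's prov:startedAtTime, prov:generatedAtTime, prov:invalidated and prov:invalidatedAtTime, and then audits it for the compliance question the ontology is designed to answer: is every step that touches PersonalData justified by a ConsentAgreement that was actually produced by a consent step and was still valid when the step ran? The http://example.org/acme/ namespace, the instance names, the timestamps and the finding codes are assumptions made for illustration; treating ConsentModificationStep as a producer of agreements is also an assumption, since the ontology only says it "produces a new updated consent object". The graph is kept as plain tuples so the script runs with the standard library alone; an rdflib graph plus a SPARQL query would express the same check.

```python
"""Audit a gdprov/PROV-O provenance graph for data steps that lack valid consent.

Added example: the graph below is constructed for illustration and is not part
of the GDPRov ontology. Triples are (subject, predicate, object) tuples of
IRI/literal strings so the script runs with the standard library only.
"""
from datetime import datetime

GDPROV = "http://purl.org/adaptcentre/openscience/ontologies/gdprov#"
PROV = "http://www.w3.org/ns/prov#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
EX = "http://example.org/acme/"  # assumed namespace for the instance data


def g(name): return GDPROV + name
def prov(name): return PROV + name
def ex(name): return EX + name


# Properties that link a step to the data it touches (from the ontology).
DATA_PREDICATES = {g("collectsData"), g("usesData"), g("sharesData"), g("generatesData")}
# Steps accepted as producers of a ConsentAgreement. ConsentModificationStep is
# an assumption: the ontology says it "produces a new updated consent object".
CONSENT_PRODUCERS = {g("ConsentAcquisitionStep"), g("ConsentModificationStep")}

# Constructed sample graph: one user's consent lifecycle and three data steps.
TRIPLES = {
    # Consent acquired on 2017-06-01 using a template and the current T&Cs
    (ex("acquire-1"), RDF_TYPE, g("ConsentAcquisitionStep")),
    (ex("acquire-1"), g("usesConsentAgreementTemplate"), ex("newsletter-template-v2")),
    (ex("acquire-1"), g("usesTermsAndConditions"), ex("tnc-2017-05")),
    (ex("acquire-1"), g("generatesConsentAgreement"), ex("consent-u42")),
    (ex("consent-u42"), RDF_TYPE, g("ConsentAgreement")),
    (ex("consent-u42"), prov("generatedAtTime"), "2017-06-01T10:00:00"),
    # Consent withdrawn on 2017-07-15: the agreement is invalidated (PROV-O)
    (ex("withdraw-1"), RDF_TYPE, g("ConsentWithdrawalStep")),
    (ex("withdraw-1"), prov("invalidated"), ex("consent-u42")),
    (ex("consent-u42"), prov("invalidatedAtTime"), "2017-07-15T09:00:00"),
    # Data steps touching the user's e-mail address
    (ex("email-u42"), RDF_TYPE, g("PersonalData")),
    (ex("collect-1"), RDF_TYPE, g("DataCollectionStep")),
    (ex("collect-1"), g("collectsData"), ex("email-u42")),
    (ex("collect-1"), g("isJustifiedUsingConsentAgreement"), ex("consent-u42")),
    (ex("collect-1"), prov("startedAtTime"), "2017-06-01T10:05:00"),  # valid
    (ex("share-1"), RDF_TYPE, g("DataSharingStep")),
    (ex("share-1"), g("sharesData"), ex("email-u42")),
    (ex("share-1"), g("sharesDataWithThirdParty"), ex("mailer-inc")),
    (ex("share-1"), g("isJustifiedUsingConsentAgreement"), ex("consent-u42")),
    (ex("share-1"), prov("startedAtTime"), "2017-08-01T12:00:00"),  # after withdrawal
    (ex("use-1"), RDF_TYPE, g("DataUsageStep")),
    (ex("use-1"), g("usesData"), ex("email-u42")),
    (ex("use-1"), prov("startedAtTime"), "2017-06-20T08:00:00"),  # no justification
}


def objects(triples, s, pred):
    return {o for (ss, pp, o) in triples if ss == s and pp == pred}


def subjects(triples, pred, o):
    return {s for (s, pp, oo) in triples if pp == pred and oo == o}


def is_a(triples, node, cls):
    return (node, RDF_TYPE, cls) in triples


def audit(triples):
    """Return sorted (step, agreement, code) findings for personal-data steps
    whose consent justification is missing, malformed, or no longer valid."""
    findings = []
    steps = {s for (s, pp, o) in triples
             if pp in DATA_PREDICATES and is_a(triples, o, g("PersonalData"))}
    for step in sorted(steps):
        started = objects(triples, step, prov("startedAtTime"))
        if len(started) != 1:
            findings.append((step, None, "NO_START_TIME"))
            continue
        t_step = datetime.fromisoformat(next(iter(started)))
        agreements = objects(triples, step, g("isJustifiedUsingConsentAgreement"))
        if not agreements:
            findings.append((step, None, "NO_JUSTIFICATION"))
            continue
        for agr in sorted(agreements):
            if not is_a(triples, agr, g("ConsentAgreement")):
                findings.append((step, agr, "NOT_A_CONSENT_AGREEMENT"))
            elif not any(is_a(triples, s, c) for c in CONSENT_PRODUCERS
                         for s in subjects(triples, g("generatesConsentAgreement"), agr)):
                findings.append((step, agr, "NO_PRODUCING_CONSENT_STEP"))
            elif any(t_step < datetime.fromisoformat(t)
                     for t in objects(triples, agr, prov("generatedAtTime"))):
                findings.append((step, agr, "STEP_PREDATES_CONSENT"))
            elif any(t_step >= datetime.fromisoformat(t)
                     for t in objects(triples, agr, prov("invalidatedAtTime"))):
                findings.append((step, agr, "CONSENT_INVALIDATED"))
    return findings


if __name__ == "__main__":
    for step, agreement, code in audit(TRIPLES):
        print(f"{code}: {step}" + (f" (agreement {agreement})" if agreement else ""))
```

On the sample graph the audit flags two of the three data steps: the DataSharingStep to the third party ran after the ConsentWithdrawalStep invalidated the agreement, and the DataUsageStep carries no isJustifiedUsingConsentAgreement at all. The DataCollectionStep passes because it sits between the agreement's prov:generatedAtTime and prov:invalidatedAtTime. Steps that only touch AnonymisedData are outside the check, which is the intended reading of the anonymisation spectrum above: only PersonalData needs a consent justification.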