Exploring Blockchain for Consent and Privacy Data Management
The objective of this project is to explore blockchain technology and experiment with it for enhanced data security and personal information management for individuals, corporations, government entities, and public institutions. The vision is to design and develop a platform where data can be easily, securely and contextually shared across systems, with individuals as the owners of their data and in control of the flow of their personal information. The proposed blockchain-based platform would reduce the risk of unauthorized access and data manipulation, and would benefit everyone from private and public sector organizations to clinical trials; Canadian citizens would no longer need to spend time filling out forms with information they have already provided many times. The project will create awareness of privacy issues and promote best practices for protecting the personal information of Canadians through a set of application programming interfaces, and will produce a proof of concept prototype of the proposed platform.
Principal investigator: Dr. Qusay H. Mahmoud
As consumers have become increasingly interested in protecting their personal data and governments have started implementing regulations to ensure that consumers retain control over their data, consent management has become an important topic of discussion. Consent management is the process of gaining a user’s permission before their data is collected and stored. Blockchain is a technology that provides a reliable and secure ledger of transactions. It consists of blocks chained together, with each block containing some data, a timestamp, and a hash of the previous block. This concept was first devised by the mysterious Satoshi Nakamoto, the creator of Bitcoin. To this end, the goal of this project is to develop a blockchain-based solution to enable the monitoring of access to personal data.
The solution that we are proposing not only supports a traditional consent management system, where consumers approve any data collection, but also allows consumers to have full control of their data. Blockchain technology is leveraged for the integrity and security of the consent management. We have also implemented privacy by design throughout the design and architecture of this solution to ensure that data privacy is front and centre. We have worked on a solution where data privacy is the default setting and implemented a preventative approach to privacy concerns. Users can sign up for this consent management system and provide their personal information. This information is securely stored in an encrypted database and can be deleted upon the user’s request; this ensures respect for user privacy as outlined in the privacy by design principles. Once a user grants an organization access to their personal data, the organization can then access the relevant data in the consent management system. However, each access is logged and visible for the user to see; this applies the visibility and transparency principle of privacy by design. Organizations may not store this information or directly pass it on to other organizations. If an organization must pass a user’s data to another organization, it may pass only the user’s email address, which the second organization can use to request access to the user’s information from the user themselves through the consent management system. Users have the ability to revoke data access for a specific organization at any time.
In the proposed solution, we have a permissioned blockchain, so an administrator (or a group of admins) will need to approve adding data to the blockchain. The blockchain admin can be a third-party organization, hospital, or government agency. In our proof of concept implementation, there is a single administrator who is the maintainer of this blockchain, and approval of adding data to the blockchain is automatic, as implemented by APIs called by authorized clients.
This solution uses a centralized Hyperledger Fabric blockchain to keep track of access to personal data. The personal data itself resides in a database. Each access to the database is logged to the blockchain. End users are able to view the blockchain itself and see who accessed their data and when it was accessed. Figure 1 shows the overall design and architecture of this solution.
As shown in Figure 2, users can register for the service using the end user portal. This will allow users to send their data to the API which will then securely store it in a DynamoDB table on AWS.
Once a user is signed up on the platform, an organization has the ability to request access to the user’s data. Generally, this will be done when a user signs up on the organization’s platform. Rather than giving their personal information directly to the organization, users give the organization their email address. Once the organization requests access to the user’s data, the user can log into the portal and view the request. The user has the option to approve or reject this request. Approving the request then allows the organization to access the data. This entire process is shown in Figure 3.
Once the organization has been granted access to the user’s data, they have the ability to access it at any point. As shown in Figure 4, when the organization accesses a user’s data, an access log is automatically generated and written to the blockchain. This automatic logging ensures high accountability.
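The request, approve, access and revoke flow of Figures 3 and 4, as an added example rather than the project's own code: Hyperledger Fabric and DynamoDB are replaced by an in-memory Python model, and the access log is a plain SHA-256 hash chain of blocks carrying data, a timestamp and the previous block's hash, so that an end user can list every read of their data and detect any alteration of the log.

```python
import hashlib
import json

class ConsentLedger:
    def __init__(self):
        self.requests = {}  # (user_email, org) -> pending | approved | rejected | revoked
        self.chain = []     # access-log blocks, each carrying the previous block's hash

    def request_access(self, user_email, org):
        # The organization holds only the user's email; data stays in the user's store.
        self.requests[(user_email, org)] = "pending"

    def decide(self, user_email, org, approve):
        if self.requests.get((user_email, org)) != "pending":
            raise ValueError("no pending request for this organization")
        self.requests[(user_email, org)] = "approved" if approve else "rejected"

    def revoke(self, user_email, org):
        self.requests[(user_email, org)] = "revoked"  # later accesses are refused

    def access(self, user_email, org, store, ts):
        # Data is served only under an approved grant, and every served access
        # is appended to the chain so the user can later see who read it and when.
        if self.requests.get((user_email, org)) != "approved":
            return None
        self._append({"user": user_email, "org": org, "action": "read"}, ts)
        return store[user_email]

    def _append(self, data, ts):
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        block = {"data": data, "ts": ts, "prev": prev}
        block["hash"] = self._digest(block)
        self.chain.append(block)

    @staticmethod
    def _digest(block):  # hash over data, timestamp and previous hash
        body = {k: v for k, v in block.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        # Recompute each hash and check each prev link; False if any block was altered.
        prev = "0" * 64
        for b in self.chain:
            if b["prev"] != prev or self._digest(b) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def accesses_for(self, user_email):  # what the end-user portal would list
        return [(b["ts"], b["data"]["org"]) for b in self.chain if b["data"]["user"] == user_email]
```

The `store` argument stands in for the encrypted database; the sample user and organization names used with it are constructed.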
IBM Knowledge Center, www.ibm.com/support/knowledgecenter/SSWSR9_11.6.0/com.ibm.mdmhs.overview.doc/consentmanagementoverview.html.
Javed, I., Alharbi, F., Margaria, T., Crespi, N., Qureshi, K.N. “PETchain: A Blockchain-Based Privacy Enhancing Technology.” IEEE Access, vol. 9, 2021, pp. 41129–41143, 10.1109/access.2021.3064896.
Cavoukian, A. “Privacy by Design: The 7 Foundational Principles.” Available online. Accessed on Dec 23, 2019.
Note: The blockchain demo, which was running on AWS, has been shut down due to increasing monthly expenses.
If you would like to see a demonstration of our proof of concept implementation, please visit https://demo.consentblock.ca and create a new account, or use the guest accounts below.
Test User Login Information
User Email: JohnDoe@consentBlock.ca
User Password: !ConsentBlock1
Test Organization Login Information
Organization Email: consentBlock@consentblock.ca
Organization Password: @ConsentBlock1
Publication: A Systematic Review of Blockchain for Consent Management
Related Papers: Design and Implementation of a Blockchain-Based E-Health Consent Management Framework
Blockchain Technology in Healthcare: A Systematic Review
Design and Implementation of a Blockchain-based Consent Management System
If you have any questions about this project, please contact Dr. Q. Mahmoud
Email: qusay.mahmoud AT ontariotechu.ca