Second layer data governance for permissioned blockchains: the privacy management challenge
Paulo Henrique Alves, Isabella Z. Frajhof, Fernando A. Correia, Clarisse de Souza, Helio Lopes
OOctober 2020
Second layer data governance forpermissioned blockchains: the privacymanagement challenge
Paulo Henrique ALVES a , Isabella Z. FRAJHOF b , Fernando A. CORREIA a ,Clarisse DE SOUZA a and Helio LOPES aa Department of Informatics, PUC-Rio, Brazil b Law Department, PUC-Rio, Brazil
Abstract.
Data privacy is a trending topic in the internet era. Given such impor-tance, many challenges emerged in order to collect, manage, process, and publishdata. In this sense, personal data have got attention, and many regulations emerged,such as GDPR in the European Union and LGPD in Brazil. This regulation modelaims to protect users’ data from misusage and leakage and allow users to requestan explanation from companies when needed. In pandemic situations, such as theCOVID-19 and Ebola outbreak, the action related to sharing health data betweendifferent organizations is/ was crucial to develop a significant movement to avoidthe massive infection and decrease the number of deaths. However, the data subject,i.e., the users, should have the right to request the purpose of data use, anonymiza-tion, and data deletion. In this sense, permissioned blockchain technology emergesto empower users to get their rights providing data ownership, transparency, andsecurity through an immutable, unified, and distributed database ruled by smartcontracts. The governance model discussed in blockchain applications is usuallyregarding the first layer governance, i.e., public and permissioned models. How-ever, this discussion is too superficial, and they do not cover compliance with thedata regulations. Therefore, in order to organize the relationship between data own-ers and the stakeholders, i.e., companies and governmental entities, we developeda second layer data governance model for permissioned blockchains based on theGovernance Analytical Framework principles applied in pandemic situations pre-serving the users’ privacy and their duties. From the law perspective, we based ourmodel on the UE GDPR in regard to data privacy concerns.
Keywords. privacy, governance, blockchain, regulation, public health
1. Introduction
Data privacy and data protection became one of the most critical concerns in the digitalera. In order to regulate how data can be collected and used, many data protection regu-lations emerged to set rules to organize this environment. In Brazil, just recently, a gen-eral data protection regulation was enacted in 2018, becoming effective in September of2021 (Law n. 13.709/2018, Lei Geral de de Protec¸ ˜ao de Dados Pessoais - LGPD). Thisregulation aims to provide rights and duties for both users and companies, whenever theprocessing of personal data is taking place. Thus, data protection norms also applies, and a r X i v : . [ c s . C Y ] O c t ctober 2020 are extremely important in this scenario, when the processing of sensitive health data istaking place.However, some scenarios allow the use of sensitive health data collection withoutthe user’s consent, since other legal provision can be applied; the pandemic scenariois one example . Data sharing and communication among health institutions, public orprivate, and state entities are vital to the decision making process and the definition ofpublic policies in order to contain further disease spread [1]. Moreover, the communityengagement is also crucial to provide “ information delivery, consultation, collabora-tion in decision-making, empowering action in informal groups or formal partnerships,healthcare delivery and promotion, interaction with various stakeholders ” [2]. Previouspandemic outbreak experience like influenza, MERS-CoV, Zika , and now COVID-19,showed that data sharing between health institutions and other stakeholders worldwideare fundamental to fight against the broad contamination. The outbreak of other regionaldiseases in Brazil, such as Dengue, together with COVID-19, in 2021, will make thepublic health situation even more tricky and complex [3], once they present the sameclinic and laboratory characteristics [4].From the law perspective, in Brazil, the LGPD puts forward a set of rules and obli-gations that regulates the use of personal data by public and private entities. Thus, in thepandemic scenario, controllers and processors, must evaluate which of the legal basisforeseen in law authorizes the collection of users’ data (article 7 and 11 of the LGPD). Inthis sense, it must be remarked that the Brazilian data protection regulation establishesthat individual consent is only one of the legal basis authorizing data processing. Fur-thermore, data controllers must abide to the law’s principles, rights, safeguards and act ingood faith. Therefore, the authorization to process data does not imply in permission touse, process, and share personal data indiscriminately. There must be a purpose for pro-cessing data, that must be legitimate, specific, explicit and previous informed to the datasubject (known as the purpose principle - art. 6, I, LGPD) From a technology perspec-tive, data privacy management is challenging. Data must be processed and kept in a saferuled-base environment, and looks forward to a transparent and secure environment [5].In this sense, the blockchain technology emerges as a possible solution to builda unified, distributed, trusted database. Firstly, the data immutability provided by theconsensus mechanisms ensures the unified storage of historical information. Secondly,the data distribution among the worldwide network participants guarantees high dataavailability. Last but not least, the cryptography used in most of blockchain platformshave performed satisfying results in regards to data storage and transaction security [6].Therefore, regarding data governance, there are two main groups of blockchain plat-forms; the permissioned and the non-permissioned (public). The latter is broadly used forcryptocurrency applications. This model is basically full-public, i.e., anyone can read theblockchain data, and everyone can insert data since validated by the consensus protocol.The former is regarded as the best option for second layer governance for enabling datafeed and access by permissioned politics. Permissioned blockchains allow personalized European Commission.
COMMUNICATION FROM THE COMMISSION: Guidance on Apps supportingthe fight against COVID 19 pandemic in relation to data protection (2020/C 124 I/01) . Available at: https://ec.europa.eu/info/sites/info/files/5_en_act_part1_v3.pdf
Accessed at: 09/20/2020. Data Sharing in Public Health Emergencies. Available at:
Accessed at: 10/21/2020 ctober 2020 data sharing; the users are able to set access rules and set which data should be public,private, or accessed under case by case authorization.To do so, we propose a second layer of governance in permissioned blockchains so-lutions to fill this gap. We developed an architecture based on Hyperledger Fabric [7] toinstantiate the proposed governance in the COVID-19 pandemic scenario. We base ourmodel on the Governance Analytical Framework (GAF) [8] principles defining the Prob-lem (such as the purpose limitation), Actors (data subject and data controller and pro-cessor), Social Norms (regulations), Process (data processor methodologies), and NodalPoints (technology used to connect stakeholders) based on the pandemic scenario.
2. Background
The constant and intense collection of personal data by a myriad of services and goods,and the pan-optical vigilance exercised over our behaviour when analyzing this collecteddata, highlights the importance of ensuring ways to protect our personal data. Due toBrazilian lack of tradition in this subject, it is important to provide society acculturationand awareness of the importance of protecting personal data in general.In Brazil, the LGPD puts forward a set of rules and obligations that regulates the useof personal data by public and private entities. Thus, in the pandemic scenario, controllersand processors, must evaluate which of the legal basis foreseen in law authorizes thecollection of users’ data (article 7 and 11 of the LGPD). In this sense, it must be remarkedthat the Brazilian data protection regulation establishes that individual consent is onlyone of the legal basis authorizing data processing. In any case, data controllers mustabide to the law’s principles, rights, safeguards and act in good faith.In this sense, we have highlighted four fundamental ideas from the LGPD, whichwill be applied to the scenario that we will discuss in the next sections. Firstly, the pur-pose limitation principle, which imposes that data processing must be legitimate, spe-cific and explicitly informed to the data subject. Further processing is only allowed ifcompatible with the initial informed purpose (art. 6, I, LGPD). Secondly, the data min-imization principle, meaning that it should only be used the strictly necessary data toattend to the intended and informed purpose. Thirdly, the law strongly recommends theuse of anonymization or pseudonymization techniques as a governance and good prac-tice measure to ensure data security and to protect one’s privacy (arts. 12, 13, 46 and6, VII and VIII, LGPD). Fourth, data processing must happen in a transparent manner,with the disclosure of clear, precise and easily accessible information related to the dataprocessing activity and the controller and processor (art. 6, VI, LGPD). Furthermore,the law establishes different legal basis, beyond consent (arts. 7 and 11, LGPD), thatauthorizes the legitimate processing of personal data and sensitive data (which includeshealth data). Regardless of the legal basis used to process data, all data controllers andprocessors shall comply with the law’s principles and other safeguards.In the pandemic scenario, as well as COVID-19 outbreak, the compliance with dataprotection norms is of the utmost importance [9]. Such regulations do not forbid the useof personal data in such a context, but establishes the rules and legitimate uses that mustbe observed in pandemic scenarios. Such compliance provides that society as a whole ctober 2020 can benefit from the uses of such data: it protects individual’s privacy and data, at thesame time as it allows for data utility. In this sense, contact tracing apps [10–12] are beingimplemented as a manner to allow public health institutions to track the infection move-ment and potential infected people. Some of the apps use smartphone bluetooth sensorsto identify nearby devices of people that have been in contact with an infected person.In other cases, geolocation data are being being collected, although privacy concerns hasbeen being raised. This implies the monitoring, storing and communication of the col-lected information, which includes sensitive information (i.e. health data). Therefore, thechallenge is how to manage data privacy and comply with data protection regulationsprovisions.
Blockchain technology emerged initially as separated concepts, block and chain, as pil-lar bases for creating the Bitcoin [13]. This technology allowed the exchange of values,assets, cryptocurrencies, and tokens between different parties without a central author-ity to regulate the environment. For instance, banks are not necessary anymore; peopleare able to do transactions peer-to-peer. Moreover, the consensus protocol delivers dataimmutability and empowers users to participate in the decision-making process.Furthermore, blockchain technology also enabled the development of smart con-tracts. Nick Szabo presented this concept in 1996 [14] proposing the creation of con-tracts using a computer programming language with simple if-then-else logic. In 2014,Buterin [15] developed a blockchain platform that implemented the concept presentedby Szabo and explored the transparency, immutability, trust, and decentralization pro-vided by the blockchain technology. Therefore, smart contracts are immutable contractswritten in programming language code that, after deployed in a blockchain environment,could be used by anyone, according to the platform data governance model.There are two main models of first layer blockchain governance: (i) the public(permissionless), and the (ii) private, or hybrid, (permissioned) blockchain. The formerpresents full data transparency, and anyone can participate in the consensus protocol [16].Moreover, anyone can do transactions since the consensus protocol validated them. Thereare some popular public blockchain platforms with different application domains suchas: (i) Bitcoin for cryptocurrency; (ii) Ethereum for smart contracts and tokens [15], and(iii) EOS for smart contracts and games, for instance.The latter enables second layer data governance by the creation of policies for dataaccess and write [17]. For this reason, the permissioned blockchains are usually appliedfor the corporative and governmental environments. The smart contracts created in suchenvironment allow users to share their data under a pre-established agreement. In con-sequence, permissioned solutions are more compatible with data regulations worldwide.Many industries have exploring the permissioned blockchains and smart contracts, suchas health [18], insurance [19], supply-chain [20], oil and gas sector [21] and so on. Itshows how the blockchain adoption has been growing in the last years in many differentsectors. EOS platform. Available at: https://eos.io
Accessed at: 09/20/2020. ctober 2020
3. Data governance model
In general, the data governance concept is related to big companies and how they managea high volume of data. According to Khatri and Brown [22], governance is related to“ what decisions must be made to ensure effective management and use of IT and whomakes the decisions. ” Thus, data management is vital for influencing both operationaland strategic decisions directly. They are crucial to the interaction and decision-makingbetween parties that have to resolve a mutual problem.Even though the World Health Organization (WHO) has publicly disclosedCOVID-19 data, the transparency and traceability concepts have not been respected,since it is not possible to access who inserted the data, whether the data was properlyanonymized, whether the patient has given informed consent, etc. Moreover, central-ized platforms are subject to data unavailability for internet connection causes or hackerattack. In the pandemic outbreak, data unavailability is especially worrying and maypresent severe consequences to the control and management of disease spread.Many authors discuss the challenges and opportunities in the pandemic scenario[23–25], highlighting the importance of data quality. They argue that information qualitydepends on excellent data management, and it involves data standardization and high dataavailability. In summary, we selected five critical factors responsible for guaranteeinggood governance in the pandemic scenario. [22]: • Accountability : related to who is the data controller, how s/he evaluated the data,and what access roles were created in regards to data management. • Standards : related to data storage and access standards. • Partnership : related to sharing data between organizations. • Strategic points of control : related to data validation and data quality assurance. • Compliance monitoring : related to data auditing.Furthermore, there is a well-known approach called Governance Analytical Frame-work (GAF) [8]. The GAF is based on five principles: (i) problems, (ii) actors, (ii) socialnorms, (iv) processes, and (v) nodal points. This framework proposes deconstructing so-cial problems by decomposing them on these five principles and reconstructing them bymodeling the governance. This approach was used to model COVID-19 data governancescenario. Table 1 presents the association between the COVID-19 scenario and the GAFprinciples.This mapping helps people to identify the purpose of limitation accurately by verify-ing the Problem principle. The actors and norms involved can also be checked, so peopleare able to trigger, or even suite, the organization that broke any user’s rights. Moreover,by checking the processes and nodal points, people can request how they were collectedand processed. From the traceability perspective, the called “ contact tracing ” apps canbe modeled by the GAF principles as well. This mapping should also help health institu-tions to not only to elaborate explanation regarding which data will be collected, in whichscenarios, in which time range, but also to guarantee data anonymization. To improve thedata governance models [26], we proposed a user-centric model depicted in Figure 1. World Health Organization. Available at:
Accessed at: 09/20/2020. ctober 2020
GAF Principle COVID-19 Instantiation
Problem Health data management honoring user privacy right.Actors Actors are entities that require, or manage, the data. They are (i) data subjet (citizens)and (ii) data controller and processor (health institutions) - private and public entities.Social Norms Social Norms are roles that define who is able to insert, update, and request data.They are: (i) data subject, whom is able to request data anytime, explanations,corrections, and validations, and (ii) data controller and processor are able to insert data,but not exclude any information. They must provide the data subject’ answers.Processes Processes are related to data controller and processor mechanisms applied to collectand process data.Nodal Points Nodal Points are gateways that connect data subject to data controller and data processor.
Table 1.
COVID-19 GAF principles.
Figure 1.
User-centric model.
The user-centric model was based on one of the GDPR legal basis. There is six legalbases in this regulation and, even though the consent is one of them, it is one of themost important related to data privacy. The model highlights the actors and the consentrequirements in favor of the data subject. The Collection requirement informs that theconsent must be freely given.
Purpose limitation tells that the data processor and thedata controller must specify how circumstances the data will be used, and the
Data Min-imization defines the minimum data to attend the expected purpose.
Information requiresthe action to inform who collects and processes the data in an intelligible form, using astraightforward language.
Impartial Behaviour defines that no pre-ticked box, silence, orinactivity should constitute consent. Last but not least,
Revocation means that the datasubject should be able to revoke his/her consent as easy as was when it was requested.This model was proposed to enable further evolution, i.e., Entities, Requirements andthe Legal Basis used can be modified to represent other regulations or focus on otherconcerns. GDPR Consent Requirements. Available at: https://gdpr.eu/gdpr-consent-requirements/
Ac-cessed at: 09/20/2020. ctober 2020
In this sense, blockchain technology was proposed as an enabler that can provideprocess transparency, data traceability, and empower people to be aware of the use oftheir data and to assert their rights. Furthermore, the permissioned blockchain also en-ables data sharing customization without compromising this trustful environment.
4. Blockchain data governance
In general, blockchain governance refers to technical specifications and management.The consensus mechanisms specification, block size and block creation time are usuallydiscussed by the developers’ community in order to create different governance mod-els. Such models are usually applied for a particular purpose, such as cryptocurrency,tokenization, digital identity, etc. However, Panian [26] defined governance as “the pro-cesses, policies, standards, organizations and technologies required to manage and en-sure the availability, accessibility, quality, consistency, auditability, and security of datain an organization” and this concept may surpass the technical aspects (first layer) anddrives to the society discussion, in particular, data regulations (second layer).In order to present a complete solution to the pandemic outbreak scenario, we chosethe Hyperledger Fabric permissioned blockchain to support the instantiation of the de-veloped governance model based on the user-centric model. Permissioned blockchainsfit with all the presented concepts because it allows the creation of governance rules tomanage entities and data. Figure 2 depicts the GAF definitions applied to this technology.Blockchain technology provides transparency, traceability, data immutability, andavailability. Moreover, permissioned blockchain adds a role layer that allows data man-agement between selected entities. In this sense, such technology can be used to storeand share pandemic data, not only as a transparent link between data subjects, data con-trollers, and processors, but also as a data tracker and data provider to people or anyother interested entity. Through permissioned blockchain, data can be audited and beused as a data source for research purposes. Self-enforcement smart contracts enhancetrust between the data subject and the data controller and processor.From the user-centric design perspective, the smart contracts can be used to guaran-tee: (i) the consent collection by requesting this information by default, (ii) purpose lim-itation by ensuring that such purpose will not be changed, (iii) the historical informationin regards who is asking for collection and processing, (iv) the creation of standards forsilence, or inactivity, data subject behavior, and (v) the timestamp of revocation date.Therefore, blockchain smart contracts play a vital role in this environment; theyare responsible for roles assignment and can be used as a snapshot of activated normsin a specific moment. They are also crucial for feeding data on the blockchain. Figure2 presents the permissioned blockchain architecture based on the GAF instantiation inthe pandemic scenario. We based the architecture on the Hyperledger Fabric platformconcepts from the blockchain technology perspective, as did by Alketbi, Nasir, and Talib[27]. The presented governance architecture was developed based on GAF principles: Actors.
Represented by red boxes, they are: HealthInstitution (data controller andprocessor) and Citizen (data subject), that inherit Organization properties. The HealthIn- Timestamp definition: “A record in printed or digital form that shows the time at which something happenedor was done.”
Available at: https://dictionary.cambridge.org/dictionary/english/timestamp
Accessed at: 09/20/2020. ctober 2020
Figure 2.
GAF implementation in a permissioned blockchain architecture. stitution is responsible for feeding health data to the blockchain and process them to beconsumed by Citizen.
Nodal points.
Represented by brown boxes, they are ExternalInterface and Chain,which interacts directly, or indirectly, with HealthInstitutions and Citizens. They are dataaccess points; the former can apply graphical analysis, and the latter presents the rawdata.
Social Norms.
Purple boxes represent social norms; they are Smart Contracts andDataPipeline. Both boxes set up and verify the rights to access and write data. Moreover,smart contracts allow citizens to check the data collected regarding the data minimizationprinciple presented by LGPD.
Processes.
They are identified by the blue boxes, and they are represented by Trans-action, Block, and ConsensusProtocol entities. These boxes manage data in order tocheck the primary attributes, such as timestamp and id, which are used to create the linkbetween the blocks.
Problem.
This principle is represented by the LegalProse orange box, which is usedto describe the scenario context in high abstraction level on the smart contract. TheLegalProse also represents the purpose limitation principle foreseen in the LGPD, whichmeans that data shall only be used to a specific purpose, previously informed and abidedby the data subject, being prohibited further processing that is out of the declared scope.In this sense, the permissioned blockchain technology structured under the GAFgovernance allows the second layer data governance to deal with data accountability andtrustworthy data sharing by requirements in pandemic situations. Through the permis-sioned blockchain, people can access data from the source and verify data integrity. Ac-cording to the access rules agreement on the permissioned blockchain, the data avail-able to public consult allows researchers and governments to provide fast response in apandemic outbreak and enables new solutions based on the user’s consent. Furthermore,unified governance will enable institutions to share data following previously agreedrules. The data provenance is available for citizens, researchers, government, and healthinstitutions, which may improve the identification of data inconsistency worldwide byinformation comparison. ctober 2020
5. Related Work
This section aims to present the works related to contact-tracing applications, privacymanagement models, and blockchain technology application in the health environment.Contact tracing apps are also useful data sources for disease contamination tracking.The DP-3T initiative uses the Bluetooth signal to identify contaminated people or peoplethat have been in touch with someone contaminated [28]. Such solution is controversialfrom both privacy and medical viewpoint. First, not only the infected person would behighlighted to the authorities that he/she is sick, but also people that had been in touchwith him/her. Second, from the medical perspective, at least 60% of the population wouldhave the app installed to be effective. Therefore, to preserve the user’s privacy and guar-antee the necessary transparency to get people’s confidence to use this kind of app, all thedata should be anonymized and decentralized. In this turn, the permissioned blockchainplays a significant role in this scenario.Panian [26] argues that companies and government organizations should define stan-dards, policies, and processes for data management. The author presents the application-centric and process-centric models for data governance. However, the presented modelsdo not present the concerns related to privacy and consent management required not onlyby the GDPR, but usually required in many other data regulations.The authors in [18] proposed a blockchain-based application for electronic medicalrecords management to deal with heavy regulations in the health sector. The blockchainsmart contracts allow data sharing in this private peer-to-peer network. Even though thissolution gives the immutable log, distributed information, and Accountability, they didno association with any data regulations.As a result, the presented works showed essential concepts and applications regard-ing personal data collection and management. However, the junction of privacy manage-ment, governance model concepts, and the usage of blockchain technology applicationto provide a safe environment for data sharing has not been explored yet. Therefore, ourproposal of second layer data governance for permissioned blockchain offer a promiseof an environment for data sharing and privacy management.
6. Conclusions
The pandemic scenario requires collaboration between citizens and public health institu-tions worldwide. In this sense, people must trust in the data-sharing ecosystem and theirpolitics. The second layer data governance for permissioned blockchains aims to deliversuch confidence to people feel free to give their consent. Thus, they can share their datato contribute to define the diagnosis and evaluate methods to contain further spread.In this paper, we proposed a new data governance for privacy management in thepermissioned blockchain platforms. To do so, we used the COVID-19 outbreak scenarioto apply the GAF principles to identify and define actors (data subject, controller, andprocessor), problems (LGPD rules), social norms, processes, and nodal points. More-over, the LGPD rules guided our development towards compliance with data protectionregulations. Such definitions were used to develop the user-centric model. This modelaims to detail the concerns related to the usage of personal data maintaining compliancewith data protection regulations. ctober 2020
In order to apply the developed governance model, we added it as a second layerdata governance in a permission blockchain technology using the Hyperledger Fabric asa platform. This technology promise to support the data subjects giving the tool to decideabout sharing their data depending on the purpose limitation. Even though the permis-sioned blockchain is also promising to empower data subjects enabling the full controlof data sharing settings, it should be deeply explored in regards to the right of rectifica-tion. As an immutable database, the rectification aspects are a big challenge as well asthe right to revoke data access. These challenges are fundamental to respond to the pri-vacy concerns and should be addressed carefully considering the available cryptographymethods.
References [1] Cori, A., Donnelly, C. A., Dorigatti, I., Ferguson, N. M., Fraser, C., Garske, T., Jombart, T., Nedjati-Gilani, G., Nouvellet, P., Riley, S., Van Kerkhove, M. D., Mills, H. L., and Blake, I. M., “Key data foroutbreak evaluation: Building on the ebola experience,”
Philosophical Transactions of the Royal SocietyB: Biological Sciences , vol. 372, no. 1721, 2017.[2] Musesengwa, R., Chimbari, M. J., and Mukaratirwa, S., “Initiating community engagement in an eco-health research project in southern africa,”
Infectious diseases of poverty , vol. 6, no. 1, p. 22, 2017.[3] Lorenz, C., Azevedo, T. S., and Chiaravalloti-Neto, F., “Covid-19 and dengue fever: A dangerous com-bination for the health system in brazil,”
Travel Medicine and Infectious Disease , 2020.[4] Chen, N., Zhou, M., Dong, X., Qu, J., Gong, F., Han, Y., Qiu, Y., Wang, J., Liu, Y., Wei, Y., and oth-ers,, “Epidemiological and clinical characteristics of 99 cases of 2019 novel coronavirus pneumonia inwuhan, china: a descriptive study,”
The Lancet , vol. 395, no. 10223, pp. 507–513, 2020.[5] Karac¸am, D. A., “Privacy and monopoly concerns in data-driven transactions.,” in
JURIX , pp. 145–150,2019.[6] Kosba, A., Miller, A., Shi, E., Wen, Z., and Papamanthou, C., “Hawk: The blockchain model of cryptog-raphy and privacy-preserving smart contracts,” in ,pp. 839–858, IEEE, 2016.[7] Cachin, C. and others,, “Architecture of the hyperledger blockchain fabric,” in
Workshop on distributedcryptocurrencies and consensus ledgers , vol. 310, 2016.[8] Hufty, M., “Investigating policy processes: the governance analytical framework (gaf),”
Research forsustainable development: Foundations, experiences, and perspectives , pp. 403–424, 2011.[9] Bradford, L. R., Aboy, M., and Liddell, K., “Covid-19 contact tracing apps: A stress test for privacy, thegdpr and data protection regimes,”
Journal of Law and the Biosciences , 2020.[10] Ferretti, L., Wymant, C., Kendall, M., Zhao, L., Nurtay, A., Abeler-D¨orner, L., Parker, M., Bonsall,D., and Fraser, C., “Quantifying sars-cov-2 transmission suggests epidemic control with digital contacttracing,”
Science , vol. 368, no. 6491, 2020.[11] Cho, H., Ippolito, D., and Yu, Y. W., “Contact tracing mobile apps for covid-19: Privacy considerationsand related trade-offs,” arXiv preprint arXiv:2003.11511 , 2020.[12] van Kolfschooten, H. and de Ruijter, A., “Covid-19 and privacy in the european union: A legal perspec-tive on contact tracing,”
Contemporary Security Policy , pp. 1–14, 2020.[13] Nakamoto, S., “Bitcoin: A peer-to-peer electronic cash system,” tech. rep., Manubot, 2019.[14] Szabo, N., “Smart contracts: building blocks for digital markets,”
EXTROPY: The Journal of Transhu-manist Thought,(16) , vol. 18, no. 2, 1996.[15] Buterin, V. and others,, “A next-generation smart contract and decentralized application platform,” whitepaper , vol. 3, no. 37, 2014.[16] Crosby, M., Pattanayak, P., Verma, S., Kalyanaraman, V., and others,, “Blockchain technology: Beyondbitcoin,”
Applied Innovation , vol. 2, no. 6-10, p. 71, 2016.[17] Vukoli´c, M., “Rethinking permissioned blockchains,” in
Proceedings of the ACM Workshop onBlockchain, Cryptocurrencies and Contracts , pp. 3–7, 2017.[18] Ekblaw, A., Azaria, A., Halamka, J. D., and Lippman, A., “A case study for blockchain in health-care:“medrec” prototype for electronic health records and medical research data,” in
Proceedings ofIEEE open & big data conference , vol. 13, p. 13, 2016. ctober 2020 [19] Gatteschi, V., Lamberti, F., Demartini, C., Pranteda, C., and Santamar´ıa, V., “Blockchain and smartcontracts for insurance: Is the technology mature enough?,”
Future Internet , vol. 10, no. 2, p. 20, 2018.[20] Korpela, K., Hallikas, J., and Dahlberg, T., “Digital supply chain transformation toward blockchainintegration,” in proceedings of the 50th Hawaii international conference on system sciences , 2017.[21] Alves, P. H., Paskin, R., Frajhof, I., Miranda, Y. R., Gabriel, J., Jardim, J. J. B. C., Tress, E. H. H.,da Cunha, R. F., Nasser, R., and Robichez, G., “Exploring blockchain technology to improve multi-party relationship in business process management systems,” in
Proceedings of the 22nd InternationalConference on Enterprise Information Systems - Volume 2: ICEIS, , pp. 817–825, INSTICC, SciTePress,2020.[22] Khatri, V. and Brown, C. V., “Designing data governance,”
Communications of the ACM , vol. 53, no. 1,pp. 148–152, 2010.[23] Alhassan, I., Sammon, D., and Daly, M., “Data governance activities: an analysis of the literature,”
Journal of Decision Systems , vol. 25, no. sup1, pp. 64–75, 2016.[24] Tallon, P. P., Ramirez, R. V., and Short, J. E., “The information artifact in it governance: toward a theoryof information governance,”
Journal of Management Information Systems , vol. 30, no. 3, pp. 141–178,2013.[25] Hagmann, J., “Information governance–beyond the buzz,”
Records Management Journal , 2013.[26] Panian, Z., “Some practical experiences in data governance,”
World Academy of Science, Engineeringand Technology , vol. 62, no. 1, pp. 939–946, 2010.[27] Alketbi, A., Nasir, Q., and Talib, M. A., “Novel blockchain reference model for government services:Dubai government case study,”
International Journal of System Assurance Engineering and Manage-ment , pp. 1–22, 2020.[28] Fagherazzi, G., Goetzinger, C., Rashid, M. A., Aguayo, G. A., and Huiart, L., “Digital health strategiesto fight covid-19 worldwide: challenges, recommendations, and a call for papers,”