# GenoBank.io

https://genobank.io/ (please refer to the website for a general overview and the goals of the project)

## GDPR compliant secure encrypted sharing of genomic data using Blockchain technology

### Prerequisites

- **Pseudonymous identity**: created using public/private keypairs that are compatible with the underlying blockchain cryptography. Keypairs are free for anyone to generate and do not require any registration; in fact, they can be generated offline. Their purpose is to identify the actors in the system and to provide encryption and decryption keys for the data at a later stage.
- **DNA biosample**: using the GenoBank.io saliva kit, your DNA is sequenced and delivered to you as a digital file.
- **DNA donor**: this is the data subject, a user who wants to share a digital DNA biosample with other people (such as research institutes).
- **BioNFT token**: a "biospecimen permission token" is a Non-Fungible Token for managing the usage rights on data. It is a smart contract which is signed by an identity (the owner of the data) to grant usage of a DNA biosample for a certain period of time. It grants the researcher (or any receiving party) the right to use this DNA sample.
- **Blockchain notary**: a notary service (and smart contract with a fixed, agreed-upon address on the blockchain) that keeps track of state changes in the system. Most notably, it notarizes the NFT tokens on the blockchain, so every observer can irrefutably verify that a certain state change happened at a certain point in time. Since it is written on a public blockchain, it is immutable and observable by all. Since we only store the hash of the data, only those with access to the data itself can do the verification.

## Architecture of the solution

People who want to exchange DNA (genomic) data in a GDPR compliant way will use a PC that holds and synchronizes data and has software installed on it (a software package) that executes the rules of the protocol.

The goals of the hardware solution are to:

- provide a solution to store the DNA data in an encrypted form
- provide a decentralized solution for storing data (that is, not in a data center, but in the home of the user)
- provide a convenient user interface to manage the usage rights (BioNFT tokens) on their data
- do the re-encryption of data for recipients if a "biosample permission token" (BioNFT) has been created and delegated
- make sure that the re-encrypted data is made available ('pinned') in the data store
- securely exchange messages with the recipients of the data
- comply with state changes in the BioNFT tokens issued, most notably by removing (destroying and blocklisting) datasets on their system whose license has been revoked or has expired at some point in time

## The data-exchange protocol

There are different actors in this protocol:

**Issuer**: the owner of the DNA data. He/she will manage the usage rights of their DNA data through the app.

**Recipient**: the researcher or research institute that would like to receive the data for analysis.

**Notary**: a smart contract on the blockchain that can be used to notarize data, thus giving it a public timestamp ("Proof Of Existence") that can be publicly verified by outside observers. Anyone who has the original data can prove that the data was notarized.

There are 3 flows in the protocol.

### 1. Issue right to use DNA data

```sequence
Recipient->Issuer: Ask for permission
Issuer->Notary: Issue BioNFT token
Notary->Recipient: notification of issuance
Issuer->Recipient: Send encrypted data
Note over Recipient: has data + usage rights
```

### 2. Extend right to use DNA data

```sequence
Recipient->Issuer: Ask for extension
Issuer->Notary: Issue new BioNFT token
Notary->Recipient: notification of issuance
Note over Recipient: has data + usage rights
```

### 3. Revoke right to use DNA data

```sequence
Issuer->Notary: revocation BioNFT token
Notary->Recipient: notification of revocation
Note over Recipient: removes data + blacklists
```

## GOAL

The overall goal of GenoBank.io is to build a network of people who can share DNA data in a self-sovereign way using their boxes, in a GDPR compliant way (through a GDPR certification or a GDPR audit).

The question is how we combine an identity (ID) + Biospecimen + Wet Lab (DNA extraction & Sequencing) + IPFS + Non-fungibles (biosample permission token) to digitally enforce/program the 4 main rights of the GDPR:

1. Right to know
2. Right to Port (Own) data
3. Right to be forgotten
4. Not to be discriminated

## Future R+D

1. Would this approach reverse the roles of "GDPR data processor", in the sense that we give the users the power to decide who they share their data with and basically make the user his OWN data processor?
2. Implementing the biosample permission platform in a user-friendly product.
3. Legal applicability of promissory estoppel or a similar legal theory to allow anonymous owners of property to make claims against permittees.

## External links

- [https://jbba.scholasticahq.com/article/13164-privacy-laws-genomic-data-and-non-fungible-tokens](https://jbba.scholasticahq.com/article/13164-privacy-laws-genomic-data-and-non-fungible-tokens)
- [https://eips.ethereum.org/EIPS/eip-721](https://eips.ethereum.org/EIPS/eip-721)
- [https://github.com/Genobank/biosample-permission-token](https://github.com/Genobank/biosample-permission-token)
- [https://vimeo.com/443861785](https://vimeo.com/443861785)
- [https://fulldecent.blogspot.com/2020/07/biosample-permission-token-with-non.html](https://fulldecent.blogspot.com/2020/07/biosample-permission-token-with-non.html)
- [https://0xcert.org/](https://0xcert.org/)
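
The three protocol flows (issue, extend, revoke) seen from the recipient's software, as an added example that is not GenoBank's code: it replays a notary log that holds only dataset hashes and applies the destroy-and-blocklist rule from the architecture goals. The `NotaryEvent` layout, the choice of SHA-256, and all names and sample values are assumptions; verifying each event's signature against the issuer's key and reading the log from a chain are left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class NotaryEvent:        # hypothetical record layout, not the project's contract ABI
    kind: str             # "issue" (also used for an extension) or "revoke"
    token_id: int
    data_hash: str        # only the hash is notarized, never the data itself
    recipient: str        # pseudonymous address of the permitted party
    expires_at: int = 0   # unix time; ignored for "revoke"

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()   # SHA-256 is an assumption

def license_state(log, data_hash, recipient, now):
    """Replay the notary log for one dataset hash and one recipient."""
    tokens = {}                               # token_id -> expiry, None once revoked
    for ev in log:
        if ev.kind == "issue" and (ev.data_hash, ev.recipient) == (data_hash, recipient):
            tokens.setdefault(ev.token_id, ev.expires_at)  # a revoked id stays revoked
        elif ev.kind == "revoke" and ev.token_id in tokens:
            tokens[ev.token_id] = None
    if any(exp is not None and exp > now for exp in tokens.values()):
        return "valid"
    if not tokens:
        return "unlicensed"
    return "revoked" if None in tokens.values() else "expired"

class RecipientStore:
    def __init__(self, me):
        self.me, self.data, self.blocklist = me, {}, set()
    def accept(self, blob, log, now):
        """Store a dataset only if its hash is notarized to us and not blocklisted."""
        h = digest(blob)
        if h in self.blocklist or license_state(log, h, self.me, now) != "valid":
            return False
        self.data[h] = blob
        return True
    def enforce(self, log, now):
        """Destroy and blocklist held datasets whose right has expired or been revoked."""
        purged = [h for h in self.data if license_state(log, h, self.me, now) != "valid"]
        for h in purged:
            del self.data[h]
        self.blocklist.update(purged)
        return purged
# Constructed sample: issue (flow 1), extension (flow 2), revocation (flow 3).
BLOB = b"constructed ciphertext standing in for an encrypted DNA file"
LOG = [NotaryEvent("issue", 1, digest(BLOB), "0xRecipient", expires_at=1000),
       NotaryEvent("issue", 2, digest(BLOB), "0xRecipient", expires_at=2000),
       NotaryEvent("revoke", 2, digest(BLOB), "0xRecipient")]
```

Running `enforce` on every notary notification and on a timer covers both revocation and silent expiry; a blob whose hash does not match a notarized token is never stored in the first place.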