- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Mon, 2 Dec 2024 14:52:57 +0000
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hi All.
tldr; the draft HealthDCAT-AP, an extension of DCAT-AP used in EU open
data portals, has recommended use of DPV for modelling legal basis,
purposes, and personal data categories. I propose we support this by
providing an EHDS extension and work alongside the group to further
support use of DPV.
## HealthDCAT-AP
The HealthData@EU project is a pilot version for implementing the
European Health Data Space (EHDS) regulation which will enable secondary
use of health data from EU organisations. The project is developing a
specification called HealthDCAT-AP which extends the DCAT-AP
specification currently used to register and manage datasets in the EU
(and other national) open data portal. This means all health datasets
being shared as part of the EHDS implementation will be required to
utilise this specification in order to be accepted and reused through
the health data portals.
The draft HealthDCAT-AP specification https://healthdcat-ap.github.io/
shows the current progress regarding this activity, and references DPV
explicitly as part of its best practice recommendation.
Section 1.3 on use of DCAT-AP for secondary health data management
states: "To effectively extend DCAT-AP, several best practices are
recommended: ... Prioritizing vocabularies used in DCAT-AP for metadata
property selection, ... as well as considering Data Privacy Vocabulary
(DPV)"
Section 7.6 on the metadata properties for Datasets describes the use of
dpv:hasLegalBasis, dpv:hasPersonalData, and dpv:hasPurpose.
Section 8.13 Legal Basis further states the use of dpv:hasJurisdiction
and dpv:hasLaw.
Section 11.4.2 Personal Electronic Health Data states "Data holders are
also further encouraged to detail the sensitive nature of the dataset:
This is achieved by utilising the personal data property and
providing the list of key elements that represent an individual in the
dataset. It is required to adopt the predefined classes listed in the
extension of the Data Privacy Vocabulary (DPV) Specification "Extended
Personal Data categories for DPV" (DPV-PD). The DPV-PD provides
additional concepts regarding Personal Data categories."
Section 12 contains RDF examples showing the use of DPV, though these
only use DPV's properties and do not use DPV's taxonomy e.g. purpose is
a string/text description and doesn't include DPV's purpose concepts.
## Proposal to support EHDS in DPV
Based on the above, it is clear that the DPV is desired and appreciated
in the creation of specifications which must incorporate legally
relevant metadata. Achieving this would be a fantastic impact given the
scope and scale of the EHDS, and would also be instrumental in paving
the way for similar reuses of DPV in other data exchange portals and
specifications - especially those within the EU Data Spaces regime which
will also be likely to use and extend the DCAT-AP.
To support this, I propose we explicitly support the EHDS
implementation, in particular the HealthDCAT-AP, by creating an EU-EHDS
extension that provides relevant concepts for legal basis, personal data
categories, and purposes as defined in the regulation. Doing this would
further justify the role and usefulness of DPV within the HealthDCAT-AP
specification, and would show how powerful (and simple to implement) the
DPV's modularity and extensibility are in practice.
I also propose working closely with the project to provide best
practices and suggestions regarding the use of DPV's taxonomies within
the HealthDCAT-AP as a suggestion so as to provide richer metadata and
support data governance and regulatory compliance practices. For
example, by tagging whether a purpose is specific diagnostic research or
population health research, the appropriate approval mechanisms and
compliance requirements can be derived and assessed based on the
available metadata, as well as used in risk and impact assessments.
To express support or critique this proposal, or to discuss this further -
please reply to this email - or use the associated GitHub issue:
https://github.com/w3c/dpv/issues/201
Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/
Received on Monday, 2 December 2024 14:53:03 UTC