Re: DPV TOM extension with more PETs from Freek Dijkstra on 2026-04-02 (public-dpvcg@w3.org from April 2026)

From: Freek Dijkstra <freek.dijkstra@surf.nl>
Date: Thu, 2 Apr 2026 21:49:29 +0200
To: Matthias Löbe <matthias.loebe@imise.uni-leipzig.de>
Cc: "public-dpvcg@w3.org" <public-dpvcg@w3.org>
Message-ID: <80905011-c3d7-4e5c-bdd7-2207a7076fe5@surf.nl>
Hi Matthias,

Thank you for taking time to reply. Both pointers are very useful.

Right now, most of my project originate from the social science and 
humanities (SSH) domain, but we also have contacts with EHDS-related 
projects, so it would be great if that aligns.  I was aware of TEHDAS2, 
but not following it closely. HL7 was new to me.

Even if these concepts can not be easily integrated with DPV/ODRL, 
re-using some of the terminology or perhaps even some definitions would 
be very useful.

I'll have something to read over the Easter weekend. Thanks!

Freek




On 02-04-2026 19:08, Matthias Löbe wrote:
> Hello Freek,
>
> The TEHDAS2 guidelines currently in preparation might address a lot of 
> these issues :https://tehdas.eu/public-consultations/ (below "Second 
> public consultation").
>
> Also, HL7 FHIR Terminology might cover some concepts you need in 
> Provenance
> - ProvenanceActivityType 
> <https://hl7.org/fhir/R4/valueset-provenance-activity-type.html>
> - ProvenanceParticipantType 
> <https://hl7.org/fhir/R4/valueset-provenance-agent-type.html>
> - SecurityRoleTyp 
> <https://hl7.org/fhir/R4/valueset-security-role-type.html>
> - ProvenanceEntityRole 
> <https://hl7.org/fhir/R4/valueset-provenance-entity-role.html>
>
> None of these can be easily integrated with DPV/ODRL, but we could 
> steal concepts from them. We also tried DUO, but it covers only small 
> parts of what we would like to express. I'm interested in further 
> discussion, especially with looking into EHDS.
>
> Regards,
> Matthias
>
>
>
>
> Am Fr., 27. März 2026 um 19:05 Uhr schrieb Harshvardhan Pandit 
> <me@harshp.com>:
>
>     Hi.
>     I'm not aware of any single document from ISO or ENISA that would
>     have
>     all of these, but following may be relevant as starting points:
>
>     - ISO 27002 security controls (rich source for adding TOMs in DPV)
>     - ENISA NIS2 implemnentation guide, which not about PETs, gives
>     useful
>     infra concepts also needed for EHDS
>     https://www.enisa.europa.eu/sites/default/files/2025-06/ENISA_Technical_implementation_guidance_on_cybersecurity_risk_management_measures_version_1.0.pdf
>
>     Regards,
>     Harsh
>
>     On 27/03/2026 11:24, Freek Dijkstra wrote:
>     > Hello Harsh,
>     >
>     > Thanks you for your reply.
>     >
>     > I agree that it would be good to align with other standardization
>     > bodies. I did search for a few keywords of privacy enhancing
>     > technologies on both ISO and ENISA websites, but could not find
>     them
>     > right away. Perhaps I overlooked it, or the search only shows
>     > publications, not workgroup drafts. Would you or anyone else
>     know of
>     > some direct pointers?
>     >
>     > Regards,
>     > Freek
>     >
>     > On 26-03-2026 22:49, Harshvardhan Pandit wrote:
>     >> Hi Freek, Beatriz.
>     >> I'm okay for you to continue, though please keep me in loop re.
>     proposed
>     >> concepts for TOMs as one of the open issues is about adding more
>     >> measures from ISO standards and ENISA, so I'd like to see if the
>     >> required concepts have a normative source and a hierarchy we
>     should also
>     >> be adding.
>     >>
>     >> Thanks,
>     >> Harsh
>     >>
>     >> On 26/03/2026 16:26, Freek Dijkstra wrote:
>     >>> Hi Beatriz,
>     >>>
>     >>> Thanks for your offer! I've mailed you off-list with a few
>     options.
>     >>> If anyone else likes to join, please contact either of us
>     directly.
>     >>>
>     >>> Regards,
>     >>> Freek
>     >>>
>     >>> On 26-03-2026 16:16, Beatriz Gonçalves Crisóstomo Esteves
>     (UGent-imec)
>     >>> wrote:
>     >>>> Dear Freek,
>     >>>>
>     >>>> Thanks for reaching out to the DPVCG. It is super nice to see
>     that
>     >>>> SURF is looking at the work we do in DPV.
>     >>>>
>     >>>> I would be very happy and interested to work with you on
>     these topics.
>     >>>> Maybe we should have a follow up call to discuss it in more
>     detail?
>     >>>>
>     >>>> Best regards,
>     >>>> Beatriz Esteves
>     >>>> Postdoctoral Researcher
>     >>>> IDLab, Ghent University - imec
>     >>>>
>     >>>>
>     ------------------------------------------------------------------------
>     >>>> *De:* Freek Dijkstra <freek.dijkstra@surf.nl>
>     >>>> *Enviado:* Thursday, March 26, 2026 11:01:48 AM
>     >>>> *Para:* public-dpvcg@w3.org <public-dpvcg@w3.org>
>     >>>> *Assunto:* DPV TOM extension with more PETs
>     >>>> Dear DPV CG members,
>     >>>>
>     >>>> We are looking for ways to describe conditions when making
>     sensitive
>     >>>> data available for re-use.
>     >>>> For the access control, we are likely to use the DUO (digital
>     usage
>     >>>> ontology) by GA4GH.
>     >>>>
>     >>>> However, that does not cover the technical measures that a data
>     >>>> provider
>     >>>> takes when making sensitve data available.
>     >>>> Usually, this boils down to a set of privacy enhancing
>     technologies
>     >>>> (PETs) like pseudonimization, filtering the data, and only
>     making the
>     >>>> data available for analysis, but not for download.
>     >>>>
>     >>>> The DPV TOM module describes some of these PETs, like
>     pseudonimyzation,
>     >>>> synthetic data, secure MPC, and (fully) homomorphic encryption.
>     >>>> However, some others are missing. In particular
>     algorithm-to-data and
>     >>>> federated machine learning.
>     >>>>
>     >>>> Would there be interest to add these concepts as
>     technological measures
>     >>>> to future versions of DPV?
>     >>>> If not, would anyone be able to recommend other ontologies that
>     >>>> describes these concepts, prefable one that works will with
>     DPV and/or
>     >>>> ODRL.
>     >>>>
>     >>>> The main concept we're interested in is algorithm-to-data:
>     rather than
>     >>>> making sensitive data available for download, the data
>     provider runs
>     >>>> the
>     >>>> analysis requested by a researcher and only makes the result
>     of that
>     >>>> analysis available. There are a few variants, but a variant
>     were the
>     >>>> data is made available in a secure environment is now
>     referred to as a
>     >>>> "Trusted Research Environment" (TRE) in academic context. We and
>     >>>> some of
>     >>>> our partners are offering such an environment, and we like to
>     describe
>     >>>> this in a machine-readable format.
>     >>>>
>     >>>> Wih kind regards,
>     >>>> Freek Dijkstra
>     >>>
>     >>> --
>     >>> Freek Dijkstra
>     >>> | SURF Innovation Lab |
>     >>> | M +31 6 4484 7459 |
>     >>> | Available on Mon, Tue, Wed, Thu |
>     >>>
>     >>> SURF is the collaborative organisation for ICT in Dutch
>     education and
>     >>> research
>     >>>
>     >>>
>     >>
>     >> --
>     >> ---
>     >> Harshvardhan J. Pandit, Ph.D
>     >> Research Fellow @ AI Accountability Lab
>     >> Trinity College Dublin, Ireland
>     >> https://harshp.com/
>     >>
>     >
>
>     -- 
>     ---
>     Harshvardhan J. Pandit, Ph.D
>     Research Fellow @ AI Accountability Lab
>     Trinity College Dublin, Ireland
>     https://harshp.com/
>
>
>
>
>
> -- 
> Matthias Löbe, Inst. for Medical Informatics (IMISE), University of 
> Leipzig
> Härtelstr. 16, D-04107 Leipzig, +49 341 97 16113, 
> matthias.loebe@imise.uni-leipzig.de <mailto:loebe@imise.uni-leipzig.de>

-- 
Freek Dijkstra
| SURF Innovation Lab |
| M +31 6 4484 7459 |
| Available on Mon, Tue, Wed, Thu |

SURF is the collaborative organisation for ICT in Dutch education and research
Received on Thursday, 2 April 2026 19:49:38 UTC