Re: DPV TOM extension with more PETs from Harshvardhan Pandit on 2026-03-27 (public-dpvcg@w3.org from March 2026)

From: Harshvardhan Pandit <me@harshp.com>
Date: Fri, 27 Mar 2026 18:04:32 +0000
To: Freek Dijkstra <freek.dijkstra@surf.nl>
Cc: "public-dpvcg@w3.org" <public-dpvcg@w3.org>
Message-ID: <b8c7e53b-5f65-4a88-9661-96a525329052@harshp.com>
Hi.
I'm not aware of any single document from ISO or ENISA that would have 
all of these, but following may be relevant as starting points:

- ISO 27002 security controls (rich source for adding TOMs in DPV)
- ENISA NIS2 implemnentation guide, which not about PETs, gives useful 
infra concepts also needed for EHDS 
https://www.enisa.europa.eu/sites/default/files/2025-06/ENISA_Technical_implementation_guidance_on_cybersecurity_risk_management_measures_version_1.0.pdf

Regards,
Harsh

On 27/03/2026 11:24, Freek Dijkstra wrote:
> Hello Harsh,
> 
> Thanks you for your reply.
> 
> I agree that it would be good to align with other standardization 
> bodies. I did search for a few keywords of privacy enhancing 
> technologies on both ISO and ENISA websites, but could not find them 
> right away. Perhaps I overlooked it, or the search only shows 
> publications, not workgroup drafts. Would you or anyone else know of 
> some direct pointers?
> 
> Regards,
> Freek
> 
> On 26-03-2026 22:49, Harshvardhan Pandit wrote:
>> Hi Freek, Beatriz.
>> I'm okay for you to continue, though please keep me in loop re. proposed
>> concepts for TOMs as one of the open issues is about adding more
>> measures from ISO standards and ENISA, so I'd like to see if the
>> required concepts have a normative source and a hierarchy we should also
>> be adding.
>>
>> Thanks,
>> Harsh
>>
>> On 26/03/2026 16:26, Freek Dijkstra wrote:
>>> Hi Beatriz,
>>>
>>> Thanks for your offer! I've mailed you off-list with a few options.
>>> If anyone else likes to join, please contact either of us directly.
>>>
>>> Regards,
>>> Freek
>>>
>>> On 26-03-2026 16:16, Beatriz Gonçalves Crisóstomo Esteves (UGent-imec)
>>> wrote:
>>>> Dear Freek,
>>>>
>>>> Thanks for reaching out to the DPVCG. It is super nice to see that
>>>> SURF is looking at the work we do in DPV.
>>>>
>>>> I would be very happy and interested to work with you on these topics.
>>>> Maybe we should have a follow up call to discuss it in more detail?
>>>>
>>>> Best regards,
>>>> Beatriz Esteves
>>>> Postdoctoral Researcher
>>>> IDLab, Ghent University - imec
>>>>
>>>> ------------------------------------------------------------------------
>>>> *De:* Freek Dijkstra <freek.dijkstra@surf.nl>
>>>> *Enviado:* Thursday, March 26, 2026 11:01:48 AM
>>>> *Para:* public-dpvcg@w3.org <public-dpvcg@w3.org>
>>>> *Assunto:* DPV TOM extension with more PETs
>>>> Dear DPV CG members,
>>>>
>>>> We are looking for ways to describe conditions when making sensitive
>>>> data available for re-use.
>>>> For the access control, we are likely to use the DUO (digital usage
>>>> ontology) by GA4GH.
>>>>
>>>> However, that does not cover the technical measures that a data 
>>>> provider
>>>> takes when making sensitve data available.
>>>> Usually, this boils down to a set of privacy enhancing technologies
>>>> (PETs) like pseudonimization, filtering the data, and only making the
>>>> data available for analysis, but not for download.
>>>>
>>>> The DPV TOM module describes some of these PETs, like pseudonimyzation,
>>>> synthetic data, secure MPC, and (fully) homomorphic encryption.
>>>> However, some others are missing. In particular algorithm-to-data and
>>>> federated machine learning.
>>>>
>>>> Would there be interest to add these concepts as technological measures
>>>> to future versions of DPV?
>>>> If not, would anyone be able to recommend other ontologies that
>>>> describes these concepts, prefable one that works will with DPV and/or
>>>> ODRL.
>>>>
>>>> The main concept we're interested in is algorithm-to-data: rather than
>>>> making sensitive data available for download, the data provider runs 
>>>> the
>>>> analysis requested by a researcher and only makes the result of that
>>>> analysis available. There are a few variants, but a variant were the
>>>> data is made available in a secure environment is now referred to as a
>>>> "Trusted Research Environment" (TRE) in academic context. We and 
>>>> some of
>>>> our partners are offering such an environment, and we like to describe
>>>> this in a machine-readable format.
>>>>
>>>> Wih kind regards,
>>>> Freek Dijkstra
>>>
>>> -- 
>>> Freek Dijkstra
>>> | SURF Innovation Lab |
>>> | M +31 6 4484 7459 |
>>> | Available on Mon, Tue, Wed, Thu |
>>>
>>> SURF is the collaborative organisation for ICT in Dutch education and 
>>> research
>>>
>>>
>>
>> -- 
>> ---
>> Harshvardhan J. Pandit, Ph.D
>> Research Fellow @ AI Accountability Lab
>> Trinity College Dublin, Ireland
>> https://harshp.com/
>>
> 

-- 
---
Harshvardhan J. Pandit, Ph.D
Research Fellow @ AI Accountability Lab
Trinity College Dublin, Ireland
https://harshp.com/
Received on Friday, 27 March 2026 18:04:40 UTC