Controlling Personal Data Flow: An Ontology in the COVID-19 Outbreak using a Permissioned Blockchain

Data protection regulations emerged to set rights and duties in managing personal data. Hence, they have created a new challenge. Systems must comply with legal obligations whenever the processing of personal data takes place. From the controller's perspective, attending to such norms can be defying, as it demands a detailed and holistic knowledge of the data processing activity. From the data subject point of view, controlling and following the data flow is also complex, as many entities can be authorized to access and use one's personal data. To mitigate information asymmetry and comply with data protection regulations, we developed an ontology to identify the entities involved in personal data processing. The ontology aims to build relationships between them and to share a common understanding of rights and duties proposed by the Brazilian Data Protection Law under the COVID-19 pandemic context. Moreover, the permissioned blockchain technology emerged as a solution to manage privacy concerns and to allow the compliance to such Law. We also developed a conceptual model using such technology and provided a data governance approach to set a standard so that the reuse becomes more accurate.