🤖 AI Summary
Ensuring dynamic regulatory compliance in cross-organizational, multi-domain data processing—particularly in healthcare—is challenging due to heterogeneous legal constraints, contractual obligations, and evolving individual consents, requiring simultaneous privacy preservation, accountability distribution, and policy adaptability.
Method: We propose a decentralized policy fragmentation framework enabling autonomous agents to generate, propagate, and dynamically compose local policy fragments to justify data operations—without requiring a global policy view. We introduce the first logic-programming–based justifiable action model, integrated with a distributed gossip protocol and externally synchronized configuration.
Contribution/Results: The framework achieves reproducible authorization, auditable accountability, and verifiable governance under weak centralization. Evaluated in the Brane healthcare system, it demonstrates robust compliance assurance, seamless cross-domain interoperability, and audit traceability with full reproducibility.
📝 Abstract
Inter-organisational data exchange is regulated by norms originating from sources ranging from (inter)national laws, to processing agreements, and individual consent. Verifying norm compliance is complex because laws (e.g., GDPR) distribute responsibility and require accountability. Moreover, in some application domains (e.g., healthcare), privacy requirements extend the norms (e.g., patient consent). In contrast, existing solutions such as smart contracts, access- and usage-control assume policies to be public, or otherwise, statically partition policy information at the cost of accountability and flexibility. Instead, our framework prescribes how decentralised agents justify their actions with policy fragments that the agents autonomously create, gossip, and assemble. Crucially, the permission of actions is always reproducible by any observer, even with a partial view of all the dynamic policies. Actors can be sure that future auditors will confirm their permissions. Systems centralise control by (re)configuring externally synchronised agreements, the bases of all justifications. As a result, control is centralised only to the extent desired by the agents. In this paper, we define the JustAct framework, detail its implementation in a particular data-processing system, and design a suitable policy language based on logic programming. A case study reproduces Brane - an existing policy-regulated, inter-domain, medical data processing system - and serves to demonstrate and assess the qualities of the framework.