Plenary 6: WGDST BoF Session Proposal

RDA Security and Trust BoF - Proposal
Stefan Pröll, Andreas Rauber, Vasily Bunakov, Mike Priddy, Jens Jensen
Draft from 19th June 2015
 
 
 
The RDA aims to promote and facilitate global data sharing across international, institutional
and technological boundaries. The exchange of information is based on a very fundamental
concept: mutual trust.
 
Trust is difficult to establish and easy to lose. In order to be able to trust each other, research
facilities, companies and institutions need to agree on and ensure minimum data protection
standards. This requires a verifiable layer of trustworthiness, which goes beyond paying lip
service. Only if the partners can agree on data authenticity and integrity standards, only if
they can show that the privacy of sensitive data meets the policy needs of the data owners
and if access can be granted and revoked based on valid criteria, trustworthy data exchange
is possible.
 
So far the topics of data security and trust are dealt with in isolation in the existing RDA
working groups, with some essential aspects potentially not covered. What we want is a
common arena for understanding and harmonizing various notions of data security and trust
across research domains,  which should facilitate common agreements on standards, best
practices and policies. This, in turn, should allow access to, and/or exchange, of sensitive
data without disclosure to unauthorised  parties and according to clearly defined and
verifiable protocols.
 
We expect that various stakeholders will benefit from the proposed working group. From
data reuse perspective, the group is going to cover the initial phases of data involvement in
research: before you get, aggregate, analyze or otherwise handle data, you have to access it
first, and ensure that it is trustworthy. For data owners and publishers, the group will develop
a body of knowledge about data security and establishing and maintaining trust in data
exchange. For regulators and research funding agencies, the security audit
recommendations should be a valuable output of the group activities.
 
It is clear that the RDA Working Group for Data Security and Trust (WGDST) cannot address
all relevant questions from the very start. Our aim is to focus on a few practical topics which
immediately allow to improve security and identify opportunities for the controlled sharing of
sensitive research data.  These topics initially include:
 
* Policies on data access and data release for research data that is deemed sensitive
because of privacy or commercial considerations, or other concerns  
* Authentication and authorisation protocols for data access  
* Protocols for data integrity and authenticity
 Further topics are the long term view of encryption standards, security audit of data
repositories and collaboration in research environments that involve sensitive data. A
challenging yet promising topic to explore can be the definition, the application and the
verification of machine­executable policies on data access and data release.
 
Our aim with this proposal of a BoF for Data Security and Trust is to gather the different
aspects of research data security and trust, then distil the common questions and issues that
are related to the protection and verification of data and the information it represents. We
want to learn what works for most of the participants and where they see deficits for the
security of their data or opportunities for the controlled sharing of sensitive data. We want to
identify the current best practices and find commonalities which may then lead to an
agreement about minimum standards. As an output we want to come up with a set of
guidelines on how institutions define security requirements and how they can exchange their
data in a secure way. Already existing best practices should be made more visible by
providing user stories that highlight the benefits and pitfalls of secure data exchange.
Expertise from existing RDA groups will provide further inputs.
 
We will present these ideas and goals during the P6 in Paris, where we have registered for a
BoF group. The aim is to create a caste statement and establish a Working Group for Data
Security and Trust under the umbrella of RDA.