DUO concepts expressed as ODRL rules

[coolharsh55]

Hello. Together with @besteves4 we created machine-readable rules for each DUO concept using Open Digital Rights Language (ODRL), a W3C standard, and indicate how to optionally relate it to jurisdiction-agnostic legal requirements as well as jurisdiction-specific ones (e.g. GDPR), using the Data Privacy Vocabulary (DPV).
The work is available here: https://github.com/besteves4/duo-odrl-dpv with an overview table and examples in the README and a draft article explaining the motivation and creation of this work in the repo.

Using ODRL, we make explicit the permissions, prohibitions, and obligations present in the text, e.g. use for a specific purpose (permission), or condition to not use for a purpose (prohibition), or to provide data back (duty). We faced a few challenges in understanding how to express the relevant data, e.g. associating the disease for disease-specific purposes - we used the is_relevant_for property from DUO for these, though we also identify other mechanisms for representing this information.

The ODRL rules are provided for each DUO concept (as odrl:Set), which can be combined into a policy for a specific dataset (as odrl:Offer) and then matched with an investigation (as odrl:Request). The resulting data use decision (e.g. DAC grants access) can be represented in a similar manner (as odrl:Agreement). We also describe the matching process between offers and requests based on satisfying all stated permissions and ensuring no prohibition is applicable.

Our work is intended to supplement or compliment DUO, so it does not seek to replace DUO codes, e.g. in consent forms. It works on top of DUO by providing a formal representation of the conditions as rules, and a way for representing data donations or requests or decisions along with relevant information (e.g provision).

For indicating legal relevant concepts, as indicated in #96,#97,#111, we use the DPV which provides a rich taxonomy of such concepts. It can be used, optionally and as needed, in a jurisdiction-agnostic manner - e.g. to specify consent should be the legal basis without specifying under what law, or in a specific manner - e.g. to specify explicit consent is needed under GDPR. It also provides concepts that together with ODRL can specify additional restrictions such as - no third parties, specific tech / org measures are needed (e.g. data storage and security), necessity to perform impact assessments, indicating data transfer based on party locations, and many more. These can be declared for a dataset, or per-request, or even by the requester in their internal data - thus respecting DUO's scoping decisions.