We've developed ConsentGuardian, a Web3.0-ready approach to consent management for sensitive data in the cloud.
Every day, we navigate a complex web of digital services, accepting terms of service and privacy policies that very few fully read, understand, or bother to customise - if that is even possible. While checking these familiar toggle buttons without a second thought might be fine for everyday services, for sensitive data (such as health information), the approach needs to be different: Consent management needs to be fully informed and customisable, and it should be the provider's responsibility to make the process seamless and transparent for the participant.
Furthermore, changing our minds in response to new information is human nature. As such, updating consent on how data is used needs to be the norm rather than a rare exception. At the same time, participants must not be expected to micromanage every individual decision about data to achieve the outcome they intended. Consent management hence also needs to be dynamic to cover data being repurposed in ways that were unimaginable at the time of initial consent, without creating long-term implications that are not in line with the original intent.
While technologically this is all possible today (technology push), there is a disconnect in the uptake (market pull), both from a consumer and provider perspective. This is because research and clinics predominantly operate in a one-time consent mode, albeit at opposite ends of the spectrum: in the clinic, tests or procedures are consented to when they are performed, making the consent targeted (atomic) and immutable; in research, participants often consent once to a broad application spectrum to enable future study activity. Neither of these current application cases needs dynamic consent. However, applications are starting to be much more distributed along the spectrum between targeted and broad consent. For example, clinical trial recruitment and continuous disease screening cater to future applications and cannot be broad. Instead, a nuanced and individualised decision-making process is needed.
Consent management hence needs to be an ongoing conversation rather than a one-time checkbox for users. We view this approach as a novel framework for how to approach consent, grounded in a relationship of trust.
Value Proposition
This is where ConsentGuardian comes in — our flexible consent management platform that puts participants (referred to as users hereafter) at the centre of data control. Originally developed for genomics research, it is adaptable to any consent management needs with minimal tweaks. With ConsentGuardian, users can easily track how their data is being used through a friendly dashboard, and update their consent preferences in real time as new uses emerge, transforming static consent into a dynamic, user-centred process.
- Cloud-native development: ConsentGuardian is a fully cloud-native solution currently prototyped on AWS using serverless architecture and Infrastructure-as-Code (IaC). This enables quick and easy deployment to any cloud account, providing sovereignty over the system and data underneath.
- Modern tech stack: ConsentGuardian is built with popular, modern technologies: NodeJS (backend) and React with TypeScript (frontend). This stack ensures easier maintenance, extensibility, and seamless integration with existing web applications.
- Real-world validation: ConsentGuardian is being tested in a real-world application for MRFF-funded genomics studies.
- Modular design: Let's face it, one size doesn't fit all, so ConsentGuardian employs a highly flexible, modular architecture that allows for easy customisation and feature additions to meet specific use case requirements.
Long-term vision for ConsentGuardian
Our vision for ConsentGuardian extends beyond its current capabilities to create a more comprehensive, user-friendly and decentralised consent management ecosystem. We want to develop a future-ready plug-and-play system that sits on top of any data management system. Here is what we are thinking of adding to ConsentGuardian:
- Portable Consent Management: Leveraging self-sovereign identity principles, we plan to enable users to store their consent preferences for a given dataset as (cryptographically) verifiable credentials in digital wallets installed on their devices (e.g., phones), maintained as a single point of truth. This will empower users to independently manage their data access rights across multiple organisations and research studies.
- Quantum-Safe Security: By implementing post-quantum cryptographic methods, we aim to future-proof our data encryption against potential threats from next-generation quantum computing. This proactive approach ensures long-term security for sensitive user data.
- Healthcare System Integration: We're developing ConsentGuardian to seamlessly integrate with existing and future healthcare infrastructure by adopting HL7 FHIR standards for our internal data model. This standards-based approach ensures broad interoperability across the healthcare ecosystem.
- Mobile-First Experience: We plan to develop a dedicated mobile application to put consent management literally in users' hands. By leveraging personal devices people already use daily, we're making consent management more accessible, flexible, and integrated into everyday life.
Application cases
- Disease screening programs: Technology and knowledge continuously improve. As such, a sample provided once can be re-evaluated to gain the most up-to-date insights. This is especially true for genomics, where our understanding of disease genes and risk factors grows daily, helping to detect diseases earlier with newborn or prognostic screening, advise reproductive choices with carrier screening, or inform drug choice and dosing with pharmacogenomics. However, it needs to be up to the individual to manage if and how they want to be updated about new findings, with the option of changing their mind.
- Clinical trials: Being assigned to a clinical trial can be a life-saving event, and personal data can help make this decision more informed and targeted to increase the success rate. However, only the affected individual or their proxy can decide if being contacted to participate in a stratified trial is the right decision, as such trials are by definition experimental and carry risks. Since the risk-benefit balance can shift, individuals need to be able to adjust their consent in real time.
- Biobank: Whether a biobank holds information about healthy individuals or a targeted cohort, individuals need to have a say over how their data is used. Some can contribute their data to advance knowledge and improve health care, others view the risk for them or their kin as too high, while yet others want to see a financial gain for their contribution. All of these scenarios are valid personal decisions and should be supported through consent management.
- Consumer data: Such personal choices should not only be about health data but also cover all forms of sensitive or private data. As such, digital service platforms where users can granularly control data-sharing preferences across multiple features (e.g., smart home systems, fitness apps, and wearables) should become the norm.
Transform data consent together
Partner with us to redesign consent processes that truly empower users in any sensitive data setting. Read more on how to contact us.