Consent-Based Document & Data Sharing
This article is republished from a post made on LinkedIn.
We deal with documents and data every day, whether personal or business, legal or medical, and paper or digital. Most document management solutions such as OneDrive, Google Drive, or Box are based on cloud storage with password protection and read/write/delete access permissions.
Here we explore a blockchain-enabled solution where one can store their documents anywhere and let the blockchain smart contract mediate and enable consent-based secure sharing and tracking.
Overview
Documents are an integral aspect of all businesses, falling under categories such as corporate, legal, financial, products and services, operations, and regular business transactions. Documents come in various formats such as plain text, word, excel, PDFs, images, video, audio, etc. Some documents may be publicly disclosable while others may contain confidential and proprietary information that should be shared on a “need to know” basis. Sometimes the disclosure and sharing of documents may be governed by other documents such as a non-disclosure agreement. Documents are used to communicate decisions and conduct business, making it crucial to manage their lifecycle and control their accessibility.
Document sharing can occur within a business, between two or more businesses, or between individuals and businesses. These parties may share business contracts, corporate financial reports, health records, business transactions such as pricing catalogs and purchase orders, and legal documents. While companies have historically shared these in person, through electronic means, or in data rooms, this has evolved to online file-sharing services and virtual data rooms.
Sharing of information is governed by privacy laws such as GDPR and HIPAA. Protecting confidential and private information, and securing consent from the owner is very critical in today’s environment. Additionally, once the task is complete, the requester must properly archive or dispose of the documents appropriately.
The following business case examples explore instances where secure document sharing is a requirement. Their processes necessitate the sharing of sensitive, proprietary information with individuals outside of the owner organization, or with an internal subset of employees.
Document Sharing Use Cases
Mergers and Acquisitions (M&A)
M&A involves extensive due diligence conducted by one or both parties, where huge volumes of confidential proprietary documents and files are exchanged. Various resources from all the companies involved, including third parties are engaged in conducting a thorough analysis of the deal.
Both parties must ensure that documents are shared with people on a need-to-know basis and the information shared is secure, tracked, and auditable. This usually occurs via a “deal room”, where documents related to the divisions, units, and companies being acquired are stored and accessed.
Product Design and Manufacturing
Brand Owners (business entities) share design and product documents with their suppliers, contract manufacturers, and other strategic partners. Multiple organizations contribute to these documents, which may contain proprietary intellectual property, ideas, trade secrets, partnerships, and sourcing relationships.
For work contracted by government agencies or the defense department, it may be necessary for a company to maintain secrecy about the product until it is made publicly available, or in some cases forever. Records of who accessed the design information may need to be retained for legal and audit purposes.
Life Sciences and Healthcare
Biotech companies share proprietary information with partners, investors, CROs, and federal agencies such as the FDA. These may include drug formulation, clinical trial data, manufacturing and distribution processes, drug pricing, reactions, and side effects.
Healthcare providers securely share information such as patient records that may contain Protected Health Information (PHI) and Personally Identifiable Information (PII). This requires compliance with regulations such as HIPAA, GDPR, and other privacy protection laws.
Value-based care requires collaboration between healthcare providers such as doctors, hospitals, pharmacies, and health plan providers, hence care must be taken in obtaining patient consent and securely sharing information.
Audits and Compliance
Businesses must use documentation to show that they comply with various international and federal regulations such as export controls, SOX, PCI, US-M-CA, Customs, and Border Patrol, and others. Businesses work with their partners such as channel partners, distributors, and retailers. They establish partner compliance requirements which have to be tracked and audited. Those documents and others used to comply with audits, may contain sensitive legal, financial, operational, and corporate information.
Legal
Law firms exchange information with their clients. Legal firms and attorneys may share the client’s information with need-to-know parties when negotiating business transactions, filing patents, or conducting litigations. A majority of law firms still deal with paper and/or electronic documents exchanged via postal or email channels.
Government
Federal, state, and local government agencies often need to collaborate on sensitive documents together and protect sensitive content and IP across state lines. Documents they manage may contain personal information, such as that unemployment claims and small business loan applications. Certain maps, maintenance manuals, and facility blueprints should be seen by pertinent employees only. Documents classified as top secret must be controlled particularly well, only shared with employees who have the clearance and need to view them. In the case of federal agencies, documents can only be shared online if FedRAMP cloud security standards are met.
Investment Management
Firms and financial advisors must securely share documents with investors such as financial statements, K-1 tax filings, and proprietary investment updates — and manage other asset documentation. Internally, project-specific information, involving certain funds, for example, may need to be shared with employees.
Document Sharing Today
Organizations dealt with paper documents in the past. These documents had watermarks and attestations to protect their authenticity and were stored in file cabinets located in secure “data rooms” or by third parties such as Iron Mountain. As companies transitioned to hybrid models, they used share drives and document management systems to store and share content and files.
Today the cloud is pervasive, and collaboration file-sharing services such as Box, Dropbox, Google Drive, and Microsoft One Drive have become popular to store documents with easy access.
Virtual Data Rooms
Virtual Data Rooms (VDRs) are online document filing systems that allow users to store and distribute critical documents from an easy-to-use central repository using strict controls. The types of documents stored in a VDR can contain confidential financial, PII, intellectual property, and product information and may be stored on the VDR ‘s cloud, a shared cloud, or an individual computer.
Like a physical data room, a virtual data room has restrictions that can be put in place limiting who can access files and preventing viewers from copying or printing sensitive documents. Unlike physical rooms, there is no risk of having copies of documents lying around that a person can walk out with.
As described earlier the common use of a VDR is to serve as a deal room for due diligence processes during mergers and acquisitions and venture capital transactions. Entry to the deal room is through a website with restricted access using login credentials. This allows a company to securely store and share confidential information in the room. If a bidder withdraws, their access can be immediately removed.
BlocDocs — An Accelerator for Document-Sharing Applications
There are blockchain-based options such as IPFS and File Coin which base their use-case on decentralized storage. They compete against solutions such as SharePoint, Dropbox, OneDrive, and Google Drive.
However, BlocDocs looks at the solution from a different perspective. The digital version of the document that a user wishes to share can live anywhere. The user can register their profile in a registry and define share policies. These policies can be based on roles, number of shares, time window, etc. Additionally, the policies could be manually triggered or automatically applied by the owner of the document.
Any user or entity registered with the service can request access to the document. For example, Dr. Bob may be interested in viewing the document.
The share-mediator will check the share policies associated with the document, create a shareable blob service (potentially embed a share-policy token) and generate share keys for Bob.
The policy-based blob has a different hash value compared to the original. The share event logger records all events surrounding the requests and shares, and can be used for tracking and maybe even billing. Once the instance of share expires, the blob becomes inactive. The ledger maintains the registry, access policies, and access events. Workflows for various use cases as discussed above can be overlaid on top of the BlocDocs accelerator framework.
BlocDocs facilitates the secure sharing of a document but does not serve as a document storage repository. The design of BlocDocs leverages enterprise blockchain technologies nurtured by the Hyperledger Foundation such as Fabric and Besu. Since no documents are stored on the chain other than the registry, policies, and events, even a public blockchain such as Ethereum can serve the purpose. Here tokens can be used to grant access along with share keys, and contracts can be programmed to automatically deduct fees. An additional advantage of using public blockchains is the ease of creating NFTs around valuable documents.
A cut-down demo of an early developer version by one of the engineers can be viewed here.
Some of the audio in this presentation has some inconsistencies and should be ignored. In the demo, the document to be shared is stored on the cloud.
For more information or interest in evolving use cases, please send me a message. Chainyard is a boutique blockchain consulting and advisory services firm based in Morrisville, NC. Disclaimer: The ideas and thoughts in this article do not necessarily reflect the opinions of the company or its leaders.
Credit is due to my colleague Aashish Shrestha who worked with us on the ideas. The UI/UX and demo were supported by Ashish Joshi, Sravani Jonnala, and Sahinul Haque. As CTO of Chainyard, I have overseen the delivery of many blockchain projects including some very unique use cases and implementations. Please email us to learn more.